Overview

overview

9

Static

static

3

0a36eb9da9...13.exe

windows7-x64

9

0a36eb9da9...13.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a36eb9da9ef3226ae6e1a1abb68d655902ba18e1dfb24447598722264ee5c13.exe

  • Size

    75KB

  • MD5

    0efa565d84cba140b9504bb6d1f2b3fa

  • SHA1

    778226ae17808d2fc26a52de0f0d5e23926a0d17

  • SHA256

    0a36eb9da9ef3226ae6e1a1abb68d655902ba18e1dfb24447598722264ee5c13

  • SHA512

    f89829c0acf30eb27289c0f4decd7b1ff86a29bd2459bf39f6648dc12ba26ba24ff6faaa9f322d90029d724adbce4a7c1c7b81817dff07627356c590de293ac7

  • SSDEEP

    1536:lx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:vOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE

Score
9/10
persistencespywarestealer

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 7 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a36eb9da9ef3226ae6e1a1abb68d655902ba18e1dfb24447598722264ee5c13.exe
    "C:\Users\Admin\AppData\Local\Temp\0a36eb9da9ef3226ae6e1a1abb68d655902ba18e1dfb24447598722264ee5c13.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1000
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    ba2c9bf77ba45dc3b134fd1fdb3eb142

    SHA1

    08438c8e37bc5c8cf9391d8be93f4965becbf29a

    SHA256

    0e69a3d9398f0810f07a8d1e835c3bfa3ffe7adbd4716ff9e211ea8629330b57

    SHA512

    696ce0ae050a9d23b40a965fa704494a54781705882965653e447747fd739824fdd16c6ef8538d84ea4c845fa585c9ece4ee6d9c0257fb539ab503a0f96a80a2

    Download Submit
  • C:\Windows\SysWOW64\grcopy.dll
    Filesize

    75KB

    MD5

    2d350c6c8d4d627f320be8b61b884985

    SHA1

    0824a9b93f8231397c8e7f5364d840c1be89ccf9

    SHA256

    027c463d167b61123c06e91a647352f85e2cb0aa94f728498af35dd0284a06f5

    SHA512

    afa32ec44d05fd545ef7268534fc615e77a5b6194699d9b2153c6696a9e234f3bed17ed4f5a1ccf8f2eb746d84d6c529b3b2f163352f24d45cf902c6024aeeb9

    Download Submit
  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    732c5494e8ac663d5188c7ace7bfe95c

    SHA1

    9d6e673a4b97a08d55446118d43568501bf449e7

    SHA256

    7f874c50caf0b52ef3e4d77a85a8b28bb1f1c9f76815a9c7dfdf854c39ff925d

    SHA512

    4fc5977d54fa9c9da5f496a4c16912c2cdaac4623d5c9ed40b461dfbfc944ff8f7c70b73ade6aad71686fe0d4acdfd0423df6dcd6d14362f21633500a65dc1d1

    Download Submit
  • C:\Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    f866b69da88c039bcda7b6098727ec68

    SHA1

    84bb142c47b5c103b72ee85167b9ecf1b73ac34c

    SHA256

    4126a463ef6903858c23dd3c8fe5100eb0c6bbe9a0c3549e93c6caf0a77cf660

    SHA512

    2d69967ff4ddb33d47ba6e0c72a1d86c5b0261083117b4d40645755a9073649fd4375e1c88fd5e5ae84c2235ecf3bf76bb96ac801451a95566f497bb6fb16c1c

    Download Submit
  • memory/1000-17-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1000-20-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1000-22-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2200-41-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-57-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-36-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2200-37-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-39-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-63-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-43-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-45-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-47-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-49-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-51-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-53-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-55-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-61-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2200-59-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/4004-28-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/4004-24-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download