Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 02:18

General

  • Target

    a6e28ff11a1a5aa52559cd51acf1ae54da513d49030b1f3c59d26e6d93908d2e.exe

  • Size

    352KB

  • MD5

    1989f174330de65926ebbdaf105c9f5e

  • SHA1

    0532f9a9bb182255552b07ad0c65be36542912da

  • SHA256

    a6e28ff11a1a5aa52559cd51acf1ae54da513d49030b1f3c59d26e6d93908d2e

  • SHA512

    94d4b6954d57fba9c9f2b2fdcfa0edd9228b0fe2620c9b1563d2511087dcb817c888a15c1536403a1d8f7c0ca43e59eb298b18bdb424de68ec93d478e6910ecd

  • SSDEEP

    6144:8Is9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8i:NKofHfHTXQLzgvnzHPowYbvrjD/L7QPs

Signatures

  • UPX dump on OEP (original entry point) 11 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6e28ff11a1a5aa52559cd51acf1ae54da513d49030b1f3c59d26e6d93908d2e.exe
    "C:\Users\Admin\AppData\Local\Temp\a6e28ff11a1a5aa52559cd51acf1ae54da513d49030b1f3c59d26e6d93908d2e.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2720

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    7a87826183cde7eaa9aae5ee7c2a4314

    SHA1

    40883d090ce948941636ecf9a62c783986da2a99

    SHA256

    7f54f9467710d55c668591a75fd1d2b4e808277b0d2dc1bfa966d8e450188757

    SHA512

    54d6db875deae7c001d2234ba1dc9533176955ec7e3d17141cdd2796717add9350ab0e7dcb4575ddefa419343ecb062c6f7c72d4227006b9e9664b50dc374319

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    126a94b480bf898329259d88c85bea19

    SHA1

    1397865933af7d70c4aa5dacdb01d297ac0908da

    SHA256

    a9a5fd90bce4a96b2ee9c0aabde516dc769f718a90674d358b07bade259e6bc5

    SHA512

    34856ec4f7376f20e57b9943b151decad607c2d6061afbe57169282af9e663dd26a9348b719ede0e2aff2c9bc3683efecd7319e91a146756947b6707448a43f1

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    2741456682a86f4521e36d4fe8753ed4

    SHA1

    bda9e187c3e250cf55ebb5b96f0782179d847ade

    SHA256

    e610e34ac3bd0252b67d896f8a5a85be062803d73fc8af0d325437be93ce8b3d

    SHA512

    74d5937091026dd0adf6ccc306276553e20983cba6f5ae7cb742ccd5365f54ad72eb8ddba8335c8042163be62a42a0835e911fe8067a1976d51974ab5cfd93aa

  • \Windows\SysWOW64\smnss.exe

    Filesize

    352KB

    MD5

    cac0d29418f1a4227b497b31419aeb82

    SHA1

    90e261ccd1b94c56fc5a64ec0b45beb1bf23933d

    SHA256

    c477d13b5b9b876a9a54b0590e100c3cc560559abf5e1732724c69a5fd29d14d

    SHA512

    8493ed677f6124a02821b3f46965f68d8a6bcd4ff66b8bfdd0b9cacc5622882d66897f4b9cd2c8428717cacf67a7880cb3d0c250a6aee4d0ec623c50cb6d19f9

  • memory/2032-28-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2468-18-0x00000000003C0000-0x00000000003C9000-memory.dmp

    Filesize

    36KB

  • memory/2468-25-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2468-26-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/2468-27-0x00000000003C0000-0x00000000003C9000-memory.dmp

    Filesize

    36KB

  • memory/2468-0-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/2468-12-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2468-44-0x00000000003C0000-0x00000000003C9000-memory.dmp

    Filesize

    36KB

  • memory/2720-34-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/2720-41-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2720-45-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB