Analysis

  • max time kernel: 144s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14-06-2024 02:18

General

  • Target: a6e28ff11a1a5aa52559cd51acf1ae54da513d49030b1f3c59d26e6d93908d2e.exe
  • Size: 352KB
  • MD5: 1989f174330de65926ebbdaf105c9f5e
  • SHA1: 0532f9a9bb182255552b07ad0c65be36542912da
  • SHA256: a6e28ff11a1a5aa52559cd51acf1ae54da513d49030b1f3c59d26e6d93908d2e
  • SHA512: 94d4b6954d57fba9c9f2b2fdcfa0edd9228b0fe2620c9b1563d2511087dcb817c888a15c1536403a1d8f7c0ca43e59eb298b18bdb424de68ec93d478e6910ecd
  • SSDEEP: 6144:8Is9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8i:NKofHfHTXQLzgvnzHPowYbvrjD/L7QPs

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 9 IoCs
  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6e28ff11a1a5aa52559cd51acf1ae54da513d49030b1f3c59d26e6d93908d2e.exe
    "C:\Users\Admin\AppData\Local\Temp\a6e28ff11a1a5aa52559cd51acf1ae54da513d49030b1f3c59d26e6d93908d2e.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4048

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize: 4KB
    MD5: d7083bc73520981274b030c4b3136f2b
    SHA1: 24fb35479803a73e3366cfd9ef9244eda9fe3d70
    SHA256: 9ebcd26b50dd82822a8f693f4c0b54ff0e082d44ce54bfd2a93791e9f7ec9073
    SHA512: 33592013267581f11ab51b28ca34cce904826861d562ae52a2acefd50953d2bf6244880cef89d5a28a2b7948d6714b95c0bbabb6a8dee7e48641c18ff4d47de9

  • C:\Windows\SysWOW64\grcopy.dll
    Filesize: 352KB
    MD5: 0fc1cbb1ea3b626fd1aff0083b242834
    SHA1: b9454a982843d0e7797c9ea883c91727a02c1d14
    SHA256: 2a61a125797aaeafe06307ba991c332dd2d4747617e79ec06a576da9af89684d
    SHA512: d239b741dcb5e0b202b0eb8d0e988ca1a1f53ab8f8aa79c9830abb8b41c7479abbc115270f05666c24a0b3db6e7a3bc772c1b62cfa81c9fb8da0eb81132c1174

  • C:\Windows\SysWOW64\satornas.dll
    Filesize: 183B
    MD5: fc14cc9e9aaa0f1b443041e67802e314
    SHA1: ca0b3205cab1c88932c5735470b6086b3f68d1e4
    SHA256: 92369825a994e45fd9287f9fbe9a5223f0b432b56cfd2ced2867c8f41a162371
    SHA512: b7d6029620c7b824d80a723730a66388e2314d5e5ac1fdad8121d60d26287a85e7cac3d7eb0903d9271f3fcc67788551f2133217eac4bc1d55f11cb9f2f93e2d

  • C:\Windows\SysWOW64\shervans.dll
    Filesize: 8KB
    MD5: 6bc653eead43ef997118ca75b09e4753
    SHA1: debac46848cf0a8b515323b93f080396ea0ac0fd
    SHA256: 45b2de5f3968b0221220e74b1aa1cdc45e08c8f9262a5e3e98291a7a2587594c
    SHA512: 62006118cad63c3a2250975db6eb63963e8cb1aaa61a4730fbb3242c84d066bbb15fc3c4b7e3d054d17f5510b7fbc2154eecdc8a209d9d33633e618a647b9c3f

  • memory/968-22-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB

  • memory/968-24-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/968-0-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB

  • memory/968-18-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2460-25-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB

  • memory/2460-29-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB

  • memory/4048-32-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB

  • memory/4048-38-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/4048-41-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB