Analysis

  • max time kernel
    145s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-07-2024 21:50

General

  • Target

    42084f0e085e7caf07b3a37d3b3ccbab307f6682af92eb27b3d72fd25363ddbf.exe

  • Size

    2.3MB

  • MD5

    d2197f4cf49c91b31df0447d6fa7def0

  • SHA1

    71019c0314df5f18b244b5f2894d3ea5ccf82209

  • SHA256

    42084f0e085e7caf07b3a37d3b3ccbab307f6682af92eb27b3d72fd25363ddbf

  • SHA512

    a13d812eb57741bfc33f2ecab399bd8bc479168f7309c795444845a0a1acc7655c639aa64f14659c2254dceb9a34927508f78eef847b686635dc3c7c7afa07da

  • SSDEEP

    49152:ajvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:arkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42084f0e085e7caf07b3a37d3b3ccbab307f6682af92eb27b3d72fd25363ddbf.exe
    "C:\Users\Admin\AppData\Local\Temp\42084f0e085e7caf07b3a37d3b3ccbab307f6682af92eb27b3d72fd25363ddbf.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 916
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    b114a746cdeb5003fc680e939df44160

    SHA1

    aa3cc74c88d4d4f1f7b76c5faf5d065d00312f5e

    SHA256

    22c157bde506dfc58bf5d3381d3f66a2f276195b41084e8d96902325736bd185

    SHA512

    0603f0cb78375eca8c70dd6101e242e14316ff066ea7c1b46a7ce35a32a19631dac23e482b38e785ce8a518c73f34473ea6b63bb5bb14ef706e435067a326375

  • C:\Windows\SysWOW64\smnss.exe

    Filesize

    2.3MB

    MD5

    da263c1fe6d23b158f43d6fa4dd0b89d

    SHA1

    e4ab8fa80054b35ad984b7d401784b7dbf2e763a

    SHA256

    dd6b44b63456a70a55b0973f8cd364908a40aad5b0e365becc96afca14ba9f76

    SHA512

    054e54af46ab0800f3bb4d5d1464b8f7a2e9cd702f84defdcfa49d6da011418466e3709e30e5ab348f5f87045ebe279fb2878461c34b68871487ec6a88f1655d

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    93ec109bab3360ca19533655fc1d4bdb

    SHA1

    c1b904768886a3eb832c48bf521fad068fba94f2

    SHA256

    6a20ae8a479ec26bb60f9196af8f42e8f0a05d3083c04ece4394b8cc97df8f55

    SHA512

    db942832eb61e31bc52e2ccd0fd58cdc9e12099b41821759ed3360826eef31f283a2b1b8c17146428b8716b985166276f6ad3ce75d13d4030022ea539ed518fa

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    eaabc4af5459573d349b2f08c0ecc8dc

    SHA1

    d243313b1ce9551d1ea58d8f142a3efeb50d45b5

    SHA256

    12de92aab522b821f0638f24801e6d683b82eb74edb78c42a0bd4f9238d5507b

    SHA512

    02674575765b6a151516623ddc7c60ac89478878a822855354d53d27b1ef20fd36927a74b499d61fc00479c22da92837171a8665747182b9c69041f3d995a659

  • memory/2376-37-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2376-30-0x0000000000170000-0x0000000000179000-memory.dmp

    Filesize

    36KB

  • memory/2376-13-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2376-34-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/2376-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/2376-36-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

  • memory/2376-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

  • memory/2376-26-0x0000000000170000-0x0000000000179000-memory.dmp

    Filesize

    36KB

  • memory/2576-31-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2804-40-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/2804-42-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

  • memory/2804-46-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2804-51-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2804-50-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB