Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-08-2024 21:21

General

  • Target

    043f5e81bfdadd137e8ed9d7af9071b0N.exe

  • Size

    2.3MB

  • MD5

    043f5e81bfdadd137e8ed9d7af9071b0

  • SHA1

    11d3544ced96e144d634850c5ffaae78cacb395a

  • SHA256

    ad227a9586e5a3f7a685e5a68fdd2f956afd8b44de3c0986ba25e00f68b443ef

  • SHA512

    2bdefad1d698b6e0fdd63035f97e58b162ac22db7d7af47ceb3a887d0d5f60b04b0200d91cbd2291bd16825a221e112fd2506e6dae5f90a5d0d38c86c9b8b9ec

  • SSDEEP

    49152:yjvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:yrkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\043f5e81bfdadd137e8ed9d7af9071b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\043f5e81bfdadd137e8ed9d7af9071b0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 896
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:3052

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    4f85d017ca67942f13ed4563be797156

    SHA1

    cf2e7a5afd85b746729334249e119e899e3ffdc2

    SHA256

    7c1ba0bc0f429951bc432d41f22b3f0d3fdb19860439b7d3f9fe9920e4c9cbd1

    SHA512

    664511909e7d7a882abef3953e81f7538fe58b5b23be22379e101dbfc8ba400d19bea8b94852b604377cf057363bf95480b02f59bb51472a851172e0ffcdec21

  • C:\Windows\SysWOW64\smnss.exe

    Filesize

    2.3MB

    MD5

    0483f8f0c522737d6e305fc47c9a0b8c

    SHA1

    301efd0a6625a3376a0f9c26934022912f82e39f

    SHA256

    caaf22337f8d3c7483971fd3839e7124779842680048f1556bda293e7c50e88c

    SHA512

    40a19087fed228e822eee8cb7af277a715239384159fda0caaeccf148861392b38d3c362ca8eaf3374f1f94e410f1879c6f30c2e078a74ad354ef379cb03bcda

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    d04fecb01767ed6de9f401cb4561f8ef

    SHA1

    89f5ba67e9731ec331fba9836b27c53c995c8a8b

    SHA256

    075e1b11369c86c34342c109290372a8bcbe9792ad37991340bc7bef19f27c9b

    SHA512

    262236c999cea320e03e330f864a8c151545554f60b165f3c1989d6dfabb1617c46285f5f19a3faee5a77e5eaecc27e7e377b1011af9b95e2477041362bcaa4f

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    3316da02dfbda39097316d09da2c1ee6

    SHA1

    7ed8e87166eaffba8aa5dda35e0c966dd6952a95

    SHA256

    127706929d3d26692b9603d0c096086c135bf80e5ccbb260f2388bd3adf4ef04

    SHA512

    99751582742f1527696c80d9dcacf8c4fd19401bd8dcba70ef5183f9a4337f7e2fe20a109b521b679c544be413a7699fbb863185846522e84d9c5c85da589d79

  • memory/2456-34-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

  • memory/2456-17-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2456-28-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2456-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/2456-32-0x0000000000390000-0x0000000000399000-memory.dmp

    Filesize

    36KB

  • memory/2456-25-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/2456-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

  • memory/2744-31-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2988-35-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/2988-36-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

  • memory/2988-43-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2988-47-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

  • memory/2988-51-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB