Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2024, 06:55

General

  • Target

    ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe

  • Size

    119KB

  • MD5

    9c92e829609cd7d39f820528059a56b6

  • SHA1

    bdbd8e1fe5b76935afe76540bbb844fc7767b26d

  • SHA256

    ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690

  • SHA512

    0afddd6eec516f8a7ea2ca0740e4be4ed864858de6e582353111c32dfccebe47481b4b45d0ff349f0ca9746a4317c061ff93eda2804fc1c1027c67b269b5e3a8

  • SSDEEP

    3072:zOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:zIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe
    "C:\Users\Admin\AppData\Local\Temp\ed6345cdae4ba098fa07431d7f79f154ce80a73818a24bd2863ee3fa51c53690.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1452

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\ctfmen.exe

          Filesize

          4KB

          MD5

          d695a16bd29862e738b16bf87dcd6092

          SHA1

          eb508671d0c92cb201865218557bbb5e71b17df7

          SHA256

          8148c95c5e16635b1a630dd1ac113609e5088c9757780323f2bda8a44b2fe139

          SHA512

          98f02662b7bc14221bce54740de10f4ae3e23973640c143f431838eddb12dd05470fc87e8472b1d64da3d1365b0d9de2af414cc507b3752191a389e29e194228

        • C:\Windows\SysWOW64\grcopy.dll

          Filesize

          119KB

          MD5

          894cc366077b44c0c4c58c669b7f9bce

          SHA1

          bda588123f09222d4696cec0e024e5b87cd4a253

          SHA256

          d3debf07f1fe54e2a1869f18e0a27e61df7acbc4e5715ccb8912f10418c8b51e

          SHA512

          58f00365858d5fad02543a04b05ddc750b22eb048b3b1cf0c800400a16a4625113a76ff8a7fb7e70dd40e51a219541d98192a1a62c8d450b78ddf4be1522c15a

        • C:\Windows\SysWOW64\satornas.dll

          Filesize

          183B

          MD5

          120d7632ba75bb6a00191ff4750196ae

          SHA1

          75dd562c782bff49ba284d81d2b0cd7bc16826ff

          SHA256

          1bc5bc611e84cec61d24c0a7e809d580d7f050fdee23f51686a9729ca6632131

          SHA512

          591d8d1bf8a8a0c7cb37036bcadb35964a4debc1a5d62aa57b5c32dce40d1c70bbf347dad2990df39c8a77d79d82e0feb409b9e4c419b3471b75ca52b9b925f2

        • C:\Windows\SysWOW64\shervans.dll

          Filesize

          8KB

          MD5

          12eca2daca36abcd79a8f727f476aa8b

          SHA1

          d94387ec0b04ebd974d3390ca311e8ab5718e007

          SHA256

          03eb237cb3dec41c1d49bff5c712d2fe379ba799b98fbea3eb08ba8e18b1b14c

          SHA512

          3f09139f2fb4e842f457ce82719f11012ad98fb6dabfc292202f4de2c7e3af4e4b215ef843f133d46e10339e21256d122df49ea3545aa0e267780549d1cc9763

        • memory/1452-29-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/1452-37-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/1452-39-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/1452-40-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/3668-25-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/3668-24-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/3668-0-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/3668-13-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/5000-21-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/5000-31-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB