Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    25/08/2024, 09:52

General

  • Target

    58233f2f22c36c5f9a3857021508e210N.exe

  • Size

    137KB

  • MD5

    58233f2f22c36c5f9a3857021508e210

  • SHA1

    340f42c46070b12d7b92a8cd060df7860725d21a

  • SHA256

    a523b34da30cf4b7825db652e71c1ce04c57020c69e56177fbdc35df89ab8e6d

  • SHA512

    07b5b749c9ebfc31ebcce42e9f68181f273d3a3a2b98409343608044ef6a039e9311bc8b5a21ce0d06cd68f9d54da5fe0f32df65dd8a5ac138550dcc4f6da1aa

  • SSDEEP

    3072:oOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPV:oIs9OKofHfHTXQLzgvnzHPowYbvrjD/m

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe
    "C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2920
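The process tree above (a sample run from the user's Temp directory that drops ctfmen.exe and smnss.exe into SysWOW64, executes them, and adds a Run key) is the kind of chain a host-based detection should catch even without the hashes. The block below is an added example and is not part of this report or of any product: it runs four stateful rules over constructed Sysmon-style events that mirror the signatures listed (EventID 1 process create, 11 file create, 13 registry value set). The event records, the explorer.exe PID, the Run value name and the benign noise events are assumptions built for the example; the report does not include an event log or the Run value it observed. Note that the report shows the same process as both C:\Windows\system32\smnss.exe (command line) and C:\Windows\SysWOW64\smnss.exe (image): on 64-bit Windows the file-system redirector maps a 32-bit process's system32 to SysWOW64, so the rules treat both as the protected system directory.

```python
import re
from collections import Counter
from typing import Dict, List, Set

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe"
CTFMEN = r"C:\Windows\SysWOW64\ctfmen.exe"
SMNSS = r"C:\Windows\SysWOW64\smnss.exe"

# Constructed Sysmon-style events (sample input for this example, not taken from
# the report). The Run value name, the explorer.exe PID and the benign noise
# events at the end are assumptions; the PIDs and paths follow the process tree.
EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "ProcessId": 1328, "ParentProcessId": 700,
     "Image": SAMPLE_EXE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 1328, "Image": SAMPLE_EXE, "TargetFilename": CTFMEN},
    {"EventID": 11, "ProcessId": 1328, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Windows\SysWOW64\shervans.dll"},
    {"EventID": 11, "ProcessId": 1328, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Windows\SysWOW64\satornas.dll"},
    {"EventID": 11, "ProcessId": 1328, "Image": SAMPLE_EXE, "TargetFilename": SMNSS},
    {"EventID": 1, "ProcessId": 2028, "ParentProcessId": 1328,
     "Image": CTFMEN, "ParentImage": SAMPLE_EXE},
    {"EventID": 1, "ProcessId": 2920, "ParentProcessId": 2028,
     "Image": SMNSS, "ParentImage": CTFMEN},
    {"EventID": 13, "ProcessId": 2920, "Image": SMNSS,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smnss",
     "Details": SMNSS},
    # Benign noise the rules must ignore: a system binary writing under System32,
    # a system binary started by explorer, and a Run value for a file nothing in
    # this trace dropped.
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"EventID": 1, "ProcessId": 950, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 960, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Example",
     "Details": r"C:\Program Files\Example\example.exe"},
]

# system32 and SysWOW64 are both the protected system directory: WOW64 file
# system redirection shows a 32-bit process the former name for the latter.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def _norm(path: object) -> str:
    return str(path).strip('"').lower()


def is_system_dir(path: object) -> bool:
    return _norm(path).startswith(SYSTEM_DIRS)


def is_user_writable(path: object) -> bool:
    p = _norm(path)
    return any(marker in p for marker in USER_WRITABLE)


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the rules in event order; later rules depend on earlier drops.

    A process start or Run value is only flagged here because an earlier event
    in the same trace wrote the file it refers to from outside the system dir.
    """
    alerts: List[Dict[str, object]] = []
    dropped: Set[str] = set()

    def alert(rule: str, ev: Dict[str, object], detail: str) -> None:
        alerts.append({"rule": rule, "pid": ev["ProcessId"], "detail": detail})

    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            target = ev["TargetFilename"]
            if is_system_dir(target) and not is_system_dir(ev["Image"]):
                dropped.add(_norm(target))
                alert("drop_into_system_dir", ev, str(target))
        elif eid == 1:
            image, parent = ev["Image"], ev["ParentImage"]
            if is_system_dir(image) and is_user_writable(parent):
                alert("system_dir_exe_from_user_temp", ev, f"{parent} -> {image}")
            if _norm(image) in dropped:
                alert("execute_dropped_exe", ev, str(image))
        elif eid == 13:
            if RUN_KEY_RE.search(str(ev["TargetObject"])) and _norm(ev["Details"]) in dropped:
                alert("run_key_to_dropped_file", ev, f"{ev['TargetObject']} = {ev['Details']}")
    return alerts


def rule_counts(alerts: List[Dict[str, object]]) -> Counter:
    return Counter(str(a["rule"]) for a in alerts)


def ancestry(events: List[Dict[str, object]], pid: object) -> List[object]:
    """Follow ParentProcessId links back as far as the trace records them."""
    parents = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events if ev["EventID"] == 1}
    chain: List[object] = []
    while pid in parents:
        chain.append(pid)
        pid = parents[pid]
    return chain[::-1]


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['rule']:<32} pid={a['pid']} {a['detail']}")
    print("chain:", " -> ".join(str(p) for p in ancestry(EVENTS, 2920)))
```

Run against the constructed events this produces eight alerts (four drops into SysWOW64 by PID 1328, ctfmen.exe flagged both as a system-directory binary started from Temp and as a dropped file being executed, smnss.exe as a dropped file being executed, and the Run value pointing at a dropped file) and the chain 1328 -> 2028 -> 2920; the three noise events produce nothing. The two drive-enumeration signatures in the report have no event here because Sysmon does not record directory reads; they would need a different telemetry source.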

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    d879063b30321810e8b1797f9d4835b0

    SHA1

    f4ae9dab926e18f53d18b22572deb2e30bed8f4b

    SHA256

    05d3a998249e2e55a6ec8660ca2ba0dd84c50f03f8540a9a25496448e8d40f74

    SHA512

    136a231ab768a7cbf7fdd69f52295ef4a18665bf466b3ed6572b2a51615daa825c875ca2aa4c5a2adbfea260530867ff0b89f81dc09b3967556efac7f4bfdfeb

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    38687b6f3b2291e9d28e846a41113312

    SHA1

    24e6d62cf27a351a3d572d353b74c03a2b5b480b

    SHA256

    f846291ff19ac96f854115798e6e0c5ff450cb0af999f1aca9cb0be98b622f51

    SHA512

    72f722159f6fed8e047e023d2c1f00d3839ec7da70f4b215a4b8746ba3158e59e4cd2e7fa18fb9605d5a666eb321bc62f389636d9a78ee61a983e7aea5954ff6

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    a2ff14d03b4b9807982d8598cb477b0a

    SHA1

    91eced4392c13f058848e86b497300ab90e8a06c

    SHA256

    985e70f0aa5c289ba95439e95ac35fccb7e650be7efc13d469d338616a8ad6df

    SHA512

    2c46e022fafdbed07ed498a530632e952a9d653f83cff29fa67c5d26b5f60d80d00bb15fa32ec0ce0492d0dd359e5ceadecd296bfbaf29d16056163c3f2810ab

  • \Windows\SysWOW64\smnss.exe

    Filesize

    137KB

    MD5

    bae3a695826cf807175140b2b137411b

    SHA1

    32f716ee73a4a02d7c439ae6eb9e012c0e858768

    SHA256

    090764e2c74563ddb785e569266883e0f6c258ec4d256a186fced0ac8a964363

    SHA512

    19c2117c89da3abcdc7f724d6591e3ca98cc17a20387feb029bc66052e8eb1e5b6af39b40da750e191e301e4409aa60167e69e6bca373788acd9f75f69af8a92

  • memory/1328-26-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1328-27-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1328-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1328-19-0x00000000003D0000-0x00000000003D9000-memory.dmp

    Filesize

    36KB

  • memory/1328-12-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2028-29-0x00000000003A0000-0x00000000003BF000-memory.dmp

    Filesize

    124KB

  • memory/2028-34-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2920-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2920-42-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2920-43-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB
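The Downloads section lists two kinds of artifact: the dropped files with their digests, and memory dumps named memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp. The block below is an added example, not part of the report: it hashes files on a suspect host and reports which listed artifact they match (preferring SHA-256 over SHA-1 over MD5, since MD5 collisions are cheap), and it parses the dump names to cross-check each listed Filesize against the address range and to compare the mapped regions per process. The hash and dump values are copied verbatim from this report; the scan root, the streaming file reader and the size parser are this example's own.

```python
import hashlib
import os
import re
from typing import Dict, Iterator, List, Optional, Set, Tuple

ALGOS = ("md5", "sha1", "sha256")  # index order of the tuples below

# (md5, sha1, sha256) copied verbatim from the General and Downloads sections.
IOC_HASHES: Dict[str, Tuple[str, str, str]] = {
    "58233f2f22c36c5f9a3857021508e210N.exe (submitted sample)": (
        "58233f2f22c36c5f9a3857021508e210", "340f42c46070b12d7b92a8cd060df7860725d21a",
        "a523b34da30cf4b7825db652e71c1ce04c57020c69e56177fbdc35df89ab8e6d"),
    r"\Windows\SysWOW64\satornas.dll": (
        "d879063b30321810e8b1797f9d4835b0", "f4ae9dab926e18f53d18b22572deb2e30bed8f4b",
        "05d3a998249e2e55a6ec8660ca2ba0dd84c50f03f8540a9a25496448e8d40f74"),
    r"\Windows\SysWOW64\ctfmen.exe": (
        "38687b6f3b2291e9d28e846a41113312", "24e6d62cf27a351a3d572d353b74c03a2b5b480b",
        "f846291ff19ac96f854115798e6e0c5ff450cb0af999f1aca9cb0be98b622f51"),
    r"\Windows\SysWOW64\shervans.dll": (
        "a2ff14d03b4b9807982d8598cb477b0a", "91eced4392c13f058848e86b497300ab90e8a06c",
        "985e70f0aa5c289ba95439e95ac35fccb7e650be7efc13d469d338616a8ad6df"),
    r"\Windows\SysWOW64\smnss.exe": (
        "bae3a695826cf807175140b2b137411b", "32f716ee73a4a02d7c439ae6eb9e012c0e858768",
        "090764e2c74563ddb785e569266883e0f6c258ec4d256a186fced0ac8a964363"),
}

# Memory-dump names and the Filesize the report lists beside each of them.
REPORT_DUMPS: Dict[str, str] = {
    "memory/1328-26-0x0000000000400000-0x000000000041F000-memory.dmp": "124KB",
    "memory/1328-27-0x0000000010000000-0x000000001000D000-memory.dmp": "52KB",
    "memory/1328-0-0x0000000000400000-0x000000000041F000-memory.dmp": "124KB",
    "memory/1328-19-0x00000000003D0000-0x00000000003D9000-memory.dmp": "36KB",
    "memory/1328-12-0x0000000010000000-0x000000001000D000-memory.dmp": "52KB",
    "memory/2028-29-0x00000000003A0000-0x00000000003BF000-memory.dmp": "124KB",
    "memory/2028-34-0x0000000000400000-0x0000000000409000-memory.dmp": "36KB",
    "memory/2920-35-0x0000000000400000-0x000000000041F000-memory.dmp": "124KB",
    "memory/2920-42-0x0000000000400000-0x000000000041F000-memory.dmp": "124KB",
    "memory/2920-43-0x0000000010000000-0x000000001000D000-memory.dmp": "52KB",
}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digests_of_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:  # stream so large files are not read whole
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_ioc(digests: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """(artifact, algorithm) for the strongest matching digest, else None."""
    for algo in reversed(ALGOS):  # sha256 first, md5 last
        value = (digests.get(algo) or "").lower()
        if not value:
            continue
        for name, known in IOC_HASHES.items():
            if known[ALGOS.index(algo)] == value:
                return name, algo
    return None


def scan_tree(root: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (path, artifact, algorithm) for every IOC hit under root."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                hit = match_ioc(digests_of_file(full))
            except OSError:
                continue  # locked or unreadable file: skip it, keep scanning
            if hit:
                yield full, hit[0], hit[1]


DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
SIZE_RE = re.compile(r"^(\d+)\s*(B|KB|MB)$", re.I)
UNITS = {"b": 1, "kb": 1024, "mb": 1024 * 1024}


def parse_dump_name(name: str) -> Dict[str, int]:
    """Split memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp into integers."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def parse_size(text: str) -> int:
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(m[1]) * UNITS[m[2].lower()]


def check_dump_sizes(dumps: Dict[str, str]) -> List[str]:
    """Dump names whose listed Filesize differs from end - start of the range."""
    return [n for n, s in dumps.items() if parse_dump_name(n)["size"] != parse_size(s)]


def layouts(dumps: Dict[str, str]) -> Dict[int, Set[Tuple[int, int]]]:
    """Distinct (start, end) regions per PID, ignoring the dump sequence number."""
    out: Dict[int, Set[Tuple[int, int]]] = {}
    for name in dumps:
        info = parse_dump_name(name)
        out.setdefault(info["pid"], set()).add((info["start"], info["end"]))
    return out


if __name__ == "__main__":
    import sys
    for path, artifact, algo in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {artifact} ({algo})")
    print("size mismatches:", check_dump_sizes(REPORT_DUMPS))
```

Every listed Filesize agrees with its address range (0x1F000 = 124KB, 0xD000 = 52KB, 0x9000 = 36KB). Comparing layouts shows PID 1328 (the submitted sample) and PID 2920 (smnss.exe) both expose a 124KB image at 0x400000 and a 52KB module at the default DLL base 0x10000000, consistent with smnss.exe being a 137KB copy of the sample with a different hash; PID 2028 (the 4KB ctfmen.exe) instead has a 36KB image and a separate 124KB region. On a live host, pass C:\Windows\SysWOW64 as the scan root; the ssdeep value in the report is not checked here because Python's standard library has no ssdeep implementation.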