Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2024, 09:52

General

  • Target

    58233f2f22c36c5f9a3857021508e210N.exe

  • Size

    137KB

  • MD5

    58233f2f22c36c5f9a3857021508e210

  • SHA1

    340f42c46070b12d7b92a8cd060df7860725d21a

  • SHA256

    a523b34da30cf4b7825db652e71c1ce04c57020c69e56177fbdc35df89ab8e6d

  • SHA512

    07b5b749c9ebfc31ebcce42e9f68181f273d3a3a2b98409343608044ef6a039e9311bc8b5a21ce0d06cd68f9d54da5fe0f32df65dd8a5ac138550dcc4f6da1aa

  • SSDEEP

    3072:oOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPV:oIs9OKofHfHTXQLzgvnzHPowYbvrjD/m

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe
    "C:\Users\Admin\AppData\Local\Temp\58233f2f22c36c5f9a3857021508e210N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4480

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    a121fa663fdedcf5a592e0c7b766ed80

    SHA1

    b34345af5c39d72f7fec8345aa8ab7dc98989e7e

    SHA256

    fa7dfe06de722f219c5cadb4975a171ec49cc90fe99187aa195e101061b96bae

    SHA512

    119809d3b44c9bca82803c9933b678b6ef85050d2c14a987fef1975962b0244b4c7e941698165520e61d9953b7dda57ae5a25b30e6136ca4aaa4672d8cf615a3

  • C:\Windows\SysWOW64\grcopy.dll

    Filesize

    137KB

    MD5

    2c7f6d9e230d95368ce6ae4ea03d8382

    SHA1

    2c6ba30de1a1a40b653f47bf1788f285fdc3f985

    SHA256

    5a402eaf7bc2108b86809c28f5f097bb9972e8d92148ce64c0c8153cc1cc1f0b

    SHA512

    320646bb6f18004dc1dfa9f7b0152211fe1d7ac253a9a7b4356bfb8404d0a3a547d91c25a911b4d0f5e9b0beef9bdc649e8e71aebe4940fc1ddbd891085f40f2

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    5e59b5e88103db48edc65ccd92ec0bff

    SHA1

    aeca08ab9d5b328ea789d44ba5c23be848be36a5

    SHA256

    6b795ebaee7f7d889c4af478673c37986d3a4df1db2457a09742a655acaf5fba

    SHA512

    897d5373b5c726fd837e88f71863b3fffb3ae5712662907fe0f13975f32951be91de8effe272c9c542df765a6f2079d02a14f593f761938665fd2af0a8005b68

  • C:\Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    68c47e5f6cc0662081be5dfe12cddb42

    SHA1

    31acf71c702e9d9bf4ae70da555ca81e1d532fcb

    SHA256

    1d8e8132ee4d00011bfd8c36847bc082b47c89cce6ca792437fcaa143baffc36

    SHA512

    53c6684e526774421bc252e7446a3345f53b27c7108455f234c83ad241a3ed5b582a3e41ae5ddea15350bedaf50baf8a18fa74b3328880dcf131bfedac8b0359

  • memory/3332-24-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/3332-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3332-23-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3332-12-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/4480-30-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4480-37-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/4480-39-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4480-40-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/4888-21-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4888-29-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB