Overview

overview

8

Static

static

3

d592d4b829...99.exe

windows7-x64

7

d592d4b829...99.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2024 02:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d592d4b8294185793c33562d54931048192717869399de71517d73d5f29a9299.exe

  • Size

    2.3MB

  • MD5

    4f788fda7994fd4cdd3611b30bfd4663

  • SHA1

    a52ef8fc668943131b4d0ac875e4722e2f0b035b

  • SHA256

    d592d4b8294185793c33562d54931048192717869399de71517d73d5f29a9299

  • SHA512

    8bd9cbe9a6322eaecc50d4e4c2156696593d0b1bc53416f00ca5005642d0bb48e57a26ce884ae6212d6026293684051b026592d804417bb0d70653a466e82505

  • SSDEEP

    49152:3jvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:3rkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Score
7/10
discoverypersistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d592d4b8294185793c33562d54931048192717869399de71517d73d5f29a9299.exe
    "C:\Users\Admin\AppData\Local\Temp\d592d4b8294185793c33562d54931048192717869399de71517d73d5f29a9299.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 972
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    b5a8ac0c020379ad2a7588d1f8aa9289

    SHA1

    2e18f35813ccdaa5a1d01aab0aac97ad032bb9b1

    SHA256

    ac59716697ae3b749af2e07447758d6395982f070baa94d94b2228e3e2c5641d

    SHA512

    099139cfb960de6c072e590a170fe7f1d13a1b803468a06e55e5b3adc70e0e15b32e6698265350dd2ca75afe8a6122bc82bae5efe4499a6f168cf9c8f88ed8cb

    Download Submit

  • C:\Windows\SysWOW64\smnss.exe
    Filesize

    2.3MB

    MD5

    1534a59868e211d1cacfe1b4e13a0ebb

    SHA1

    b624fa19500e6533027b8dc01cdbd1f555f870d6

    SHA256

    82de88dfdc5179cb0516e5a2922f842df3213c0cf688306b492eb1c2f16632ef

    SHA512

    1d01da6574280927e3f4c6361841f0bc1272f15c56c94256d68302583d375cc37181fdcb3324c6a5523f453e9315d3316979314b6e0c60008ef648bd805f9dc9

    Download Submit

  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    4204d1d71fce99af90bfab9d348eedcc

    SHA1

    3b925b0b0f3ac5c7c376983cca5953168b0675b2

    SHA256

    e55248b015e1c017257fa5f670636dc2059ffa8a229cf08f2626474175b600f7

    SHA512

    d93cafaf90019e6263bc55f20e4f6e6695f575ec0d6fbfa67059b402730a83792824a8978c6af52ebbf9b052c64b8151a5d317efd388c11b2a6251f3397acbbe

    Download Submit

  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    89384cba3c7151edfb4e0494edfa0632

    SHA1

    0aaef4efa092f0d49ff3a3313210bf0fdb465b35

    SHA256

    aa72e02e93372e86135ed9ce1e5610ef8312c118d00d5b1be956b48a1ef8d8db

    SHA512

    be9f1c3c618e14887644598b3a56db5a0c5703d659759aa73a7e830f417903f1e56731485f2b82e674486de8fa331c738cc3d6135b875b5c7b5e60bf64b289dc

    Download Submit

  • memory/1300-29-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1300-36-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2000-24-0x00000000001F0000-0x00000000001F9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2000-26-0x00000000001F0000-0x00000000001F9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2000-13-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2000-38-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2000-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2000-31-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2000-30-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2000-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2744-39-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2744-46-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2744-43-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2744-48-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2744-51-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2744-50-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2744-49-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download

  • memory/2744-55-0x0000000000400000-0x0000000000DCE000-memory.dmp

    Filesize

    9.8MB

    Download