Analysis
-
max time kernel
93s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-10-2024 18:54
General
-
Target
10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
-
Size
119KB
-
MD5
9828271777175cea0ef2f6da99e29517
-
SHA1
4a734bef63f42cbbddbb429bb2f845bf80d3a4a3
-
SHA256
10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd
-
SHA512
45bb9d2815510636f1a97fb56ef9231d9250edbce50506e472ab19965a72047431c7448f6621823743ef9be5fa32a81fdd2e73962780dfb9c734fecf6a882c05
-
SSDEEP
3072:0OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:0Is9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 12 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe"C:\Users\Admin\AppData\Local\Temp\10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 13404⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1772 -ip 17721⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD588b7ff42027043614bd546d027ce593a
SHA148eafc4f228abec5e6b4fdc37eadf599f5b693a2
SHA25652bb93b10f78cf21b5808ccd3f42f0dbe0258c9e118623b87b14b9da51d021a9
SHA512c726bf13ebfb14bbf3ebea01ea62fb0c130dcfa8c6cc0ea7ac0b92fd07a513946beb3585be000288f59062d879bdf28f8bfa69b70203a78828ebdd00a34e30da
-
Filesize
119KB
MD5aacc77489c66b3e0f396167d8a4fc31d
SHA1a713816de135c6a2b243476b7854d3032aa5ed65
SHA256d4c6cf9a2054141857a2bdb4d8710407860e4b0f0e7b9e90c96aff21fa359415
SHA5127389298878fec6a758c2b89dcb4a40ca51406deb39aa36ed9d4b804f0bb8aada837d40ad5caddba3ec663df9006c1affd30d37a2820d7f4c486d35a0f6dc2b53
-
Filesize
183B
MD59f1911f5080172ec5f3895f6f438359f
SHA18ebb88013b76b76b2aa7e09a788850ee0467f6a8
SHA25604f835d45eb8f512b663436a01d5cbfc0b3f113b6d9e2c406a9fc68ffc2c26dc
SHA51211471c87ff7a9cb1969516b066dbb0c42c482ccd0dc51f5a91af0afd00667876329c0969549046d25a8213cf0321998e5d7426cf283713f6802948184bfc4e08
-
Filesize
8KB
MD5e0958bf5b957f9c3abb55c0e39452732
SHA19af0fc62ed930837ba5b87eacdbc3683011a0528
SHA256d48412a9ac82fa4b2df3ab6e44dabbca4fde713000450f210d9d53e210a9990f
SHA512d007b8d6239b36a78a965d33d956f56ff2c2b6ee7fbcdea6e17ee319cceb7ba2c6d530b2ab91b46add973125822475912afc2e7f1cfdff2f17eec6301a32d0d6
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
52KB
-
Filesize
52KB