Analysis
Max time kernel: 117s
Max time network: 117s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 09/11/2024, 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: ddadc893682e81ccd25df9f834e2d8702a9ae6761c7ca4ee96bd72fdb86fd84aN.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ddadc893682e81ccd25df9f834e2d8702a9ae6761c7ca4ee96bd72fdb86fd84aN.dll
  Resource: win10v2004-20241007-en
General
Target: ddadc893682e81ccd25df9f834e2d8702a9ae6761c7ca4ee96bd72fdb86fd84aN.dll
Size: 8KB
MD5: 8e008023fa26af3c1081b97318e98b60
SHA1: 6748b072c1c74e26fd99113585fc5318212fbfa0
SHA256: ddadc893682e81ccd25df9f834e2d8702a9ae6761c7ca4ee96bd72fdb86fd84a
SHA512: 4622f85407d2e33b88ebe48e5fff4c444d4f298afd104ca3265a9635e8984a43320314b0d310d694011005f6c6ed03d0e8ffdf42b4eb3570e0cb56756a54f8dc
SSDEEP: 192:fh4SFyvWohE5xf6YUBSL63SUJqtMblWN:fO+ohE2B13NJqtM
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" (process: rundll32.exe)

Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\satornas.dll (process: rundll32.exe)
  File created: C:\Windows\SysWOW64\satornas.dll (process: rundll32.exe)

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rundll32.exe)

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1744 (rundll32.exe) wrote to memory of PID 2004, procid_target 28 (7 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ddadc893682e81ccd25df9f834e2d8702a9ae6761c7ca4ee96bd72fdb86fd84aN.dll,#1
   PID: 1744
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ddadc893682e81ccd25df9f834e2d8702a9ae6761c7ca4ee96bd72fdb86fd84aN.dll,#1
      PID: 2004
      Signatures: Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery