ebf193727453354bde7b58568a82f497806b57b242a54ff67a34929fcc4abd38

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 11:07

Target

ebf193727453354bde7b58568a82f497806b57b242a54ff67a34929fcc4abd38.dll
Size

8KB
MD5

1c5cd2fa37d8eee2ddd880254f07875f
SHA1

63e7a0916961a1cc8f61d236eb5c28c7adad0c7a
SHA256

ebf193727453354bde7b58568a82f497806b57b242a54ff67a34929fcc4abd38
SHA512

e91f22985238055c7ecc2e72b7fc094fa8777500b6db8287afa33ef911b550fbfa0eb65ae9485232756b66abdf62a09e8e16a9d4898039601aa58236f1fd71a6
SSDEEP

192:xh4SFyvWohE5xf6YUBSL63SUJqtMblWN:xO+ohE2B13NJqtM

Score

6^/10

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\satornas.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3248 wrote to memory of 4728	3248	rundll32.exe	rundll32.exe
PID 3248 wrote to memory of 4728	3248	rundll32.exe	rundll32.exe
PID 3248 wrote to memory of 4728	3248	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebf193727453354bde7b58568a82f497806b57b242a54ff67a34929fcc4abd38.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebf193727453354bde7b58568a82f497806b57b242a54ff67a34929fcc4abd38.dll,#1
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4728