Analysis

  • max time kernel: 118s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 21-11-2024 10:54

General

  • Target: f08c886c349f5f2e5e9f14a1ae59ce832fd0a6b6efaedb9312ad7fc284cbfff6N.exe
  • Size: 195KB
  • MD5: 8b474754e41c9238bb84dbfc8adae740
  • SHA1: bef5d669376f4ca3c3bb50260050609ae910c135
  • SHA256: f08c886c349f5f2e5e9f14a1ae59ce832fd0a6b6efaedb9312ad7fc284cbfff6
  • SHA512: c6ea5d17895e15e8869c4fc11a45d8c91138dd450f9c53ea9cadab333932c763d2ce4f3bf553c7e3f46ec9d978c712f1dba9bdbd7d6a1037c52104845b39c932
  • SSDEEP: 6144:zIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCyOW:WKofHfHTXQLzgvnzHPowYbvrjD/L7QPo

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f08c886c349f5f2e5e9f14a1ae59ce832fd0a6b6efaedb9312ad7fc284cbfff6N.exe
    "C:\Users\Admin\AppData\Local\Temp\f08c886c349f5f2e5e9f14a1ae59ce832fd0a6b6efaedb9312ad7fc284cbfff6N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 840
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize: 183B
    MD5: 26acba92c884e9b83f9762230b047390
    SHA1: 3109fe8b3caccdd831c4a3e507c135b49b9daaf2
    SHA256: 1fe28ab2c42b16ed5b7f08972d3534ed5224224d6c270f17259a41f5bd4285cc
    SHA512: 2825008c36a7a8cb970c33f4df0cdbdd8b2d26c7116f0350f7618db799fc009b80a631e4ba16ee37f0e3107a43896a3916fc2d1d56c664e01822bb20d3a10ecb

  • \Windows\SysWOW64\ctfmen.exe
    Filesize: 4KB
    MD5: 2c12607918843baf0b8e5e2f24348616
    SHA1: a84eb384d58b7c593ce33e480a63604616ed3bf3
    SHA256: a7289f314e1af40d6a35567e25c120a2a20ad4864aa0dbecd501be902f1df98d
    SHA512: 8774beefb31dd8bb7a75b52974c5d4fb2966106fa069abad62bc4fa4d18d907c3826db185c3f2770ebc620cc3352e968982d69c4a4588172e1f26b26b68e34c9

  • \Windows\SysWOW64\shervans.dll
    Filesize: 8KB
    MD5: 47224423397f327020bad376ead7b63f
    SHA1: 41c7140fd0e3ec720f41ee9e953ec57f5277952a
    SHA256: 45d30a1f52bd3351f10d58401aa15e434a5ba23a76e1f1804da95b92535d87be
    SHA512: 2fd3f8969c87b0feaec3707548d04afe20ad01a7ba28cf76ffc628096f0352928e77261f37f3d1797fd3afae2bad7b9a582a94d47d02938cf78491ec02ec0665

  • \Windows\SysWOW64\smnss.exe
    Filesize: 195KB
    MD5: d274a4c812716f7afa39bb41b1c6c69b
    SHA1: 08cc952268592fe99d45ab191096b8ef82aec749
    SHA256: efcfd2e4d1f0a1b2278db44ef26f7ead62803f05cbf8a30b20ad70f93b803779
    SHA512: 3249bfd64157ffc0fc8639acd1e4d1707e7298de6f67a22662f618596a395feb8417694fcb41d5da69f338188fc224538a9d6427b44e9f78aa8402180a9cbe2d

  • memory/2084-25-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB

  • memory/2084-26-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2084-19-0x0000000000340000-0x0000000000349000-memory.dmp
    Filesize: 36KB

  • memory/2084-0-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB

  • memory/2084-12-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2140-37-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB

  • memory/2140-43-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2140-48-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB

  • memory/2140-49-0x0000000000400000-0x0000000000439000-memory.dmp
    Filesize: 228KB

  • memory/2264-28-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB

  • memory/2264-30-0x0000000000320000-0x0000000000359000-memory.dmp
    Filesize: 228KB

  • memory/2264-33-0x0000000000320000-0x0000000000359000-memory.dmp
    Filesize: 228KB

  • memory/2264-36-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB