Analysis

  • max time kernel: 119s
  • max time network: 122s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15/01/2025, 22:23

General

  • Target: 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
  • Size: 195KB
  • MD5: 3b76ea733003ab39d0c2b8762ab11bf0
  • SHA1: d605ba5122feea002f525c13fec78b32e6703d91
  • SHA256: 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea
  • SHA512: 445a39910a68a206ad566a0aa04f8193ae155cfbed7b0d33f511453bc38aaf6f15f32503f8c80cd9209438f1563738d675a11021259bbc89b0df68cc06488541
  • SSDEEP: 6144:JIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCyOd:wKofHfHTXQLzgvnzHPowYbvrjD/L7QP7

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
    "C:\Users\Admin\AppData\Local\Temp\51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4376

Network

        Downloads

        • C:\Windows\SysWOW64\ctfmen.exe
          Filesize: 4KB
          MD5: a3e87a358da6ffad09c48e560c56acc6
          SHA1: 2da4c7cfb1a48cee8b64d39d8a5f6ba8ef6ce327
          SHA256: 9038343cf3317b968e3981b6494f6fd7947c10ad64c51e24034d87f3a2c03557
          SHA512: 4ea57dce514b13c0ee94405f7bd88be7c193650934ec1c6e730eac1a474c39a8c7efe8f4e8725789828e061baecb40d47d3f23e2ca66d57935465e022bd9c618

        • C:\Windows\SysWOW64\grcopy.dll
          Filesize: 195KB
          MD5: d00aae7543ae2e486b9ad9c13900a55a
          SHA1: e70eb92f8f751a2b6440bcf45ce0807add058ddb
          SHA256: aac324bf60ebc22e2967d8adf3016bf82d10f954f5afee7b877516d7b33fcee3
          SHA512: 8d69f40a1c8bdb7954f061869e91858b44fa25ac6b5a1a3259ce0baca5772787270663c89a2f0ec93912269ee18583fc1623c8bdbaf80b09d952afb3396ad9c3

        • C:\Windows\SysWOW64\satornas.dll
          Filesize: 183B
          MD5: 23a2b15488122105ec233ce0c8feec17
          SHA1: 6c7830d627556d764be94c216c3f58358896f700
          SHA256: 5940cbee51cceaa30b18c21541e675c490274d8b5083c851b17713a855f9de8c
          SHA512: f22d21b0fc3daf4a1622fcdec901e219f3d3d71ff2f631d11044a78888af4c1984f8704256b2e6aea97a5c79d46f580ff185bc1c6c0af38db54e87226f75b83a

        • C:\Windows\SysWOW64\shervans.dll
          Filesize: 8KB
          MD5: 321743919b662035e772c1808c95dcdd
          SHA1: f0cd6e45bccb298ff0b1d0e6fa5028b59d340705
          SHA256: 6af086bbb14e7163c08e9e0d6b7533713c6cfd82cf6d9412a7828295a4a5d003
          SHA512: ed499fbf275502ad4dac327dec7bc50085427a476881489cccbdcbb1d0f5abea6330b696ee8212bfa70847d5ee8022441d3f6ed34a746df51db20acececfbc26

        • memory/3696-31-0x0000000000400000-0x0000000000409000-memory.dmp
          Filesize: 36KB

        • memory/3696-21-0x0000000000400000-0x0000000000409000-memory.dmp
          Filesize: 36KB

        • memory/4216-23-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize: 228KB

        • memory/4216-24-0x0000000010000000-0x000000001000D000-memory.dmp
          Filesize: 52KB

        • memory/4216-0-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize: 228KB

        • memory/4216-12-0x0000000010000000-0x000000001000D000-memory.dmp
          Filesize: 52KB

        • memory/4376-30-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize: 228KB

        • memory/4376-36-0x0000000010000000-0x000000001000D000-memory.dmp
          Filesize: 52KB

        • memory/4376-38-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize: 228KB

        • memory/4376-39-0x0000000010000000-0x000000001000D000-memory.dmp
          Filesize: 52KB