Analysis

  • max time kernel: 117s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 15/01/2025, 22:25

General

  • Target: a0c0b3398d8ef4bdba250e645367c6158ee071cac0c80d514c47ecf7cd8bf0faN.exe
  • Size: 75KB
  • MD5: 6b5286a12d2277003d4e89d71da6aa10
  • SHA1: 6cbfe852040407428811750f393e5e8c3eac5111
  • SHA256: a0c0b3398d8ef4bdba250e645367c6158ee071cac0c80d514c47ecf7cd8bf0fa
  • SHA512: 5584062fad68dc5a6be70db5a152dc3ca3cc6e0f8d29349d99f4fb7657076ed7404fb47a2aaccb6e4c407b5b4f5c66f4c3a8d382ff31db62879977a7c3fa6220
  • SSDEEP: 1536:Zx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3E:DOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPM

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0c0b3398d8ef4bdba250e645367c6158ee071cac0c80d514c47ecf7cd8bf0faN.exe
    "C:\Users\Admin\AppData\Local\Temp\a0c0b3398d8ef4bdba250e645367c6158ee071cac0c80d514c47ecf7cd8bf0faN.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 852
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2616

Network

        Downloads

        • C:\Windows\SysWOW64\satornas.dll
          Filesize: 183B
          MD5: ff4ca4fe6621dcae93864dbcfea2d82a
          SHA1: edfb10902baa01247a749e0ab98a3abdf8aeafef
          SHA256: 54e834bb8a01875a724691e7e38516ba49fc52a5dc64ced50cee13b99482d2c6
          SHA512: 5c0bda13c1ef3c6edaaf73840493043126f2a71114c26893450183ce170f3ef1a3c1ec7ce4915c5097fc9c006575a3298475eb2a3ce277d6199496d5e1caa63c

        • \Windows\SysWOW64\ctfmen.exe
          Filesize: 4KB
          MD5: dc29998ad360df5847c83c4b0df56e9a
          SHA1: b5e82f9f0f67710b0d2142c389010b93b2abf4da
          SHA256: 55f8574a16cb8338b83c5ccaf5886ac425c6cf91066663c4853d1e81a8c978ad
          SHA512: 98bd1b82efaf164468c2619b9330fefe91e7f3bb54df27fdf4d79e57cd9b1c79c16c820aaa4eb7ee45106ec593640f44297c47b067ab988cfc7d929b8da61fa9

        • \Windows\SysWOW64\shervans.dll
          Filesize: 8KB
          MD5: d00879f5c6a3699708cbe90e548d86be
          SHA1: 5c1ebc3c7cd9e49180dd2e25dc2308d94bb460db
          SHA256: 90266c6d41f5e5014920490fecbf65a4f76c87501e4def4c7c80561689d34843
          SHA512: 0643d2dd7bcfc5f04837c37787b8d8f8339fa99a427061edd21fdb5f87ce07a364d15e1675e5697e4e391305d71341b619c3e9a4c61b798dbb1c5b26a266ade8

        • \Windows\SysWOW64\smnss.exe
          Filesize: 75KB
          MD5: 40ded4942d8a5522d0722291c0bb4097
          SHA1: dae5d68052d8089371734590a705ad8e8d565037
          SHA256: 3b8626a4cbc1a557760f688a8288182e8b1c6703f3988e5d6b3141e73a9a2485
          SHA512: 438b2f9b1a8f1633e45879893b482697774ae4098e3b8351a39d416ded997d5f8c5a21c8580ca526c618c91b2f78d4f4571676a3c644f2f1081293a4caf1545f

        • memory/2216-27-0x0000000000400000-0x0000000000409000-memory.dmp
          Filesize: 36KB

        • memory/2460-17-0x0000000000340000-0x0000000000349000-memory.dmp
          Filesize: 36KB

        • memory/2460-24-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize: 112KB

        • memory/2460-26-0x0000000010000000-0x000000001000D000-memory.dmp
          Filesize: 52KB

        • memory/2460-11-0x0000000010000000-0x000000001000D000-memory.dmp
          Filesize: 52KB

        • memory/2804-38-0x0000000010000000-0x000000001000D000-memory.dmp
          Filesize: 52KB

        • memory/2804-40-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize: 112KB

        • memory/2804-41-0x0000000010000000-0x000000001000D000-memory.dmp
          Filesize: 52KB

        • memory/2804-45-0x0000000000400000-0x000000000041C000-memory.dmp
          Filesize: 112KB