Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/01/2025, 22:25

General

  • Target

    a0c0b3398d8ef4bdba250e645367c6158ee071cac0c80d514c47ecf7cd8bf0faN.exe

  • Size

    75KB

  • MD5

    6b5286a12d2277003d4e89d71da6aa10

  • SHA1

    6cbfe852040407428811750f393e5e8c3eac5111

  • SHA256

    a0c0b3398d8ef4bdba250e645367c6158ee071cac0c80d514c47ecf7cd8bf0fa

  • SHA512

    5584062fad68dc5a6be70db5a152dc3ca3cc6e0f8d29349d99f4fb7657076ed7404fb47a2aaccb6e4c407b5b4f5c66f4c3a8d382ff31db62879977a7c3fa6220

  • SSDEEP

    1536:Zx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3E:DOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPM

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects a file that is packed or protected with ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0c0b3398d8ef4bdba250e645367c6158ee071cac0c80d514c47ecf7cd8bf0faN.exe
    "C:\Users\Admin\AppData\Local\Temp\a0c0b3398d8ef4bdba250e645367c6158ee071cac0c80d514c47ecf7cd8bf0faN.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1092

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\ctfmen.exe

          Filesize

          4KB

          MD5

          e0527cd227017182aca0abb62f89dda6

          SHA1

          8548253801de1eb203133952d8a043beac0c2fbf

          SHA256

          87ed721938697c565fcd27b5a1db32bd4a64f82bdf3843aba66e441cd3ca04ac

          SHA512

          0f2838726a2d5e2cc421d01a6b9f76f4e985a93e70267ac8aea9d6f3dbd178513c4c063d4e4c41d07402a65943d8d11bc0f739269e45df882fc36638a757ec19

        • C:\Windows\SysWOW64\grcopy.dll

          Filesize

          75KB

          MD5

          c50957b2dda6d78d6485182f69660670

          SHA1

          f2fba64b1cf0cab4521781feef92a4d593416bb0

          SHA256

          e52c464a6f14c9d209ace5a13865bd72d63666644825857deb2aa8025587fc8c

          SHA512

          3e7cc6c24587349c1f6e4bde22374829b694200d1ff07b0d5fdbb9aaba15bc0401a1326270f5bbaca7ec11e2ad758bfccfeea0e7bba223d8abcef930012cc910

        • C:\Windows\SysWOW64\satornas.dll

          Filesize

          183B

          MD5

          f38594ad2d39a6ca39f091fc89470503

          SHA1

          0d5a21b5c86785b60e3574dac82539651e7d7051

          SHA256

          5bfbdf8607003a1dc2498e8f0dcc8c875618372a2490b45bc2d2ee2718f9e8f2

          SHA512

          4488ce445f924c647b376c57817cc0785e9c4714ce7fb1efc1d452d83aa63f0185c069a266909a7153d2e9b641a2199f16a38785c2260ab642d083fe4c3e9fb4

        • C:\Windows\SysWOW64\shervans.dll

          Filesize

          8KB

          MD5

          dfb845848a899a6ffaee0ef483039d27

          SHA1

          acee41123b6715cd51296fc223c34d72c1478579

          SHA256

          0805ccbbd9a8e333963b5e47663078055cf547b99642c521f66d1bb39da75c38

          SHA512

          a3855e307c401846dbc1dd204bfa57a1b67c9de601dba8c99a581a74c8bf8619d5176395b41d781cbb65dc71c32e1900e750fb662823d5d6e384fd158978a106

        • memory/216-27-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/216-20-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/1092-37-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1092-47-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1092-57-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1092-35-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/1092-53-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1092-38-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/1092-39-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1092-41-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1092-43-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1092-45-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1092-51-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1724-21-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1724-11-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/1724-23-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB