Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19/01/2025, 11:57

General

  • Target

    c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe

  • Size

    75KB

  • MD5

    6ed5cf8d1cd805767d358e6edad16bd1

  • SHA1

    a59441161e0b150e0bc8868780dc7ff5a633205c

  • SHA256

    c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7

  • SHA512

    6baf01c79a45e1289008dff1b9fa56ba9813239eae1b9848c32ac36c0148283afe2ce109109debed1aca5f2083b13ff9f928c36fb497df0041baf8751f7ba197

  • SSDEEP

    1536:4x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3E:wOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPM

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe
    "C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1208

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\ctfmen.exe

          Filesize

          4KB

          MD5

          293dfbb7f42232418a1ce0dbc91f0da9

          SHA1

          705675b56025c53dd660d66a2db2f973feda9459

          SHA256

          ac1dbc74c7b581fc2e15e0fd67bee7e1deef399abb90eb6901e71d0b05f12fa7

          SHA512

          527352556b1d760abea8e7fb6ad74fea87505b5be5dc3b3663e4931d0e35b3b746a2aad9aa1c5a369109d0c799ee5da012a02036a8aa9bf32baad6eedbc1ff10

        • C:\Windows\SysWOW64\grcopy.dll

          Filesize

          75KB

          MD5

          4ae3bdb4a44783fad05e73e3f7e91e77

          SHA1

          61bd8063ac040da93414017e4839e54a9ee35dc2

          SHA256

          1e8abc776220f4c42d26644c359fee7287a9cc77a5c6c020d5bc55e3ce478cc0

          SHA512

          e84927d30d7df7014d64ccffd2455d6365596c38a62d663a1429136c6eb47db4e65502c2590b959a7a54d6de4e460386a2e55975c692c782bfd484dc1a58b74b

        • C:\Windows\SysWOW64\satornas.dll

          Filesize

          183B

          MD5

          26ba6f8354e11d00f7e51e35d794f73a

          SHA1

          82cb5e7aa36447dff247e529e951a2dd1bcc1e96

          SHA256

          7db78f120f059eaceeb29455fd15b1a44b9aa1cd435d6068d1ff30bc6ff4d47b

          SHA512

          91ea98db4b794b7d3f7bf0c8dbdaa2984719a9fb0642e660e4ba84f352fc92ddcd56d98aa1cb8c444327637271eb86cb70cf51490ece9fd4ffdb6c93747cc069

        • C:\Windows\SysWOW64\shervans.dll

          Filesize

          8KB

          MD5

          4ddcfc2840b95028ff4045917bd2e333

          SHA1

          749e7ecc4a0fae91656532e68c1240668c9f725c

          SHA256

          69a173d66b46bdb2471ca6bbc7593b16ec2aa171c4294f1e4a99a6112625aefc

          SHA512

          6e4f5ff11440d168dc710544bd18b9a46aa0dbf4312d60a5448e4cd87e59cc9c06b70faeeae76244f8352ac9a4f78c07453982ee21d875e252ad7f9c7ed81c6f

        • memory/1208-45-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1208-38-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/1208-57-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1208-53-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1208-36-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/1208-49-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1208-37-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1208-47-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1208-39-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1208-41-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1208-43-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/3192-11-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/3192-21-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/3192-24-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/3304-20-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/3304-30-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB