Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/01/2025, 12:12

General

  • Target

    9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe

  • Size

    118KB

  • MD5

    451fc8e6b2fc51f4930faaa1b82650e7

  • SHA1

    1700c83af85d787a952acfcec2d26879d91d2689

  • SHA256

    9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976

  • SHA512

    c4eb0442e24a7112e64cd9c0fc31b179133b1328b0d59cc0e612842b96226d358fa67dde6cecf403b05497169fa73ae658186f535bf751c0c4dbee58f93fe055

  • SSDEEP

    3072:3OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPn:3Is9OKofHfHTXQLzgvnzHPowYbvrjD/k

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe
    "C:\Users\Admin\AppData\Local\Temp\9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2760

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\satornas.dll

          Filesize

          183B

          MD5

          3f0e3793a580300661f5b1ee3a71f491

          SHA1

          87689d4ec02976f7f51dc87b98da4a97cf56f34a

          SHA256

          073de8fe9d618039175423fab412fa6bb8b9db534b1d15cda2889c4064396f5c

          SHA512

          343d855ee711a9d22c744393b7512c261215d887263221b0354fe6bb6dd45d1b04873710f49f0627f75bc79bbb899e65814662c870eaa0ebe3a2df6c4dd5eb8a

        • \Windows\SysWOW64\ctfmen.exe

          Filesize

          4KB

          MD5

          e3240cc40ac57876c9efdc54fe96f09d

          SHA1

          1607d0133f0634ff44fb3634a9e4c3438ed76728

          SHA256

          f46de933ba786a0ad13acf6bcd8fc4bc6260d1e1ed9f65cd35e2b162aec79e1c

          SHA512

          18d5afc469007d486ea83657b624c65a7641743773b024af6890bd0c97fd492aeefebb15c3b671daa3315511fe1302a5662c8e1777ad87d6e7f93eefde4bbad2

        • \Windows\SysWOW64\shervans.dll

          Filesize

          8KB

          MD5

          ed89bde8a63662290b9685060d858e92

          SHA1

          380fbe8db9a3cf2a7103b20ece64f56005399c81

          SHA256

          4c7fdbb661aafa9948940094cf568c49de5ea320315e980a12df9e16f5e13c3e

          SHA512

          454a245df35e7a570afad5577bf643b874f111fcc13bd85601333c0836033a3b352d7a69213cbca07f400eaa76faf888daf151eff30e76c1ce772b5a97d12995

        • \Windows\SysWOW64\smnss.exe

          Filesize

          118KB

          MD5

          2cadcac75adc1d0281a6ed28ecb4ed67

          SHA1

          a03f6ec018f67077ff141da8d7b74d0eb722c679

          SHA256

          e4a2ba278adcfc0882a37f7c5564eba75b97f05819767a8197aef262613253b3

          SHA512

          386da8af8c56a7fafcce998c45b16655da729d1ca258fb30c29a5ff47f363969a666a45b0878d84797fcf6f714d1218fcbefd11efcb8c08ce710a5ac082304be

        • memory/1840-27-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/1840-0-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1840-26-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/1840-18-0x00000000003C0000-0x00000000003C9000-memory.dmp

          Filesize

          36KB

        • memory/1840-12-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/2760-35-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2760-41-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/2760-43-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2760-44-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/3048-28-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/3048-31-0x0000000000320000-0x000000000033F000-memory.dmp

          Filesize

          124KB