Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2025, 12:12

General

  • Target

    9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe

  • Size

    118KB

  • MD5

    451fc8e6b2fc51f4930faaa1b82650e7

  • SHA1

    1700c83af85d787a952acfcec2d26879d91d2689

  • SHA256

    9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976

  • SHA512

    c4eb0442e24a7112e64cd9c0fc31b179133b1328b0d59cc0e612842b96226d358fa67dde6cecf403b05497169fa73ae658186f535bf751c0c4dbee58f93fe055

  • SSDEEP

    3072:3OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPn:3Is9OKofHfHTXQLzgvnzHPowYbvrjD/k

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe
    "C:\Users\Admin\AppData\Local\Temp\9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4516

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\ctfmen.exe

          Filesize

          4KB

          MD5

          0d38270421c9969c2ca02d62bdef1bb5

          SHA1

          0cb2d500096cc2a9736a622b4bd1f50b590f0d65

          SHA256

          b4f562a714502b5a649ad3d5bffda9d17de5bcb41da6deb482e273d078c57a60

          SHA512

          71d891d9baf35cbc7e3a30f1bee7a75cbb1e8dff1fa7bc2f3094e1cb77a0675ddd4493a0ffcd5de011f33759bcbf4a6ce319ede4883604fc46c7e3f900f545af

        • C:\Windows\SysWOW64\grcopy.dll

          Filesize

          118KB

          MD5

          916df0173cb2cde9ff93cfa58570c4e6

          SHA1

          f54001317446d7d9568e24d664b763c078ff1d29

          SHA256

          63ab5356be61ccc5186cf06282694d2dfce1de753dcec4565667bd4e3d726baa

          SHA512

          f3db6327a928a41752fcae6381a4d248e35a48f0ef264cb5bd7728b8296ed79b016ab89cf741cd02ab1aa29f4ac040456540d8cbe17fbb0a799403fbff62467e

        • C:\Windows\SysWOW64\satornas.dll

          Filesize

          183B

          MD5

          bcb31bbdd02911c2929b869e2e6ac15a

          SHA1

          5a042c400d3850d6c77f0ab6d22a0e18dfaab82b

          SHA256

          e6ac5cbede18dfffaba220696f8b13c4b62de28887f6ec09ebde159301a3e4ab

          SHA512

          57bb126e6d193f5fbb65bd48b10636f90cf2a63b5b602ea120a94c9aaaec2bb30f3abe46391b1767e040c4b71e9444afa897edfe412749608abd66900b3098c2

        • C:\Windows\SysWOW64\shervans.dll

          Filesize

          8KB

          MD5

          cd154e2343c95a7e31fd9d0c8ab3fd41

          SHA1

          e86b0252da918426c8a73287665df92248066470

          SHA256

          0a1c584cd3adc8c07117dbbcd2e5fc2c00586ef27a95921496f30fd28be04b96

          SHA512

          f9305691276f413a91a5567b0176f4350a0c0bf3ddea0c4d842bec0e35f25574a4e8bf530497dfdcd54a538625e89a5a5c74c4786a1830864541a55060ddd1c5

        • memory/3992-25-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/4516-36-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/4516-31-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4516-38-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4516-39-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/4900-23-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/4900-22-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4900-0-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/4900-12-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB