Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2025, 19:20

General

  • Target

    485de7cbcbbc96423abd1fa19395c34135b0e8f5543c81232bcb22aa489f9094N.exe

  • Size

    352KB

  • MD5

    3416587688008dcd1e13fd3c048c3720

  • SHA1

    8ec11179a9c92f7ca4b51edda09f43e600516ae8

  • SHA256

    485de7cbcbbc96423abd1fa19395c34135b0e8f5543c81232bcb22aa489f9094

  • SHA512

    b2314e06412d520003c39d061a63ee103b01e48212ff33531f22000dbca84e942a17a14b9f411336b0f3fce5a6f8adb3b7a744cb4a4f1e91545376907c015db1

  • SSDEEP

    6144:BIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8C:4KofHfHTXQLzgvnzHPowYbvrjD/L7QPq

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\485de7cbcbbc96423abd1fa19395c34135b0e8f5543c81232bcb22aa489f9094N.exe
    "C:\Users\Admin\AppData\Local\Temp\485de7cbcbbc96423abd1fa19395c34135b0e8f5543c81232bcb22aa489f9094N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize
    183B

    MD5
    dc2aafe36925a6dc4e3c7ef7f4d5fa94

    SHA1
    d2e84e8d1a3a33203fe87869169c2f4715e56bde

    SHA256
    c4a5880ed822ed289531798fef428e8224ecf6444e511b1789037ebc6cb2e0ce

    SHA512
    044fbfcaef06b5d97fbf3e9cb47ca482d80cb7cc9a4125e53875693d4f0e85671d1a0a3c9509f549b29399d9c7638f8ebba8dda66f2a2fcf3fd8d19e60c2968b

  • C:\Windows\SysWOW64\smnss.exe

    Filesize
    352KB

    MD5
    e671053fa581ff413448957ff83a9bf3

    SHA1
    5b58e4a2ad99c0a109ca87ccd09c068e93254897

    SHA256
    6cf31475c7ff6f868b6097ec55d3fcf6dedfc80500bd2b9cf96a2b14908f398d

    SHA512
    4cc35b237f4b14a0aea9ba74094c11937f723da6492058179adf4f33b9eb78f04d75531e7e66e1cdcd9f8f297466be28c862b423002c09aa737b40a49d8ec753

  • \Windows\SysWOW64\ctfmen.exe

    Filesize
    4KB

    MD5
    4b0467702bc0b523007d0a2107c83d0c

    SHA1
    692f0af8cba118bf8f757f849947597987e9e6f4

    SHA256
    a5fc534653e8641bf4465ddfe30c4cb26b39967fbc2e5f0997002eb987fa3f89

    SHA512
    a8b0ff505a8b3a6a654417532a555d4f5960d6c8cae9f88791a2da0cd18ec112ca427fd794d4b180d3d9f481ade8a44f266f63dd6241a68bc7dc35b955374114

  • \Windows\SysWOW64\shervans.dll

    Filesize
    8KB

    MD5
    5ea126d5a97c236514f2f57a74ad1690

    SHA1
    6e90b771cd6b2e4b80c665c8c199491df2e3a247

    SHA256
    143ef7d377627d4532c3fe33ba1dbc1f5dc90e0d4a7ab685bda72419f0de5ca2

    SHA512
    3ae2a268c67992a9deb96085b1cbad4949309ba4482644c5040b9b9af1cdb87d57925b6ec2cc3a89df57442a40001ca2f2e12b2f0faf8397103d2580d2c98945

  • memory/2260-26-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize
    384KB

  • memory/2260-27-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize
    52KB

  • memory/2260-0-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize
    384KB

  • memory/2260-18-0x0000000000340000-0x0000000000349000-memory.dmp

    Filesize
    36KB

  • memory/2260-12-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize
    52KB

  • memory/2688-35-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize
    384KB

  • memory/2688-42-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize
    384KB

  • memory/2688-43-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize
    52KB

  • memory/2724-29-0x0000000000320000-0x0000000000380000-memory.dmp

    Filesize
    384KB

  • memory/2724-34-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize
    36KB