Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/01/2025, 19:20

General

  • Target

    485de7cbcbbc96423abd1fa19395c34135b0e8f5543c81232bcb22aa489f9094N.exe

  • Size

    352KB

  • MD5

    3416587688008dcd1e13fd3c048c3720

  • SHA1

    8ec11179a9c92f7ca4b51edda09f43e600516ae8

  • SHA256

    485de7cbcbbc96423abd1fa19395c34135b0e8f5543c81232bcb22aa489f9094

  • SHA512

    b2314e06412d520003c39d061a63ee103b01e48212ff33531f22000dbca84e942a17a14b9f411336b0f3fce5a6f8adb3b7a744cb4a4f1e91545376907c015db1

  • SSDEEP

    6144:BIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8C:4KofHfHTXQLzgvnzHPowYbvrjD/L7QPq

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\485de7cbcbbc96423abd1fa19395c34135b0e8f5543c81232bcb22aa489f9094N.exe
    "C:\Users\Admin\AppData\Local\Temp\485de7cbcbbc96423abd1fa19395c34135b0e8f5543c81232bcb22aa489f9094N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4876

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\SysWOW64\ctfmen.exe

          Filesize

          4KB

          MD5

          3ea84716b7b4ace98f880abcdb6a224c

          SHA1

          612b2953eb15c291df737e42ae1b5797695e78d5

          SHA256

          c690562f4d95c616616f39fe696c75371cac8ca755d837c9d75421428e6be572

          SHA512

          17279e8771fc6d87e5372403fb3774b3c8a8a302f65a7e274aa9100f29e8fc7cb7faf87dcb9805ddf7811719969a9473b1fcfdbe8c397e2fde306adad080a882

        • C:\Windows\SysWOW64\grcopy.dll

          Filesize

          352KB

          MD5

          09b2043a1fb47a95b0b7f426f493ba12

          SHA1

          97168893d195196dbd7736d9d30ff51c859db204

          SHA256

          18b1ca64840cf1d2b2a9f7d2066467287ffb27ac4b0e706dc3190199ad5ece21

          SHA512

          5e92f4c988bebaa5ad2f1d6b46ce791a065c2c7940008eda9ee919a41325e92f1b2394e68ad63493e1dc198993eaac02621a225e0dba3177723a6de934dac62c

        • C:\Windows\SysWOW64\satornas.dll

          Filesize

          183B

          MD5

          d126a42774138b4ea15a7e37e576fe5d

          SHA1

          a81f7322d1b4db4bf3cca541fa71627c4adcf7a6

          SHA256

          c99cb6d6ef76c9f478772f92d93e2971cd77cd776f0babe36fa4630d05b0f14e

          SHA512

          16c97db365b9a98d0eabb1b2f146b3506b8de594b672ac4343a608c182bc4a77a41713ac1917dd260da8e0389898ba8747843241c2f0b3cde4b86022f37dfd04

        • C:\Windows\SysWOW64\shervans.dll

          Filesize

          8KB

          MD5

          c82db382e45f29e2152eef3bdf45316a

          SHA1

          1c3616e2be071472bd79aa510c2c91dad3d47d22

          SHA256

          438c0c6de183969a7857958de0498961e28dcdde67f6e105612a1ab9cf3f9af5

          SHA512

          8e42048352511120c20d0d71384d2f4aedcf091a44364af3ac10f95322a7782037d0a9df0babbc61f9946bcb7d3325b0130248dfe386c5b13c559388d13a6e4b

        • memory/3668-22-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/3668-12-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/3668-24-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/3668-0-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/4844-25-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/4876-36-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/4876-31-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/4876-38-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/4876-39-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB