Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/01/2025, 19:27

General

  • Target
    e5ccebe5cd19b5fa723fa5cbff666b7663ab351f38661b10a60fba4d048e7a71N.exe
  • Size
    75KB
  • MD5
    ce4a9cd91a8a89a3261303216abb3040
  • SHA1
    49fa86116bae10d77a5cfe8d346c923e03f18a7f
  • SHA256
    e5ccebe5cd19b5fa723fa5cbff666b7663ab351f38661b10a60fba4d048e7a71
  • SHA512
    857ba765810678a4d436d69ac8d20b3a6844209e4fb56b47c68a5dba84cd7347ebd3a9a4be3117992bb3f1882ad2a1c3ec64bf39424cfebe8098015d0421e97b
  • SSDEEP
    1536:ex1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3E:eOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPM

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5ccebe5cd19b5fa723fa5cbff666b7663ab351f38661b10a60fba4d048e7a71N.exe
    "C:\Users\Admin\AppData\Local\Temp\e5ccebe5cd19b5fa723fa5cbff666b7663ab351f38661b10a60fba4d048e7a71N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize: 4KB
    MD5: 97d541d43cc32414a4630b4eb4ad36e5
    SHA1: 46d6e6be0219d90d2045ce17de90ece9711ca9e9
    SHA256: b37126ca549b75869944d6d6f9954d46080005adee77f8c21efefa04d097b9a9
    SHA512: e875b4c1536bceec86686076fbb57aaf3fac4db0890790074ba185bb6e21e12fafd1b5aaaac460962cfe1affe3edab2235aefa28d1c0b7da09c42f4ac4a86c91
  • C:\Windows\SysWOW64\grcopy.dll
    Filesize: 75KB
    MD5: ff712c5e912bc069fbf0c5597329d807
    SHA1: 351131684a013b844851128620565d1c84458b94
    SHA256: cf5ff644e99203556410cb2c4a8cf7f2e9b55b955243f092c3f84c8824ce7892
    SHA512: 369f76876b59fbe28c0f1a3eda6191999dd789c6e3dbad0dd9ac77faa28aca153c99b2a81b16b48087682697789abca8228d2c63461b18ee23b1be3128af683e
  • C:\Windows\SysWOW64\satornas.dll
    Filesize: 183B
    MD5: c6321adf920e859e187f2606c1adc4d8
    SHA1: 285c2d638e61a13dec8269f83aa1d9d5744d7329
    SHA256: 3a6a537e8a5918d47452faf3425e6444fbb76544aafb80d77be98409916502a9
    SHA512: 78404b949744ce4fea1df6bf171e278a0902405371e322f5ebe77e2341690b8babd87bcce91ed485734a9c41728d975d22bde62a16797175f81267cdf2204347
  • C:\Windows\SysWOW64\shervans.dll
    Filesize: 8KB
    MD5: e5b815a26dff180b5480180d9d8b5e52
    SHA1: 384d093f8e1347e6be0186a00d3605588c9c6ebe
    SHA256: 3756df8ab7145a299c442420fa5e4c000277c649ac8525800476ad20c3bfc111
    SHA512: fe41f9471813c655f6a36c63dd9ccc933df39d9723229eccd0fa4720959f590e92360ee29a4130c9c7146fa3894c4f950ca735a0e1629b1a653d873b84905e97
  • memory/4068-27-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB
  • memory/4068-20-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB
  • memory/4496-46-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/4496-42-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/4496-56-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/4496-36-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/4496-37-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB
  • memory/4496-38-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/4496-40-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/4496-54-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/4496-44-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/4496-52-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/4496-48-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB
  • memory/4676-11-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB
  • memory/4676-23-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize: 52KB
  • memory/4676-21-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize: 112KB