Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2025, 19:04

General

  • Target

    8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe

  • Size

    2.3MB

  • MD5

    5402a46941608bd1e81274bfda3d0a4e

  • SHA1

    481fa76b077c03a3cb6c7c9487f54cf2d7d27de4

  • SHA256

    8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2

  • SHA512

    5d5cf8fd3b6d151e287fa2205941b44e6a2abd0d1653f1a71e5c28f6173532471cba7e0bcba7b1d47152de602e59d7da02f8c2ed9cd311b5375fe45d60c69185

  • SSDEEP

    49152:88F4GBYEFMfVrt0HdZyZUKIKp9/bIA3e63wDknToN58zkfwHuVfcu5ZJFKsnfKUv:88F4GBY3dR0HHyZ9p9DIAvADkQ8gfwO7

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe
    "C:\Users\Admin\AppData\Local\Temp\8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2060

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\satornas.dll

          Filesize

          183B

          MD5

          5f89c21e45b890066fc03b3639bcbf39

          SHA1

          12fb4c6c94123f47b1f223461fcc375400a7e9b1

          SHA256

          d1ec3804c6f437d123236701623b51f3a64bc2570013e6873107c42bb4d4764d

          SHA512

          8aa7c42c9fdca2177ea67f5a24e34d0ff71e2f35b6819f6157eaf3a51a725ad744a6d7a77c8c5266dddb3fd2bdb288e045d6c815a1cb5756b48787554f1e5ee0

        • C:\Windows\SysWOW64\smnss.exe

          Filesize

          2.3MB

          MD5

          70b0707857bc592887ec546357901521

          SHA1

          e8820ae1b93593d0dee8d2941d8c802735f44e26

          SHA256

          11e843c23985126e7306637520c2d9627c7934764be169e8f465aa7ca446da74

          SHA512

          05bf065a4aeb542af389471f3b44468641236f99cefaeeea00e92283c0018f2057b52a34d7e41b722940d95cc1691ded102e6e8b488ff8cf212b518f627a8b87

        • \Windows\SysWOW64\ctfmen.exe

          Filesize

          4KB

          MD5

          d11a8d5757849fd71e12606f90f57221

          SHA1

          b80059d984a41207c3153288039b81f16c1a8167

          SHA256

          0f20fc7fe2fe90bcb4b8a2e9f3e10b1607b59672eb85a22e024f170e8eedcca9

          SHA512

          435d5d5bfc186b021d6a1f2474290247191501fb13973ca47468235cb6050bf10b203aae73d5a70b54ae96d353203d5464c708d88e72142c6989fbf75d612a9c

        • \Windows\SysWOW64\shervans.dll

          Filesize

          8KB

          MD5

          aebb01942f98ff44b61715c6d2415c63

          SHA1

          7df5e80fa84ae68e2393fd4cf996cc03141af85b

          SHA256

          c6b8e4f7da623a844355469d9fbec024405a720ea58da22cb64dcd252d7aec76

          SHA512

          4db0dd40d0edb86a897fc9be8dcda0c2081db190f8371cf35713021ae13167d37d04754d5850d9194185c8fcf58520da433297368be54335fbb1a3bf32efb5cc

        • memory/2060-45-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/2060-58-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-68-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-38-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-66-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-64-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-62-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-60-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-40-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

          Filesize

          3.8MB

        • memory/2060-56-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-54-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-52-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-47-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-49-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/2060-48-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2060-50-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2508-35-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2676-2-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

          Filesize

          3.8MB

        • memory/2676-0-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2676-25-0x0000000000170000-0x0000000000179000-memory.dmp

          Filesize

          36KB

        • memory/2676-13-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/2676-26-0x0000000000170000-0x0000000000179000-memory.dmp

          Filesize

          36KB

        • memory/2676-36-0x0000000000400000-0x0000000000DC2000-memory.dmp

          Filesize

          9.8MB

        • memory/2676-30-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

          Filesize

          3.8MB

        • memory/2676-28-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB