Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2025, 19:06

General

  • Target

    0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe

  • Size

    75KB

  • MD5

    d74358b02cccfb755bbd86c3a66cfc10

  • SHA1

    1c250f0d50f0eb95728788bfcde0a8d5a304321c

  • SHA256

    0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351c

  • SHA512

    f30a89909b85ec6335b8df47526708622d36626adba92042b1707cc729381346b0985e9ce4ed3ae5446841ced642dd41ecd8343943ad19bc7c7ee6d5e071f367

  • SSDEEP

    1536:4x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3c:wOjWuyt0ZsqsXOKofHfHTXQLzgvnzHP0

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe
    "C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2840

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\SysWOW64\ctfmen.exe

          Filesize

          4KB

          MD5

          8653ab2c76d1bfd57049b9118cf50245

          SHA1

          e16ae0a850f7c596c1b3b5280921bf8faab378ef

          SHA256

          9ba884f945a8112e99e1479d5c0609413a4476adcd73ba8f6dbb4cc60e104b7f

          SHA512

          ceb37123453f10b5362f028a166eb5603ec997986c2c7865fa9e7032516884b33328c9dfc18bdd0f3b4e0cb8a7fa3104ec5fffec78e182cff34e6d863aabc52a

        • C:\Windows\SysWOW64\satornas.dll

          Filesize

          183B

          MD5

          dd7f21d4ddf24528c66aee3430a962cd

          SHA1

          2fc0efd9c619507efb36f5e9ad8b006331515937

          SHA256

          e44be9997747c5230378b1f8a563114735bf65e2c8e8fecf4acf461025d89f8f

          SHA512

          2ba29ef8295ff1079c50085faaf73e82fc03571f85e64e1e1009df85bc4449160019ade4b1258f8949fbf241f83cdf9da034bf20b0185ab894f227c5fd7b12b5

        • \Windows\SysWOW64\shervans.dll

          Filesize

          8KB

          MD5

          4c304daf094f35d0bb5505eb5282508f

          SHA1

          1166fadb66d0b2d1c87ead24b239b4f49dd3894d

          SHA256

          991525039abc4e1ea19f969c01bada7489a4b124fd9d58ba095d39da1a42a053

          SHA512

          8839e72cf5b71ad9b0f1e9da3dfb622f8fc7b299fe7a692f060f5fa98cf35a0601dc3cfbf2d05d1ddb2cd7a1cd50c930486560bd086ff60f8346d73e8f0b1aa6

        • \Windows\SysWOW64\smnss.exe

          Filesize

          75KB

          MD5

          b1f67031ae79fccf01c8563c9550a4c2

          SHA1

          1dc591876655a9473ec01fd52a0733292eaf8b6c

          SHA256

          ac98cae277b999458837df40b0b08d71f0e29afc8f32025ef6e27a5e641434bd

          SHA512

          d669d6a05b39218b2f0c732cd17603e000d072458c68a30ac0b979e41e81168f145d8fbb027eeafbd63df1df5520b8ce5af63dcb65e5fc345ef60b289a2e4bf7

        • memory/1740-11-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/1740-22-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/1740-25-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/2780-26-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2780-32-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2840-40-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/2840-38-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/2840-41-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/2840-42-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/2840-44-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/2840-46-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/2840-48-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/2840-50-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/2840-54-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/2840-56-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/2840-58-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/2840-60-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB