Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/01/2025, 19:06

General

  • Target

    0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe

  • Size

    75KB

  • MD5

    d74358b02cccfb755bbd86c3a66cfc10

  • SHA1

    1c250f0d50f0eb95728788bfcde0a8d5a304321c

  • SHA256

    0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351c

  • SHA512

    f30a89909b85ec6335b8df47526708622d36626adba92042b1707cc729381346b0985e9ce4ed3ae5446841ced642dd41ecd8343943ad19bc7c7ee6d5e071f367

  • SSDEEP

    1536:4x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3c:wOjWuyt0ZsqsXOKofHfHTXQLzgvnzHP0

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe
    "C:\Users\Admin\AppData\Local\Temp\0d64893ccdfe8cc6f28caf28237b4cb846aa41ae07bd65330c4a1d7f8762351cN.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3920

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\ctfmen.exe

          Filesize

          4KB

          MD5

          8a63e3dc9151675336f2e588f0d16ec7

          SHA1

          3034019cdc969f2af6cd671c9edba25a857feefd

          SHA256

          1501b3ba44e80b39acdda05859af691579ce6484074655b1a2af785983815663

          SHA512

          208d980b6e7ced91b01cb69bc076a418f14ffc57528b73c33e891a08b79d5d77f784c9de7497edd7f9088ffa861aa02059496b16ff8210f3d433b91277cc03c2

        • C:\Windows\SysWOW64\grcopy.dll

          Filesize

          75KB

          MD5

          8a7ca882c696df58b3ec1ea5d7aaa888

          SHA1

          68bd54068060ee1c282a100ac1af18836f106fa2

          SHA256

          8eaae038ad04752344c0722c15f76ab4405591e2736fa4adf9cd288ef403d91c

          SHA512

          113afe5744f20209009c709bed80cb4098596389d14bf3b40033a9fcd833b2d893777a1ac09cd11ba50df02c4c215dbfc8d31427ff7ad5bcb32e2a15af8ee358

        • C:\Windows\SysWOW64\satornas.dll

          Filesize

          183B

          MD5

          a4aaa79fc51c1d7091c639932358f311

          SHA1

          6255910ec19ea54f3d63331d90fa9cb1a567e7ab

          SHA256

          f7e02554e60bcb675108cd81e2b122f3026027bc2e9431d021db6678d949ac5f

          SHA512

          6a678f5fc5c375e4176d9dbfbe2538a70fd583e6b4a6a22c7f770e4f1de487d1959e50a9292725bb551a09ec48440b9d7a6cbb4cded836da54d48280fb4b08f9

        • C:\Windows\SysWOW64\shervans.dll

          Filesize

          8KB

          MD5

          99a04468c9cff2101d9cbefbec2463b4

          SHA1

          2f18c0ea86c2a6cc18424d53ffdd0951c54b9721

          SHA256

          94dfcfba828001ae13983c89e8f7d32ec08026bf8e6a67e231e16ee06955cf7a

          SHA512

          d24bc4abcbaef2fffde6afaa7ec76ef8b1ba77a24122007c4424fefe61d588bf1ce3c381e65bcc04309adbe4ac1ba5b95ff0546cd85eae9a3d16c46a3777ee6d

        • memory/3236-12-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/3236-23-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/3236-21-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/3856-20-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/3856-29-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/3920-38-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/3920-37-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/3920-35-0x0000000010000000-0x000000001000D000-memory.dmp

          Filesize

          52KB

        • memory/3920-39-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/3920-41-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/3920-43-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/3920-45-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/3920-47-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/3920-51-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB

        • memory/3920-55-0x0000000000400000-0x000000000041C000-memory.dmp

          Filesize

          112KB