Overview

overview

8

Static

static

3

f03f4cada1...d7.exe

windows7-x64

8

f03f4cada1...d7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f03f4cada1a92b35f665e7b635df73edd5887ff5dc391dd743bfa7b35b8e1cd7.exe

  • Size

    239KB

  • MD5

    015f1cd5735fcc6228af380957916cb9

  • SHA1

    3fb6b49e01a7fae5cd44b4b5827ae496fcbcc1b8

  • SHA256

    f03f4cada1a92b35f665e7b635df73edd5887ff5dc391dd743bfa7b35b8e1cd7

  • SHA512

    77d2bbe7bc8e94014a1e617b3cfa05d5706d43268a207c4a6c533b212de2b5a3f0588e9345a3f09ef2c3964924ed9af6fb6dd314057469f9989cebacd53bb5c2

  • SSDEEP

    1536:Bq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9bc:Bq5ud9qHFO8Kf3rIIbc

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f03f4cada1a92b35f665e7b635df73edd5887ff5dc391dd743bfa7b35b8e1cd7.exe
    "C:\Users\Admin\AppData\Local\Temp\f03f4cada1a92b35f665e7b635df73edd5887ff5dc391dd743bfa7b35b8e1cd7.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    29f374c435fcc27ab39b5e4784fd48e0

    SHA1

    efc56824884be545cd36f9cb6db16751a67514f5

    SHA256

    020dc4ab91b4069f80a7e071cff59780567905028a6592d370ef921bf7f48fe2

    SHA512

    b0bfb39a76965a5864527a02bf0ffa9032385454f9577cda21223c4396698064360b27412a5ade6698dfec77621340c2a8949760484d8d16884c936e2af7259e

    Download Submit
  • \Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    398e55facfff7ee5df54f0a656530382

    SHA1

    3e46cc8210aa1d34fc3f867b27df914cf42de5de

    SHA256

    0916da98e5bb97f2a9bdc17a018cc24cbf1a9e63c14c9ed35554d71a4f058bfe

    SHA512

    2854fd5f3404e58fe8878bb3bf07004f2f64aeeb5b82a4baee21744878cb89a3898a44b5d33cee88fb0fb078ec7b76055c478729cd0cc83eb0cc8ff4a5d4b755

    Download Submit
  • \Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    8886f5ac14b2acee8b9adae8cee98f7a

    SHA1

    70ed6abea2b86103f8df9e8317d20bbcd6ebcb9d

    SHA256

    4425d10c19559c363e5596ea56f0ce6cd89f9b50ea468f87c7cfcecc01bbab04

    SHA512

    d1fc2dbc2a0a57caf17b07bec83a151626137246dfa38088c68519176df8a575159e5e5564a82ab3bad23474f74404c3a0aaff1b4a1b0fcd8094209aabfda08d

    Download Submit
  • \Windows\SysWOW64\smnss.exe
    Filesize

    239KB

    MD5

    b75c5346a6614bfd4a0af27b7f62f46f

    SHA1

    d53fa7d0ac97d1440f63c4c88f1eca0009460b1b

    SHA256

    fa5fdc005df9e38b5c558b4ffa3b82d457ee5171aa6592afa9165885bcd7633b

    SHA512

    f8865c491680ed3959bff95bb2a6272f1841c492ed4e8d43b936b55be69b650ea9b95aca71b38f9df6075ede430d35d7a3b94b7bfb89913d26fdac59ae56530f

    Download Submit
  • memory/2580-28-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2580-16-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2580-0-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2580-27-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2580-18-0x00000000003C0000-0x00000000003C9000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2688-45-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2688-59-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2688-42-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2688-43-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2688-69-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2688-47-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2688-49-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2688-51-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2688-53-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2688-57-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2688-35-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2688-63-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2688-65-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/3052-29-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download