Overview

overview

8

Static

static

3

f03f4cada1...d7.exe

windows7-x64

8

f03f4cada1...d7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f03f4cada1a92b35f665e7b635df73edd5887ff5dc391dd743bfa7b35b8e1cd7.exe

  • Size

    239KB

  • MD5

    015f1cd5735fcc6228af380957916cb9

  • SHA1

    3fb6b49e01a7fae5cd44b4b5827ae496fcbcc1b8

  • SHA256

    f03f4cada1a92b35f665e7b635df73edd5887ff5dc391dd743bfa7b35b8e1cd7

  • SHA512

    77d2bbe7bc8e94014a1e617b3cfa05d5706d43268a207c4a6c533b212de2b5a3f0588e9345a3f09ef2c3964924ed9af6fb6dd314057469f9989cebacd53bb5c2

  • SSDEEP

    1536:Bq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9bc:Bq5ud9qHFO8Kf3rIIbc

Score
8/10
persistencespywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 19 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f03f4cada1a92b35f665e7b635df73edd5887ff5dc391dd743bfa7b35b8e1cd7.exe
    "C:\Users\Admin\AppData\Local\Temp\f03f4cada1a92b35f665e7b635df73edd5887ff5dc391dd743bfa7b35b8e1cd7.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    Filesize

    4KB

    MD5

    fe52043a03530fe1af1778ff8f4246c9

    SHA1

    bc8b99e67df6b0b0f2e4b270be83245f0aa8af41

    SHA256

    07d4d9f17796104bd4836690b5b8eb0195fef12e4bf72e9bbcb063eeabd0a02c

    SHA512

    3b1ef1e7cbfb860ff704762cc75712f9097e49f108622542d1205e90f60048979574d96a00d79b810f03e8d00b4244893b58a0d9d5798d935bd5e2079402fe73

    Download Submit
  • C:\Windows\SysWOW64\grcopy.dll
    Filesize

    239KB

    MD5

    bb66da4f8a9b05e6f6b0a6a09d843aa4

    SHA1

    f2af09a7a8c9871b6b53cc0be66b73d1765eb24c

    SHA256

    a98af8307a8697b8cdcc6b57434e7425d355fad541bf9ca13b972de37ff71f66

    SHA512

    1106b000c471c94be968e7bebba0073e05876042e4dacc62f9f22408438329c59e0da34b6a999c56c3df465197f8a086e7328bbf3e3a47507c12b3a19619a2a5

    Download Submit
  • C:\Windows\SysWOW64\satornas.dll
    Filesize

    183B

    MD5

    12de4b1b4e3461b93b41fa0662ea29b2

    SHA1

    46bea7c0edaba8a6786cffae5cf64a393d9cbe40

    SHA256

    7af365e90e8cb562a7af349cb893ce5aa06ae9e77ca8d7e418e11d3448d73a32

    SHA512

    06bdf9fe04411d98893d2e85521f74e22c7d6eb28d462519f72f17e936d23e48387f2b892c701006f447965778648605f1c535ba75e2c76bf0e1d5c80ecfb8d8

    Download Submit
  • C:\Windows\SysWOW64\shervans.dll
    Filesize

    8KB

    MD5

    3891b42f4ffa7823a5feb27b4095bea6

    SHA1

    b69ea448901cef63d088d1a9e5a0c032816ab2cf

    SHA256

    56c6d136853e717d633be73f1420e025bf4fbdb3078104296f91c4b8508f6ff6

    SHA512

    8d2fc673fd085c0d3c8ccfffeda98da0e268c6cae350ba9910be2a0ca67a6cbc20e96ad55f2f97e895ec2ed6af1c5b9a56264c8d54c860aecbf76766b3905507

    Download Submit
  • memory/1228-24-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1228-25-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1228-0-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1228-16-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/3716-29-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/4036-30-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4036-38-0x0000000010000000-0x000000001000D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/4036-39-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4036-41-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4036-43-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4036-45-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4036-47-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download