Edit tour

Windows Analysis Report
ctfmon.exe

Overview

General Information

Sample Name:	ctfmon.exe
Analysis ID:	1327898
MD5:	74dbd545cf6dc5d006325cc3e4658a12
SHA1:	9e6b92ed3d29a46611234836d4d493f226ce5fa7
SHA256:	316c85917832c66ac0071f73a880d5e40099a16e419f7813fbe39ee0a851d1c7
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Drops PE files to the startup folder

Opens the same file many times (likely Sandbox evasion)

Spreads via windows shares (copies files to share folders)

Creates autorun.inf (USB autostart)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

May infect USB drives

Creates a start menu entry (Start Menu\Programs\Startup)

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

ctfmon.exe (PID: 7032 cmdline: C:\Users\user\Desktop\ctfmon.exe MD5: 74DBD545CF6DC5D006325CC3E4658A12)

ctfmon.exe (PID: 4504 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe" MD5: 74DBD545CF6DC5D006325CC3E4658A12)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ctfmon.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: ctfmon.exe	ReversingLabs: Detection: 92%
Source: ctfmon.exe	Virustotal: Detection: 91%			Perma Link

Antivirus detection for dropped file

Source: C:\Recycled\Recycled\ctfmon.exe	Avira: detection malicious, Label: TR/VB.AQT
Source: C:\Recycled\Recycled\ctfmon.exe	Avira: detection malicious, Label: TR/VB.AQT

Multi AV Scanner detection for dropped file

Source: C:\Recycled\Recycled\ctfmon.exe	ReversingLabs: Detection: 92%
Source: C:\Recycled\Recycled\ctfmon.exe	Virustotal: Detection: 91%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	Virustotal: Detection: 91%	Perma Link

Source: ctfmon.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Spreading

Spreads via windows shares (copies files to share folders)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe

File created: z:\Recycled

Jump to behavior

Creates autorun.inf (USB autostart)

Source: C:\Users\user\Desktop\ctfmon.exe

File created: C:\autorun.inf

Jump to behavior

Source: ctfmon.exe	Binary or memory string: \autorun.inf
Source: ctfmon.exe	Binary or memory string: [autorun]
Source: ctfmon.exe, 00000000.00000003.1629810119.0000000000752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \autorun.inf
Source: ctfmon.exe, 00000000.00000003.1629810119.0000000000752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]Rshellexecute=Recycled\Recycled\ctfmon.exefshell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
Source: ctfmon.exe, 00000000.00000003.1630412532.0000000000720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\autorun.inf
Source: ctfmon.exe, 00000000.00000003.1630412532.0000000000720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\autorun.inf<
Source: ctfmon.exe, 00000000.00000003.1630412532.0000000000720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\autorun.inf
Source: ctfmon.exe, 00000000.00000002.1630993858.00000000006F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\autorun.inf
Source: ctfmon.exe, 00000000.00000000.1625980816.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: \autorun.inf
Source: ctfmon.exe, 00000000.00000000.1625980816.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]Rshellexecute=Recycled\Recycled\ctfmon.exefshell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
Source: ctfmon.exe, 00000000.00000002.1630838672.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: \autorun.inf
Source: ctfmon.exe, 00000000.00000002.1630838672.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]Rshellexecute=Recycled\Recycled\ctfmon.exefshell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
Source: ctfmon.exe, 00000000.00000002.1630993858.0000000000720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\autorun.inf
Source: ctfmon.exe, 00000000.00000002.1630993858.0000000000720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\autorun.inf<
Source: ctfmon.exe, 00000000.00000002.1630993858.0000000000720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\autorun.inf
Source: ctfmon.exe, 00000000.00000003.1630412532.00000000006F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\autorun.inf
Source: ctfmon.exe, 00000000.00000002.1630993858.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: y:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: i:\autorun.infX9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q:\autorun.inf_9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o:\autorun.infR9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j:\autorun.infQ9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: g:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: g:\autorun.infK9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z:\autorun.infN9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: w:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: w:\autorun.infM9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v:\autorun.inf@9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k:\autorun.infG9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n:\autorun.infz9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: y:\autorun.inf\|9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x:\autorun.infu9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q:\autorun.infh9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e:\autorun.infb9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v:\autorun.infa9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e:\autorun.infd9
Source: ctfmon.exe, 00000001.00000002.2889786409.0000000000564000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889711800.0000000000401000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: \autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889711800.0000000000401000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: [autorun]Rshellexecute=Recycled\Recycled\ctfmon.exefshell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
Source: ctfmon.exe, 00000001.00000002.2889786409.000000000054E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.000000000054E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v:\autorun.infe
Source: ctfmon.exe, 00000001.00000002.2889786409.000000000054E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.000000000054E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: u:\autorun.inf
Source: ctfmon.exe, 00000001.00000002.2889786409.000000000054E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j:\autorun.inf
Source: ctfmon.exe, 00000001.00000000.1731903664.0000000000401000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: \autorun.inf
Source: ctfmon.exe, 00000001.00000000.1731903664.0000000000401000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: [autorun]Rshellexecute=Recycled\Recycled\ctfmon.exefshell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
Source: ctfmon.exe	Binary or memory string: \autorun.inf
Source: ctfmon.exe	Binary or memory string: [autorun]Rshellexecute=Recycled\Recycled\ctfmon.exefshell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
Source: ctfmon.exe.0.dr	Binary or memory string: \autorun.inf
Source: ctfmon.exe.0.dr	Binary or memory string: [autorun]Rshellexecute=Recycled\Recycled\ctfmon.exefshell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
Source: ctfmon.exe0.0.dr	Binary or memory string: \autorun.inf
Source: ctfmon.exe0.0.dr	Binary or memory string: [autorun]Rshellexecute=Recycled\Recycled\ctfmon.exefshell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
Source: autorun.inf.0.dr	Binary or memory string: [autorun]

Source: ctfmon.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ctfmon.exe, 00000000.00000003.1630412532.0000000000720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs ctfmon.exe
Source: ctfmon.exe, 00000000.00000002.1630993858.0000000000720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs ctfmon.exe

Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: vb6chs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: vb6chs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	Section loaded: vb6chs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	Section loaded: vb6chs.dll	Jump to behavior

Source: ctfmon.exe	ReversingLabs: Detection: 92%
Source: ctfmon.exe	Virustotal: Detection: 91%

Source: C:\Users\user\Desktop\ctfmon.exe

File read: C:\Users\user\Desktop\ctfmon.exe

Jump to behavior

Source: ctfmon.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ctfmon.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ctfmon.exe C:\Users\user\Desktop\ctfmon.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe"

Source: C:\Users\user\Desktop\ctfmon.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe

Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe

File created: C:\Users\user\AppData\Local\Temp\~DFEB1B06898EC6A682.TMP

Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe

File written: C:\Recycled\desktop.ini

Jump to behavior

Source: classification engine

Classification label: mal88.spre.adwa.evad.winEXE@2/7@0/0

Source: C:\Users\user\Desktop\ctfmon.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe

Code function: 0_2_004019C3 push 0040108Eh; ret

0_2_004019DB

Source: C:\Users\user\Desktop\ctfmon.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ctfmon.exe	File created: C:\Recycled\Recycled\ctfmon.exe			Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\ctfmon.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe

Jump to dropped file

Source: C:\Users\user\Desktop\ctfmon.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe

Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe

Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe

File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe count: 54644

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
11 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	1 Taint Shared Content	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	12 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	11 Replication Through Removable Media	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	1 Process Injection	Security Account Manager	1 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ctfmon.exe	92%	ReversingLabs	Win32.Worm.Fakerecy
ctfmon.exe	92%	Virustotal		Browse
ctfmon.exe	100%	Avira	TR/VB.AQT

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Recycled\Recycled\ctfmon.exe	100%	Avira	TR/VB.AQT
C:\Recycled\Recycled\ctfmon.exe	100%	Avira	TR/VB.AQT
C:\Recycled\Recycled\ctfmon.exe	92%	ReversingLabs	Win32.Worm.Fakerecy
C:\Recycled\Recycled\ctfmon.exe	92%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	92%	ReversingLabs	Win32.Worm.Fakerecy
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe	92%	Virustotal		Browse

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1327898
Start date and time:	2023-10-18 11:12:18 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	ctfmon.exe
Detection:	MAL
Classification:	mal88.spre.adwa.evad.winEXE@2/7@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:13:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe
11:13:56	API Interceptor	2264x Sleep call for process: ctfmon.exe modified

Process:	C:\Users\user\Desktop\ctfmon.exe
File Type:	data
Category:	dropped
Size (bytes):	22
Entropy (8bit):	1.300937604943853
Encrypted:	false
SSDEEP:	3:AXjF0c:AXmc
MD5:	5101F3AC57F684F2AE0868645A9AFB6A
SHA1:	130880F959600D9F06CF2DB0FDD5B6BE52AE0D0D
SHA-256:	420DC76D37A1AB821E587D703AC5E629281149E78744288F9D43A8FEB885A236
SHA-512:	4AE0831D8FD705ED15ED88EE217D604CF1BBEE2E52E72FE42C8AC7B04EF9D7196BC020F339C1E3E727EDA25A0B907987245A6F726331B2D59E04128ADA060D20
Malicious:	false
Reputation:	low
Preview:	. . . ..

C:\Recycled\Recycled\ctfmon.exe

Download File

Process:	C:\Users\user\Desktop\ctfmon.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.1035750624804614
Encrypted:	false
SSDEEP:	384:U3kXacLySXFNFENfGzB5AJiQiFeiKi6iPYWZNWP:U3qacuCFY6BHVpTjK
MD5:	74DBD545CF6DC5D006325CC3E4658A12
SHA1:	9E6B92ED3D29A46611234836D4D493F226CE5FA7
SHA-256:	316C85917832C66AC0071F73A880D5E40099A16E419F7813FBE39EE0A851D1C7
SHA-512:	0BD76967B087FE669D1CE0F63FFDFB67F99F1A7EF0937365A146CF11702F119F4FA97764D94D13795090757B5B6217EEE78BB45DBBF392A1EC4B3F30C1C12F22
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 92%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............i...i...i...d...i.Rich..i.................PE..L.....D.................0... ...............@....@.............3.4..........`.......<.......................................5..(....P...................................................................... ... .......@............................text....&.......0.................. ..`.data...l....@......................@....rsrc........P.......@..............@..@.\|.9............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recycled\desktop.ini

Download File

Process:	C:\Users\user\Desktop\ctfmon.exe
File Type:	Windows desktop.ini
Category:	dropped
Size (bytes):	65
Entropy (8bit):	4.767769735772537
Encrypted:	false
SSDEEP:	3:0NdQDjoqxyRVIQBU+1IVLfAn:0NwoSyzI2U8MAn
MD5:	AD0B0B4416F06AF436328A3C12DC491B
SHA1:	743C7AD130780DE78CCBF75AA6F84298720AD3FA
SHA-256:	23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416
SHA-512:	884CD0CAE3B31A594F387DAE94FC1E0AACB4FD833F8A3368BDEC7DE0F9F3DC44337C7318895D9549AAD579F95DE71FF45E1618E75065A04C7894AD1D0D0EAC56
Malicious:	false
Reputation:	low
Preview:	[.ShellClassInfo]..CLSID={645FF040-5081-101B-9F08-00AA002F954E}..

C:\Users\user\AppData\Local\Temp\~DFA7F884124A3BC448.TMP

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.4704471791892961
Encrypted:	false
SSDEEP:	6:rl912N0xs+CFQXCB9Xh9Xh9XCzE/V0XAXtwuNfIinb3kuw/luC:rl3lKFQCb77Cw/V0XitRNginbZw/0C
MD5:	7332491BFFFCC0FB4E283FB4A2AE4E30
SHA1:	8663AE3772138EE3A96C041A64756652EB9EC23D
SHA-256:	EC3B8EE6D12FB07EC3121B6E0349D6F99DE484FF226F9AFDD0C1B69766173B40
SHA-512:	367B164103DA276943A2C8D6F0664C5F66F7ABF61FDF07FC8314A4CA86F91C378C190F9A2ABD466BD1638DAD06AAE4ECE26E9058E6A6B79C8F49C4F5243E9694
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFEB1B06898EC6A682.TMP

Download File

Process:	C:\Users\user\Desktop\ctfmon.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	1.6281888399272118
Encrypted:	false
SSDEEP:	12:rl3baFQwlzPltD7ONw/V0XitRNginbZw/0C:rYywVxtbZw/0
MD5:	4E7FA117216D5627448F54F5832DFB28
SHA1:	2499262320F47EC3F416E5A746E0B3321DF2BD57
SHA-256:	0E277B1588440F317C19212AF642CA683EC2C72E9208944BC61088F783DD5526
SHA-512:	86E164E42BAB8E59D1E77FAE149707D9746B18BA063FA5E9CD241B8D7B251B94F0183A3C6538F4531D835681C5F060D5E62922DDA0FA0CDE76567AD0D7B8F042
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe

Download File

Process:	C:\Users\user\Desktop\ctfmon.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.1035750624804614
Encrypted:	false
SSDEEP:	384:U3kXacLySXFNFENfGzB5AJiQiFeiKi6iPYWZNWP:U3qacuCFY6BHVpTjK
MD5:	74DBD545CF6DC5D006325CC3E4658A12
SHA1:	9E6B92ED3D29A46611234836D4D493F226CE5FA7
SHA-256:	316C85917832C66AC0071F73A880D5E40099A16E419F7813FBE39EE0A851D1C7
SHA-512:	0BD76967B087FE669D1CE0F63FFDFB67F99F1A7EF0937365A146CF11702F119F4FA97764D94D13795090757B5B6217EEE78BB45DBBF392A1EC4B3F30C1C12F22
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 92%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............i...i...i...d...i.Rich..i.................PE..L.....D.................0... ...............@....@.............3.4..........`.......<.......................................5..(....P...................................................................... ... .......@............................text....&.......0.................. ..`.data...l....@......................@....rsrc........P.......@..............@..@.\|.9............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\autorun.inf

Download File

Process:	C:\Users\user\Desktop\ctfmon.exe
File Type:	Microsoft Windows Autorun file
Category:	dropped
Size (bytes):	123
Entropy (8bit):	4.472303868336424
Encrypted:	false
SSDEEP:	3:It1WN0rcpSek8H0+jwRJdkuwGcGuSek8H0+QVA5rvn:e1WCcpw8dedkuzew8B7n
MD5:	2AB0B179E8C92B24E7EE505ADCB041A0
SHA1:	B774E195AD10A54E690B2B68FDEC9F94E94DCBB5
SHA-256:	78A4DFC262701204649583CA40396698130B2696EBDED0D05FA4C9326B65F487
SHA-512:	343448D1A9D406ABD6728A81EDE61EFAA414001335918522875647E6E1FC79AD5AC1C1BEB85A3DDAE895FBF560439C0B68F96AE21D4F0EEF98B55524F306D48B
Malicious:	true
Reputation:	low
Preview:	[autorun]..shellexecute=Recycled\Recycled\ctfmon.exe..shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe..shell=Open(&0)..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.1035750624804614
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ctfmon.exe
File size:	20'480 bytes
MD5:	74dbd545cf6dc5d006325cc3e4658a12
SHA1:	9e6b92ed3d29a46611234836d4d493f226ce5fa7
SHA256:	316c85917832c66ac0071f73a880d5e40099a16e419f7813fbe39ee0a851d1c7
SHA512:	0bd76967b087fe669d1ce0f63ffdfb67f99f1a7ef0937365a146cf11702f119f4fa97764d94d13795090757b5b6217eee78bb45dbbf392a1ec4b3f30c1c12f22
SSDEEP:	384:U3kXacLySXFNFENfGzB5AJiQiFeiKi6iPYWZNWP:U3qacuCFY6BHVpTjK
TLSH:	68927202E7F8A650E7E6473038BF92645C237D5C6E528E4FE298231F1C34D529E79B62
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...d...i.Rich..i.................PE..L......D.................0... ...............@....@.............3.4........

File Icon


Icon Hash:	32fa7c1ea733b194

Static PE Info

General

Entrypoint:	0x40109c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x44A0CEEC [Tue Jun 27 06:23:40 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	45aa8eda173f07ac03fdbab992cddcaf

Entrypoint Preview

Instruction
push 004013BCh
call 00007F9629206B73h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sbb ch, byte ptr [eax-454BA54Eh]
lodsb
dec ecx
add byte ptr [ecx+7A755CC5h], FFFFFFC9h
lodsb
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
mov ecx, 31CCB3A4h
mov ecx, 31CCB3A4h
add byte ptr [ebp+72h], ah
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add dh, byte ptr [ebx+esi]
scasd
sbb eax, dword ptr [edi]
scasd
dec esp
inc edx
test al, 32h
xchg byte ptr [ecx], bl
push es
int F9h
scasb
cli
mov ecx, edi
pop ss
imul eax, dword ptr [ebp+edi*8+48h], 6C2B979Eh
rcl byte ptr [ebx-2Dh], 1
xchg eax, ebp
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
iretd
add dword ptr [eax], eax
add byte ptr [ecx+eax+05000000h], al
add byte ptr [esi+6Fh], al
jc 00007F9629206BEFh
xor dword ptr [eax], eax
or eax, 46000501h
outsd
jc 00007F9629206BEFh
xor dword ptr [eax], eax
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al
and eax, dword ptr [esi+01h]
add byte ptr [eax], al
insb

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x35e4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5000	0x5dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x220	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x40	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x26dc	0x3000	False	0.3048502604166667	data	4.133897638693223	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4000	0xa6c	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5000	0x5dc	0x1000	False	0.158203125	data	1.630988472354307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x54b4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.49324324324324326
RT_GROUP_ICON	0x54a0	0x14	data			1.25
RT_VERSION	0x50f0	0x3b0	data	Chinese	China	0.4311440677966102

Imports

DLL	Import
MSVBVM60.DLL	MethCallEngine, EVENT_SINK_AddRef, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

• ctfmon.exe
• ctfmon.exe

Click to jump to process

Memory Usage

• ctfmon.exe
• ctfmon.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	11:13:04
Start date:	18/10/2023
Path:	C:\Users\user\Desktop\ctfmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ctfmon.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	74DBD545CF6DC5D006325CC3E4658A12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:13:14
Start date:	18/10/2023
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe"
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	74DBD545CF6DC5D006325CC3E4658A12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Visual Basic
Antivirus matches:	Detection: 92%, ReversingLabs Detection: 92%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040109C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&vb6chs.dll), ref: 004010A1

Strings

VB5!6&vb6chs.dll, xrefs: 0040109C

Memory Dump Source

Source File: 00000000.00000002.1630838672.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1630825465.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630853599.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1630866137.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: #100
String ID: VB5!6&vb6chs.dll
API String ID: 1341478452-1765456798
Opcode ID: ae9591af157d9bc014ddc9d7bc5ec6e7008e70ea7fed4a7e9e80bdbbcfe6513e
Instruction ID: 4d2245f90658a928c5477931331285bfeb86eae602f7460a3c8bb75d8c04aebc
Opcode Fuzzy Hash: ae9591af157d9bc014ddc9d7bc5ec6e7008e70ea7fed4a7e9e80bdbbcfe6513e
Instruction Fuzzy Hash: 5B11202118E7D20FC3039BB888766897FB09E8325476A41EBC9C1CF0E3C5194D0AC762

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ctfmon.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Recycled\INFO2

C:\Recycled\Recycled\ctfmon.exe

C:\Recycled\desktop.ini

C:\Users\user\AppData\Local\Temp\~DFA7F884124A3BC448.TMP

C:\Users\user\AppData\Local\Temp\~DFEB1B06898EC6A682.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe

C:\autorun.inf

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: ctfmon.exePID: 7032, Parent PID: 2580

General

Windows Analysis Report
ctfmon.exe