Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 05-05-2021 08:03
Static task: static1
Behavioral task: behavioral1
  Sample: b4d22b58_by_Libranalysis.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: b4d22b58_by_Libranalysis.exe
  Resource: win10v20210410
General
- Target: b4d22b58_by_Libranalysis.exe
- Size: 118KB
- MD5: b4d22b58cd80b7ffc930a76ca9f9fa71
- SHA1: 3931f09d3d36e714eade19bab13a2ac5c5db1a6c
- SHA256: 804acd2d212ff0dbdc4670b07862c19f275fc746b19d431bf6b31f78d7a63ec6
- SHA512: fa990e0799500dfef650648d06f7226a5c697b71c587ff32dbabe957a3e0425bd4f3d2f05990af787d3f2b223aa3097a88c2d018d79eadf4776f1742706e9b5e
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software (3 IoCs)
Detects file using ACProtect software.
Processes:
resource | yara_rule
\Windows\SysWOW64\shervans.dll | acprotect
C:\Windows\SysWOW64\shervans.dll | acprotect
\Windows\SysWOW64\shervans.dll | acprotect
-
Executes dropped EXE (2 IoCs)
Processes:
pid | process
1424 | ctfmen.exe
828 | smnss.exe
-
Loads dropped DLL (9 IoCs)
Processes:
pid | process
1100 | b4d22b58_by_Libranalysis.exe
1100 | b4d22b58_by_Libranalysis.exe
1100 | b4d22b58_by_Libranalysis.exe
1424 | ctfmen.exe
1424 | ctfmen.exe
828 | smnss.exe
548 | WerFault.exe
548 | WerFault.exe
548 | WerFault.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | b4d22b58_by_Libranalysis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
-
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | b4d22b58_by_Libranalysis.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | b4d22b58_by_Libranalysis.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | b4d22b58_by_Libranalysis.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
-
Drops file in System32 directory (12 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | b4d22b58_by_Libranalysis.exe
File created | C:\Windows\SysWOW64\smnss.exe | b4d22b58_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | b4d22b58_by_Libranalysis.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | b4d22b58_by_Libranalysis.exe
File created | C:\Windows\SysWOW64\shervans.dll | b4d22b58_by_Libranalysis.exe
File created | C:\Windows\SysWOW64\grcopy.dll | b4d22b58_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | b4d22b58_by_Libranalysis.exe
File created | C:\Windows\SysWOW64\satornas.dll | b4d22b58_by_Libranalysis.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | b4d22b58_by_Libranalysis.exe
-
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml | smnss.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\History.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | smnss.exe
-
Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
548 | 828 | WerFault.exe | smnss.exe
-
Modifies registry class (6 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | b4d22b58_by_Libranalysis.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | b4d22b58_by_Libranalysis.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | b4d22b58_by_Libranalysis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | b4d22b58_by_Libranalysis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | b4d22b58_by_Libranalysis.exe
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
548 | WerFault.exe
548 | WerFault.exe
548 | WerFault.exe
548 | WerFault.exe
548 | WerFault.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
548 | WerFault.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 828 | smnss.exe
Token: SeDebugPrivilege | 548 | WerFault.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1100 wrote to memory of 1424 | 1100 | b4d22b58_by_Libranalysis.exe | ctfmen.exe
PID 1100 wrote to memory of 1424 | 1100 | b4d22b58_by_Libranalysis.exe | ctfmen.exe
PID 1100 wrote to memory of 1424 | 1100 | b4d22b58_by_Libranalysis.exe | ctfmen.exe
PID 1100 wrote to memory of 1424 | 1100 | b4d22b58_by_Libranalysis.exe | ctfmen.exe
PID 1424 wrote to memory of 828 | 1424 | ctfmen.exe | smnss.exe
PID 1424 wrote to memory of 828 | 1424 | ctfmen.exe | smnss.exe
PID 1424 wrote to memory of 828 | 1424 | ctfmen.exe | smnss.exe
PID 1424 wrote to memory of 828 | 1424 | ctfmen.exe | smnss.exe
PID 828 wrote to memory of 548 | 828 | smnss.exe | WerFault.exe
PID 828 wrote to memory of 548 | 828 | smnss.exe | WerFault.exe
PID 828 wrote to memory of 548 | 828 | smnss.exe | WerFault.exe
PID 828 wrote to memory of 548 | 828 | smnss.exe | WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4d22b58_by_Libranalysis.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\b4d22b58_by_Libranalysis.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\ctfmen.exe (depth 2)
  command line: ctfmen.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\smnss.exe (depth 3)
    command line: C:\Windows\system32\smnss.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\WerFault.exe (depth 4)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 808
        - Loads dropped DLL
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\ctfmen.exe
MD5 c9ad591f0b0c0f9ed53cee7ccf0d8488
SHA1 23516aa278f7f3cb738d5175ab6cb15afaf4bed2
SHA256 b8f68b40dde3f4db2c751545536137310a5d8132e8369c9180ffa7309257c4a5
SHA512 7e215cf343decbe668fa96cceecf7ce8e710a237486e054b2b2a939c1ef4193d5eebcd119387e40dbe79a1aa3b98ef93331ba90107b6ed3cbb65cde87ecac442
-
C:\Windows\SysWOW64\grcopy.dll
MD5 c58d385103bdcfcdbac8542edaa678b4
SHA1 4fd8fead52d94a5eb6c97ac88da7a9ad5d50603a
SHA256 3acbbffc4df2446b5c27ffabe1d2a15c8b74c88e9f7f4cdccc72bf137e4864f4
SHA512 222e25b41237a5a7804f8859cdf9e72b8ee06fa490861e9e82c613eaeb73d34be964ca3f5d18d4744c5b30fca30070857c2e48470c9474bc8947c235d5e7def9
-
C:\Windows\SysWOW64\satornas.dll
MD5 b26a78df2025cd9fb3ab24e9db7c4b46
SHA1 11965c84377cc4903602ca9f3ad5bdcc5a6c62bc
SHA256 84eedc3b5feb70a840fe89ce3aa076c76551eb5fc7b07423d47f41a9a3f2ea35
SHA512 7b6c05f15c91db49d8d9f2043ad18f529839fa2369bd7ee1fc3ef900dd5d9dea2c84f9a06b3bd23a7ede4d8f9a97bb704b9e4f92f4019b11bd5e336b1e2e4c4d
-
C:\Windows\SysWOW64\shervans.dll
MD5 9fcc83db4e03b67fccabcb604b51948c
SHA1 13bfe6ebe5b527f9fbfcf0622cc5da8064422394
SHA256 4329dc82e98cc06d23c93a24c89fb597a13f4d2253339b6824c3ffa3d74c8a7b
SHA512 78128588c87a03e1fdf9192192918a47e460e0e198ac9ee22ef1ce60acfa12139c2effed6a3d7f96814ec0be01adfa217acf7b38f11924e239af109b7fbf8844
-
C:\Windows\SysWOW64\smnss.exe
MD5 c58d385103bdcfcdbac8542edaa678b4
SHA1 4fd8fead52d94a5eb6c97ac88da7a9ad5d50603a
SHA256 3acbbffc4df2446b5c27ffabe1d2a15c8b74c88e9f7f4cdccc72bf137e4864f4
SHA512 222e25b41237a5a7804f8859cdf9e72b8ee06fa490861e9e82c613eaeb73d34be964ca3f5d18d4744c5b30fca30070857c2e48470c9474bc8947c235d5e7def9
-
\Windows\SysWOW64\ctfmen.exe
MD5 c9ad591f0b0c0f9ed53cee7ccf0d8488
SHA1 23516aa278f7f3cb738d5175ab6cb15afaf4bed2
SHA256 b8f68b40dde3f4db2c751545536137310a5d8132e8369c9180ffa7309257c4a5
SHA512 7e215cf343decbe668fa96cceecf7ce8e710a237486e054b2b2a939c1ef4193d5eebcd119387e40dbe79a1aa3b98ef93331ba90107b6ed3cbb65cde87ecac442
-
\Windows\SysWOW64\shervans.dll
MD5 9fcc83db4e03b67fccabcb604b51948c
SHA1 13bfe6ebe5b527f9fbfcf0622cc5da8064422394
SHA256 4329dc82e98cc06d23c93a24c89fb597a13f4d2253339b6824c3ffa3d74c8a7b
SHA512 78128588c87a03e1fdf9192192918a47e460e0e198ac9ee22ef1ce60acfa12139c2effed6a3d7f96814ec0be01adfa217acf7b38f11924e239af109b7fbf8844
-
\Windows\SysWOW64\smnss.exe
MD5 c58d385103bdcfcdbac8542edaa678b4
SHA1 4fd8fead52d94a5eb6c97ac88da7a9ad5d50603a
SHA256 3acbbffc4df2446b5c27ffabe1d2a15c8b74c88e9f7f4cdccc72bf137e4864f4
SHA512 222e25b41237a5a7804f8859cdf9e72b8ee06fa490861e9e82c613eaeb73d34be964ca3f5d18d4744c5b30fca30070857c2e48470c9474bc8947c235d5e7def9
-
memory/548-74-0x0000000000000000-mapping.dmp
-
memory/548-78-0x00000000003A0000-0x00000000003BF000-memory.dmp
Filesize: 124KB
-
memory/828-71-0x00000000753B1000-0x00000000753B3000-memory.dmp
Filesize: 8KB
-
memory/828-67-0x0000000000000000-mapping.dmp
-
memory/1424-62-0x0000000000000000-mapping.dmp