Analysis
- max time kernel: 143s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 08:03

Static task: static1
Behavioral task: behavioral1
  Sample: b4d22b58_by_Libranalysis.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: b4d22b58_by_Libranalysis.exe
  Resource: win10v20210410

General
- Target: b4d22b58_by_Libranalysis.exe
- Size: 118KB
- MD5: b4d22b58cd80b7ffc930a76ca9f9fa71
- SHA1: 3931f09d3d36e714eade19bab13a2ac5c5db1a6c
- SHA256: 804acd2d212ff0dbdc4670b07862c19f275fc746b19d431bf6b31f78d7a63ec6
- SHA512: fa990e0799500dfef650648d06f7226a5c697b71c587ff32dbabe957a3e0425bd4f3d2f05990af787d3f2b223aa3097a88c2d018d79eadf4776f1742706e9b5e
Malware Config
Signatures

- ACProtect 1.3x - 1.4x DLL software (3 IoCs)
  Detects file using ACProtect software.
  Processes:
    resource                          yara_rule
    \Windows\SysWOW64\shervans.dll    acprotect
    C:\Windows\SysWOW64\shervans.dll  acprotect
    \Windows\SysWOW64\shervans.dll    acprotect

- Executes dropped EXE (2 IoCs)
  Processes: ctfmen.exe, smnss.exe
    pid   process
    2788  ctfmen.exe
    2808  smnss.exe

- Loads dropped DLL (2 IoCs)
  Processes: b4d22b58_by_Libranalysis.exe, smnss.exe
    pid   process
    3896  b4d22b58_by_Libranalysis.exe
    2808  smnss.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: b4d22b58_by_Libranalysis.exe, smnss.exe
    description      ioc                                                                                                                    process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  b4d22b58_by_Libranalysis.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  smnss.exe

- Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: b4d22b58_by_Libranalysis.exe, smnss.exe
    description        ioc                                                          process
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0  b4d22b58_by_Libranalysis.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1  b4d22b58_by_Libranalysis.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    smnss.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0  smnss.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1  smnss.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    b4d22b58_by_Libranalysis.exe

- Drops file in System32 directory (12 IoCs)
  Processes: b4d22b58_by_Libranalysis.exe, smnss.exe
    description                   ioc                                 process
    File created                  C:\Windows\SysWOW64\smnss.exe       b4d22b58_by_Libranalysis.exe
    File opened for modification  C:\Windows\SysWOW64\satornas.dll    b4d22b58_by_Libranalysis.exe
    File created                  C:\Windows\SysWOW64\zipfi.dll       smnss.exe
    File created                  C:\Windows\SysWOW64\zipfiaq.dll     smnss.exe
    File opened for modification  C:\Windows\SysWOW64\ctfmen.exe      b4d22b58_by_Libranalysis.exe
    File opened for modification  C:\Windows\SysWOW64\grcopy.dll      b4d22b58_by_Libranalysis.exe
    File created                  C:\Windows\SysWOW64\grcopy.dll      b4d22b58_by_Libranalysis.exe
    File opened for modification  C:\Windows\SysWOW64\shervans.dll    b4d22b58_by_Libranalysis.exe
    File created                  C:\Windows\SysWOW64\satornas.dll    b4d22b58_by_Libranalysis.exe
    File created                  C:\Windows\SysWOW64\smnss.exe       smnss.exe
    File created                  C:\Windows\SysWOW64\ctfmen.exe      b4d22b58_by_Libranalysis.exe
    File created                  C:\Windows\SysWOW64\shervans.dll    b4d22b58_by_Libranalysis.exe

- Drops file in Program Files directory (64 IoCs)
  Processes: smnss.exe
  All 64 entries are "File opened for modification" by smnss.exe; the ioc paths, in the order reported:
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml
    C:\Program Files\7-Zip\Lang\an.txt
    C:\Program Files\7-Zip\Lang\az.txt
    C:\Program Files\7-Zip\Lang\gu.txt
    C:\Program Files\7-Zip\Lang\kk.txt
    C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm
    C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml
    C:\Program Files\7-Zip\Lang\af.txt
    C:\Program Files\7-Zip\Lang\fa.txt
    C:\Program Files\7-Zip\Lang\ka.txt
    C:\Program Files\7-Zip\Lang\nl.txt
    C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm
    C:\Program Files\7-Zip\Lang\sv.txt
    C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml
    C:\Program Files\Common Files\microsoft shared\ink\Content.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml
    C:\Program Files\7-Zip\readme.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml
    C:\Program Files\7-Zip\Lang\de.txt
    C:\Program Files\7-Zip\Lang\et.txt
    C:\Program Files\7-Zip\Lang\fur.txt
    C:\Program Files\7-Zip\Lang\si.txt
    C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm
    C:\Program Files\7-Zip\Lang\cy.txt
    C:\Program Files\7-Zip\Lang\lij.txt
    C:\Program Files\7-Zip\Lang\sa.txt
    C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml
    C:\Program Files\7-Zip\Lang\ug.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml
    C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm
    C:\Program Files\7-Zip\Lang\id.txt
    C:\Program Files\7-Zip\Lang\mk.txt
    C:\Program Files\7-Zip\Lang\nb.txt
    C:\Program Files\7-Zip\Lang\tr.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml
    C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html
    C:\Program Files\Java\jdk1.8.0_66\jre\README.txt
    C:\Program Files\7-Zip\Lang\hi.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml
    C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm
    C:\Program Files\7-Zip\Lang\co.txt
    C:\Program Files\7-Zip\Lang\es.txt
    C:\Program Files\7-Zip\Lang\fi.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml
    C:\Program Files\7-Zip\License.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml
    C:\Program Files\7-Zip\Lang\ca.txt
    C:\Program Files\7-Zip\Lang\lv.txt
    C:\Program Files\7-Zip\Lang\th.txt
    C:\Program Files\7-Zip\Lang\va.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml

- Program crash (1 IoC)
  Processes: WerFault.exe
    pid   pid_target  process       target process
    2088  2808        WerFault.exe  smnss.exe

- Modifies registry class (6 IoCs)
  Processes: b4d22b58_by_Libranalysis.exe, smnss.exe
    description      ioc                                                                                                                                       process
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID                                                                                      b4d22b58_by_Libranalysis.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}                                               b4d22b58_by_Libranalysis.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  b4d22b58_by_Libranalysis.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  smnss.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32                                b4d22b58_by_Libranalysis.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node                                                                                            b4d22b58_by_Libranalysis.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: WerFault.exe
    pid   process
    2088  WerFault.exe  (14 identical entries)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: smnss.exe, WerFault.exe
    description                pid   process
    Token: SeDebugPrivilege    2808  smnss.exe
    Token: SeRestorePrivilege  2088  WerFault.exe
    Token: SeBackupPrivilege   2088  WerFault.exe
    Token: SeDebugPrivilege    2088  WerFault.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: b4d22b58_by_Libranalysis.exe, ctfmen.exe
    description                       pid   process                       target process
    PID 3896 wrote to memory of 2788  3896  b4d22b58_by_Libranalysis.exe  ctfmen.exe
    PID 3896 wrote to memory of 2788  3896  b4d22b58_by_Libranalysis.exe  ctfmen.exe
    PID 3896 wrote to memory of 2788  3896  b4d22b58_by_Libranalysis.exe  ctfmen.exe
    PID 2788 wrote to memory of 2808  2788  ctfmen.exe                    smnss.exe
    PID 2788 wrote to memory of 2808  2788  ctfmen.exe                    smnss.exe
    PID 2788 wrote to memory of 2808  2788  ctfmen.exe                    smnss.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\b4d22b58_by_Libranalysis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4d22b58_by_Libranalysis.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\ctfmen.exe
    Command line: ctfmen.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\smnss.exe
      Command line: C:\Windows\system32\smnss.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken

      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1392
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Windows\SysWOW64\ctfmen.exe
  MD5: 783e0c46651b332e408e0877db3f35d9
  SHA1: 5d20c0686d7b06c81a23ab8a2e8028b21e269ebc
  SHA256: 07d7f528db77666bf755306149b3826535eff7a3cca39f87d66a12b7b19d30f7
  SHA512: b9b950cc7ed67d0a2480593773ec9471c33608c628f51f59d10b5543ff4ee7ef7bf209061a7130320c3ef4b9756e26f59a5f0ae9207185dadf859307439b329d

- C:\Windows\SysWOW64\grcopy.dll
  MD5: 578ccb47152ab1aa106d8e7f1333edb4
  SHA1: 3e89f046e22474aa077ff5763d5fa2bb4aadad2a
  SHA256: 2698c7e8dfe0a5189c590e219ad2d14ec52dbc0e9223bde7bbb1d59e42cc9557
  SHA512: 6a6e51fedd4c15d9000eaa2686738d53cf1cd80a9d77ea87be7b997b424e4b81b27a7d43f4a71b18dd19a5c62cdfbeb4e3966aeab4e02b01221a146ae14a7d59

- C:\Windows\SysWOW64\satornas.dll
  MD5: 9737f397c6bba40cd39eb3a4d9fae4d4
  SHA1: b42ee469713614b5c789a6fc3a539e0d1c5d86e8
  SHA256: ea4b0fb26ce02d1aea00a2b78961520886fae51333813668602e34adf4fe7bed
  SHA512: 0c81f3efc30ade6f29179cde82061335ab3817bea873459aac5958da0ddee42c95cf1597e06cf7167bf80db568a87c5ac80772db7aac9872aebcbe05bfa442f5

- C:\Windows\SysWOW64\shervans.dll
  MD5: f4f385513ae830b2a5e7d532cd975ca4
  SHA1: 090b231c7ef91327f335b36673dd6551a666c007
  SHA256: 97c73659ab6631ec1b5e928551c4e4ecb45ad1b011612e1d201ffc34501e1e62
  SHA512: c401dac1a153dfc2afb22a00f0a81eed025e38c6e9a3912a286c37afddbe35466e36581df0716b3ea330570488361eaf3be202ffd8082b20a6fdb85cc859be23

- C:\Windows\SysWOW64\smnss.exe
  MD5: 578ccb47152ab1aa106d8e7f1333edb4
  SHA1: 3e89f046e22474aa077ff5763d5fa2bb4aadad2a
  SHA256: 2698c7e8dfe0a5189c590e219ad2d14ec52dbc0e9223bde7bbb1d59e42cc9557
  SHA512: 6a6e51fedd4c15d9000eaa2686738d53cf1cd80a9d77ea87be7b997b424e4b81b27a7d43f4a71b18dd19a5c62cdfbeb4e3966aeab4e02b01221a146ae14a7d59

- \Windows\SysWOW64\shervans.dll
  MD5: f4f385513ae830b2a5e7d532cd975ca4
  SHA1: 090b231c7ef91327f335b36673dd6551a666c007
  SHA256: 97c73659ab6631ec1b5e928551c4e4ecb45ad1b011612e1d201ffc34501e1e62
  SHA512: c401dac1a153dfc2afb22a00f0a81eed025e38c6e9a3912a286c37afddbe35466e36581df0716b3ea330570488361eaf3be202ffd8082b20a6fdb85cc859be23

- memory/2788-115-0x0000000000000000-mapping.dmp
- memory/2808-118-0x0000000000000000-mapping.dmp