Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 08:06
Static task: static1
Behavioral task: behavioral1
- Sample: 2f8f8012_by_Libranalysis.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 2f8f8012_by_Libranalysis.exe
- Resource: win10v20210410
General
- Target: 2f8f8012_by_Libranalysis.exe
- Size: 118KB
- MD5: 2f8f8012ebb28563cc02c5fd13331a77
- SHA1: 1a2fbf934df02869dc7a563501835e1feb5f6b5c
- SHA256: 0ea327b5a6eb09b51bd1337c2b29e9fd4cbfa11a083736b47188884ffca7e2bf
- SHA512: 92326e07db24f96b8f56e5b2b4f7d19dfcaa255592ec0de3f38ee585d5fa50d8a9038f65924b4b39125254ec234783beb003057289bcc995e1edf2afcd10f18c
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (3 IoCs)
  Detects a file protected with the ACProtect packer.
  resource | yara_rule:
  \Windows\SysWOW64\shervans.dll | acprotect
  C:\Windows\SysWOW64\shervans.dll | acprotect
  \Windows\SysWOW64\shervans.dll | acprotect
- Executes dropped EXE (2 IoCs)
  pid | process:
  2848 | ctfmen.exe
  3604 | smnss.exe
- Loads dropped DLL (2 IoCs)
  pid | process:
  3152 | 2f8f8012_by_Libranalysis.exe
  3604 | smnss.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process:
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 2f8f8012_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
- Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | process:
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2f8f8012_by_Libranalysis.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | 2f8f8012_by_Libranalysis.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1 | 2f8f8012_by_Libranalysis.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1 | smnss.exe
- Drops file in System32 directory (12 IoCs)
  description | ioc | process:
  File created | C:\Windows\SysWOW64\ctfmen.exe | 2f8f8012_by_Libranalysis.exe
  File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 2f8f8012_by_Libranalysis.exe
  File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 2f8f8012_by_Libranalysis.exe
  File opened for modification | C:\Windows\SysWOW64\shervans.dll | 2f8f8012_by_Libranalysis.exe
  File created | C:\Windows\SysWOW64\satornas.dll | 2f8f8012_by_Libranalysis.exe
  File opened for modification | C:\Windows\SysWOW64\satornas.dll | 2f8f8012_by_Libranalysis.exe
  File created | C:\Windows\SysWOW64\shervans.dll | 2f8f8012_by_Libranalysis.exe
  File created | C:\Windows\SysWOW64\grcopy.dll | 2f8f8012_by_Libranalysis.exe
  File created | C:\Windows\SysWOW64\smnss.exe | 2f8f8012_by_Libranalysis.exe
  File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
  File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
  File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
- Program crash (1 IoC)
  pid | pid_target | process | target process:
  1276 | 3604 | WerFault.exe | smnss.exe
- Modifies registry class (6 IoCs)
  description | ioc | process:
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 2f8f8012_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 2f8f8012_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 2f8f8012_by_Libranalysis.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 2f8f8012_by_Libranalysis.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 2f8f8012_by_Libranalysis.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid | process:
  1276 | WerFault.exe (15 identical records)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process:
  Token: SeDebugPrivilege | 3604 | smnss.exe
  Token: SeRestorePrivilege | 1276 | WerFault.exe
  Token: SeBackupPrivilege | 1276 | WerFault.exe
  Token: SeDebugPrivilege | 1276 | WerFault.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | process | target process:
  PID 3152 wrote to memory of 2848 | 2f8f8012_by_Libranalysis.exe | ctfmen.exe (3 identical records)
  PID 2848 wrote to memory of 3604 | ctfmen.exe | smnss.exe (3 identical records)
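The "Adds Run key" and "Modifies registry class" records above are the persistence IOCs worth carrying out of this report. The following is an added example, not code from the sandbox or its report: it parses those flattened "Set value" records into structured entries, tags the Run key and the CLSID InprocServer32 write, notes that both went through the WOW6432Node (32-bit) registry view, and shows the path a 32-bit process actually resolves for the Run value (the WOW64 file system redirector maps System32 to SysWOW64). The record strings are constructed from the entries above; the field names and helper names are my own.

```python
"""Turn a sandbox report's registry 'Set value' records into persistence IOCs.

Added example, not code from the sandbox or its report. REPORT_RECORDS is
constructed from the "Adds Run key" and "Modifies registry class" entries
in the report; the field names (kind, wow64, redirected_target) are my own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the report's records, one flattened record per string.
REPORT_RECORDS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 2f8f8012_by_Libranalysis.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 2f8f8012_by_Libranalysis.exe',
]

# Shape: Set value (<type>) <key>\<name> = "<data>" <process>; <name> is empty for (Default).
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]*) = '
    r'"(?P<data>[^"]*)" (?P<proc>\S+)$'
)
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$')
HIVES = {'\\REGISTRY\\MACHINE': 'HKLM', '\\REGISTRY\\USER': 'HKU'}
SYSTEM32 = 'c:\\windows\\system32\\'


@dataclass
class Persistence:
    hive: str
    key: str
    name: str                  # '' is the key's (Default) value
    data: str
    proc: str
    kind: str                  # 'run_key', 'com_inprocserver32' or 'other'
    wow64: bool                # written through the 32-bit registry view
    clsid: Optional[str]
    redirected_target: str     # data as a 32-bit process resolves it


def wow64_redirect(path: str) -> str:
    """For a WOW64 (32-bit) process the file system redirector maps
    %SystemRoot%\\System32 to %SystemRoot%\\SysWOW64."""
    if path.lower().startswith(SYSTEM32):
        return 'C:\\Windows\\SysWOW64\\' + path[len(SYSTEM32):]
    return path


def classify(key: str) -> str:
    if key.lower().endswith('\\microsoft\\windows\\currentversion\\run'):
        return 'run_key'
    if CLSID_RE.search(key):
        return 'com_inprocserver32'
    return 'other'


def parse_record(line: str) -> Persistence:
    m = SET_VALUE_RE.match(line)
    if not m:
        raise ValueError('unrecognised record: %r' % line)
    key = m.group('key')
    hive = next((h for p, h in HIVES.items() if key.upper().startswith(p)), 'UNKNOWN')
    data = m.group('data').replace('\\\\', '\\')   # the report escapes backslashes
    clsid = CLSID_RE.search(key)
    return Persistence(
        hive=hive, key=key, name=m.group('name'), data=data, proc=m.group('proc'),
        kind=classify(key), wow64='\\wow6432node\\' in key.lower(),
        clsid=clsid.group(1) if clsid else None,
        redirected_target=wow64_redirect(data),
    )


def parse_records(lines) -> List[Persistence]:
    return [parse_record(line) for line in lines]


def unique_persistence(lines) -> List[Persistence]:
    """Collapse the same (key, name, data) written by more than one process."""
    seen, out = set(), []
    for p in parse_records(lines):
        k = (p.key.lower(), p.name.lower(), p.data.lower())
        if k not in seen:
            seen.add(k)
            out.append(p)
    return out


if __name__ == '__main__':
    for p in unique_persistence(REPORT_RECORDS):
        print(p.kind, p.hive, p.key, '[' + (p.name or '(Default)') + ']', '=', p.data)
        if p.redirected_target != p.data:
            print('   resolves for a 32-bit process to', p.redirected_target)
```

Running it collapses the four records to two persistence entries: the Run value ctfmen (which the 32-bit dropper resolves to C:\Windows\SysWOW64\ctfmen.exe, where the file was actually dropped) and the (Default) InprocServer32 value of the CLSID, pointed at shervans.dll, the ACProtect-packed DLL from the first signature.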
Processes
Tree depth is shown by indentation (the report's 1⤵ to 4⤵ markers); PIDs are taken from the signature records above.
- C:\Users\Admin\AppData\Local\Temp\2f8f8012_by_Libranalysis.exe (PID 3152)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f8f8012_by_Libranalysis.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (PID 2848)
    Command line: ctfmen.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (PID 3604)
      Command line: C:\Windows\system32\smnss.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 1276)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1140
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Notes:
- The execution chain is dropper (3152) -> ctfmen.exe (2848) -> smnss.exe (3604). The command line for smnss.exe names C:\Windows\system32\, but the image runs from C:\Windows\SysWOW64\: the processes are 32-bit (their registry writes land under WOW6432Node), so the WOW64 file system redirector maps system32 to SysWOW64. The same applies to the Run value "C:\Windows\system32\ctfmen.exe", which was written from that 32-bit context while the file itself was dropped in SysWOW64.
- WerFault.exe -u -p 3604 -s 1140 is Windows Error Reporting handling the crash of smnss.exe (PID 3604). The EnumeratesProcesses and AdjustPrivilegeToken hits attributed to PID 1276 are expected for the crash handler and are not actions of the sample.
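The process tree is the part of a report an analyst most often has to rebuild from the flattened signature records when only the text export survives. The following is an added example, not code from the sandbox: it derives parent/child edges from the WriteProcessMemory and Program crash records, prints the tree, extracts the lineage of any PID, flags processes whose command line names system32 while the image lives in SysWOW64 (the WOW64 redirection noted above), and reads the crashed PID out of the WerFault command line. All record strings and the PID-keyed process table are constructed from this report; the helper names are my own.

```python
"""Rebuild the process tree from a sandbox report's flattened records.

Added example, not code from the sandbox. WRITE_RECORDS and CRASH_RECORDS are
constructed from the "Suspicious use of WriteProcessMemory" and "Program crash"
signature entries, PROCESSES from the Processes section; the helper names and
the PID-keyed layout are my own.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed: parent-writes-into-child records exactly as flattened in the report.
WRITE_RECORDS = [
    'PID 3152 wrote to memory of 2848 3152 2f8f8012_by_Libranalysis.exe ctfmen.exe',
    'PID 3152 wrote to memory of 2848 3152 2f8f8012_by_Libranalysis.exe ctfmen.exe',
    'PID 3152 wrote to memory of 2848 3152 2f8f8012_by_Libranalysis.exe ctfmen.exe',
    'PID 2848 wrote to memory of 3604 2848 ctfmen.exe smnss.exe',
    'PID 2848 wrote to memory of 3604 2848 ctfmen.exe smnss.exe',
    'PID 2848 wrote to memory of 3604 2848 ctfmen.exe smnss.exe',
]
# Constructed: "pid pid_target process target" from the Program crash signature.
CRASH_RECORDS = ['1276 3604 WerFault.exe smnss.exe']

# Constructed: PID -> (image path, command line) from the Processes section.
PROCESSES: Dict[int, Tuple[str, str]] = {
    3152: ('C:\\Users\\Admin\\AppData\\Local\\Temp\\2f8f8012_by_Libranalysis.exe',
           '"C:\\Users\\Admin\\AppData\\Local\\Temp\\2f8f8012_by_Libranalysis.exe"'),
    2848: ('C:\\Windows\\SysWOW64\\ctfmen.exe', 'ctfmen.exe'),
    3604: ('C:\\Windows\\SysWOW64\\smnss.exe', 'C:\\Windows\\system32\\smnss.exe'),
    1276: ('C:\\Windows\\SysWOW64\\WerFault.exe',
           'C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3604 -s 1140'),
}

WRITE_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$')
CRASH_RE = re.compile(r'^(\d+) (\d+) (\S+) (\S+)$')
SYSTEM32, SYSWOW64 = 'c:\\windows\\system32\\', 'c:\\windows\\syswow64\\'


def build_edges(write_records, crash_records) -> Dict[int, int]:
    """Child PID -> parent PID. Repeated WriteProcessMemory records collapse to
    one edge; WerFault is attached to the PID it was launched to report on."""
    parent: Dict[int, int] = {}
    for line in write_records:
        m = WRITE_RE.match(line)
        if m:
            parent[int(m.group(2))] = int(m.group(1))
    for line in crash_records:
        m = CRASH_RE.match(line)
        if m:
            parent[int(m.group(1))] = int(m.group(2))
    return parent


def lineage(parent: Dict[int, int], pid: int) -> List[int]:
    """Root-first chain of PIDs leading to pid (guarded against cycles)."""
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render_tree(parent, processes, root) -> List[str]:
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    lines: List[str] = []

    def walk(pid, depth):
        image, cmd = processes[pid]
        lines.append('  ' * depth + '%d %s  cmd: %s' % (pid, image, cmd))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def wow64_redirected(processes) -> Dict[int, Tuple[str, str]]:
    """PIDs whose command line names system32 but whose image is in SysWOW64:
    the file system redirector rewrote the path because the caller is 32-bit."""
    out = {}
    for pid, (image, cmd) in processes.items():
        exe = cmd.split()[0].strip('"')
        if (exe.lower().startswith(SYSTEM32) and image.lower().startswith(SYSWOW64)
                and basename(exe) == basename(image)):
            out[pid] = (exe, image)
    return out


def crashed_pid(werfault_cmdline: str) -> Optional[int]:
    """The -p argument WerFault.exe was given, i.e. the process that crashed."""
    m = re.search(r'(?:^|\s)-p (\d+)(?:\s|$)', werfault_cmdline)
    return int(m.group(1)) if m else None


if __name__ == '__main__':
    edges = build_edges(WRITE_RECORDS, CRASH_RECORDS)
    print('\n'.join(render_tree(edges, PROCESSES, 3152)))
    print('lineage of 1276:', lineage(edges, 1276))
    print('redirected:', wow64_redirected(PROCESSES))
    print('WerFault reported crash of PID', crashed_pid(PROCESSES[1276][1]))
```

The lineage of PID 1276 comes out as 3152 -> 2848 -> 3604 -> 1276, and the only process flagged as redirected is 3604 (smnss.exe), matching the note above; the -p value parsed from the WerFault command line agrees with the pid_target in the Program crash record.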
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files (entries repeated in the listing are shown once):
- C:\Windows\SysWOW64\ctfmen.exe
  MD5: 05c9cec487879362296f94556707856e
  SHA1: ad61080fa7ecbd490401694e46e2c83245cd5d27
  SHA256: c9e68fbde9d95282e2963f98ec0f60c35cfdef5921a7f77332df90f6ab09ffa0
  SHA512: 293df84586e3f946a1714fbd852ca110fbb1552be225ca03f0c929c4d8f3aaec9cdb19aa678654ee9168e12ca2016dd7f67ed726ba4035cd79d354c89235d72e
- C:\Windows\SysWOW64\grcopy.dll
  MD5: 8b136fa7f210265943dcbd58a6a172fa
  SHA1: aec7bde364af5dddba512ad761b4373e8c9ca01c
  SHA256: ea36c5b6bc679ba38a7c1d238407aa01ca0bf8cd51b6d37999ce179a61052b52
  SHA512: afadb482538e5a34c55faee0877cd648d3274036ba7d3901648c0a7dffc99623f534cb0b33480d7f590245823ce13f5c23058497cba7a90c932f3b84a1f238c5
- C:\Windows\SysWOW64\satornas.dll
  MD5: 022498b0f5e164b1c58553f9b684c1fc
  SHA1: 50c1a942d510424994192d376a7142e03bf7a553
  SHA256: 382db11ebe981d7166e9097758fd2eed1b151744714e833988e4f05c26a5caf8
  SHA512: 5db14d658486f404a82dfa445f560551ebba32c5c27037c87b6eb6b7b61fd9d429ac89ff50ceee4b1d35a1b28ddb1674890f12910a7d7a564dd5fd83bcea5c80
- C:\Windows\SysWOW64\shervans.dll (also recorded as \Windows\SysWOW64\shervans.dll)
  MD5: 44446608af1d8779f20524aec1a24f17
  SHA1: 0e0677eb4f75237645bbab3ea61796a479f4073e
  SHA256: e929c174ccd89b0f2de6e2a2bce599742c449bbcf33cd20c45bc73618ca718d9
  SHA512: d250fc5343cad6799c7f84d7c8e5081ff789b83c5699483186e6251b86de45f540f325952b3ea8a0b3ae1e4584b8c2fa7b4878da995e38681ee2a9878b43fcd0
- C:\Windows\SysWOW64\smnss.exe
  MD5: 8b136fa7f210265943dcbd58a6a172fa
  SHA1: aec7bde364af5dddba512ad761b4373e8c9ca01c
  SHA256: ea36c5b6bc679ba38a7c1d238407aa01ca0bf8cd51b6d37999ce179a61052b52
  SHA512: afadb482538e5a34c55faee0877cd648d3274036ba7d3901648c0a7dffc99623f534cb0b33480d7f590245823ce13f5c23058497cba7a90c932f3b84a1f238c5
Note: smnss.exe and grcopy.dll carry identical MD5, SHA1, SHA256 and SHA512 values, so they are the same file under two names; the four distinct SHA256 values above are the hash IOCs for the dropped files.
Memory dumps:
- memory/2848-115-0x0000000000000000-mapping.dmp
- memory/3604-118-0x0000000000000000-mapping.dmp
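Before the dropped-file hashes go into a blocklist or hunt, the listing has to be deduplicated and sanity-checked: the same file appears under several paths, and two different names share one set of digests. The following is an added example, not code from the sandbox: it validates the digests, indexes the rows by SHA256, reports which SHA256 values appear under more than one file name, and emits a YARA rule over the unique SHA256 values using YARA's hash module. DROPPED is constructed from the MD5/SHA1/SHA256 values listed above (SHA512 left out for brevity) and keeps the listing's repeated rows; the rule name is my own.

```python
"""Deduplicate a sandbox report's dropped-file listing into a hash IOC set.

Added example, not code from the sandbox. DROPPED is constructed from the
MD5/SHA1/SHA256 values in the Downloads section (SHA512 omitted) and keeps
the report's repeated rows; the YARA rule name is my own.
"""
import re
from collections import OrderedDict
from typing import Dict, List

# (md5, sha1, sha256) per dropped file, copied from the report.
CTFMEN = ('05c9cec487879362296f94556707856e', 'ad61080fa7ecbd490401694e46e2c83245cd5d27',
          'c9e68fbde9d95282e2963f98ec0f60c35cfdef5921a7f77332df90f6ab09ffa0')
GRCOPY = ('8b136fa7f210265943dcbd58a6a172fa', 'aec7bde364af5dddba512ad761b4373e8c9ca01c',
          'ea36c5b6bc679ba38a7c1d238407aa01ca0bf8cd51b6d37999ce179a61052b52')
SATORNAS = ('022498b0f5e164b1c58553f9b684c1fc', '50c1a942d510424994192d376a7142e03bf7a553',
            '382db11ebe981d7166e9097758fd2eed1b151744714e833988e4f05c26a5caf8')
SHERVANS = ('44446608af1d8779f20524aec1a24f17', '0e0677eb4f75237645bbab3ea61796a479f4073e',
            'e929c174ccd89b0f2de6e2a2bce599742c449bbcf33cd20c45bc73618ca718d9')

# (path, digests) in the order the report lists them, duplicates included.
DROPPED = [
    ('C:\\Windows\\SysWOW64\\ctfmen.exe', CTFMEN),
    ('C:\\Windows\\SysWOW64\\ctfmen.exe', CTFMEN),
    ('C:\\Windows\\SysWOW64\\grcopy.dll', GRCOPY),
    ('C:\\Windows\\SysWOW64\\satornas.dll', SATORNAS),
    ('C:\\Windows\\SysWOW64\\shervans.dll', SHERVANS),
    ('C:\\Windows\\SysWOW64\\smnss.exe', GRCOPY),
    ('C:\\Windows\\SysWOW64\\smnss.exe', GRCOPY),
    ('\\Windows\\SysWOW64\\shervans.dll', SHERVANS),
    ('\\Windows\\SysWOW64\\shervans.dll', SHERVANS),
]
HEX = {'md5': 32, 'sha1': 40, 'sha256': 64}   # expected lowercase hex lengths


def validate(rows) -> List[str]:
    """Rows whose digests are not well-formed hex of the expected length."""
    problems = []
    for path, digests in rows:
        for (algo, length), value in zip(HEX.items(), digests):
            if not re.fullmatch('[0-9a-f]{%d}' % length, value):
                problems.append('%s: bad %s %r' % (path, algo, value))
    return problems


def dedupe(rows) -> 'OrderedDict[str, Dict]':
    """Index by SHA256; one content seen under several paths is one entry.
    Conflicting MD5/SHA1 for a single SHA256 means the listing is corrupt."""
    index: 'OrderedDict[str, Dict]' = OrderedDict()
    for path, (md5, sha1, sha256) in rows:
        entry = index.setdefault(sha256, {'md5': md5, 'sha1': sha1, 'paths': []})
        if (entry['md5'], entry['sha1']) != (md5, sha1):
            raise ValueError('hash conflict for %s' % sha256)
        if path not in entry['paths']:
            entry['paths'].append(path)
    return index


def aliases(index) -> Dict[str, List[str]]:
    """SHA256 values that appear under more than one file name."""
    out = {}
    for sha256, entry in index.items():
        names = sorted({p.rsplit('\\', 1)[-1].lower() for p in entry['paths']})
        if len(names) > 1:
            out[sha256] = names
    return out


def yara_rule(index, name: str) -> str:
    """Hash-match rule over the unique SHA256 values (YARA 'hash' module)."""
    clauses = ' or\n        '.join('hash.sha256(0, filesize) == "%s"' % s for s in index)
    return 'import "hash"\n\nrule %s\n{\n    condition:\n        %s\n}\n' % (name, clauses)


if __name__ == '__main__':
    print(validate(DROPPED) or 'digests well-formed')
    idx = dedupe(DROPPED)
    for sha256, e in idx.items():
        print(sha256, e['paths'])
    print('aliases:', aliases(idx))
    print(yara_rule(idx, 'dropped_files_2f8f8012'))
```

The nine rows collapse to four SHA256 values, and the only alias group is grcopy.dll / smnss.exe, which is the observation a responder needs: a single payload dropped twice under different names. The emitted rule is hash-only and therefore brittle against any rebuild of the dropper; it is a confirmation rule for these exact artifacts, not a family signature.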