Analysis
- max time kernel: 14s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 10:03
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: d2d0810f_by_Libranalysis.exe, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: d2d0810f_by_Libranalysis.exe, Resource: win10v20210410)
General
- Target: d2d0810f_by_Libranalysis.exe
- Size: 118KB
- MD5: d2d0810fa6f942c316339a48c865d41b
- SHA1: d5adefd42699b367307639e1a298f07a56513e6c
- SHA256: f81d2b083548afd9b722626a4d2d94ff9f180b9fbb57e66c42036a4317bca1cb
- SHA512: b679711faf592c9aac2c10dd438974e2a52300c38ff4e647ce26de62e9c0f7c8fb70c6ebfab4dd11fe776dfd86159a41c61bb895d9877f1eed6168eed509c613
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (3 IoCs)
  Detects file using ACProtect software.
  Processes (resource, yara_rule):
    \Windows\SysWOW64\shervans.dll, acprotect
    C:\Windows\SysWOW64\shervans.dll, acprotect
    \Windows\SysWOW64\shervans.dll, acprotect
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    3780, ctfmen.exe
    3820, smnss.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1016, d2d0810f_by_Libranalysis.exe
    3820, smnss.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe", d2d0810f_by_Libranalysis.exe
    Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe", smnss.exe
- Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0, d2d0810f_by_Libranalysis.exe
    Key value queried, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1, d2d0810f_by_Libranalysis.exe
    Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum, smnss.exe
    Key value queried, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0, smnss.exe
    Key value queried, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1, smnss.exe
    Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum, d2d0810f_by_Libranalysis.exe
- Drops file in System32 directory (12 IoCs)
  Processes (description, ioc, process):
    File opened for modification, C:\Windows\SysWOW64\shervans.dll, d2d0810f_by_Libranalysis.exe
    File created, C:\Windows\SysWOW64\zipfi.dll, smnss.exe
    File created, C:\Windows\SysWOW64\zipfiaq.dll, smnss.exe
    File created, C:\Windows\SysWOW64\smnss.exe, smnss.exe
    File created, C:\Windows\SysWOW64\ctfmen.exe, d2d0810f_by_Libranalysis.exe
    File opened for modification, C:\Windows\SysWOW64\ctfmen.exe, d2d0810f_by_Libranalysis.exe
    File created, C:\Windows\SysWOW64\shervans.dll, d2d0810f_by_Libranalysis.exe
    File created, C:\Windows\SysWOW64\grcopy.dll, d2d0810f_by_Libranalysis.exe
    File opened for modification, C:\Windows\SysWOW64\grcopy.dll, d2d0810f_by_Libranalysis.exe
    File created, C:\Windows\SysWOW64\smnss.exe, d2d0810f_by_Libranalysis.exe
    File created, C:\Windows\SysWOW64\satornas.dll, d2d0810f_by_Libranalysis.exe
    File opened for modification, C:\Windows\SysWOW64\satornas.dll, d2d0810f_by_Libranalysis.exe
- Program crash (1 IoCs)
  Processes (pid, pid_target, process, target process):
    2156, 3820, WerFault.exe, smnss.exe
- Modifies registry class (6 IoCs)
  Processes (description, ioc, process):
    Set value (str), \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll", d2d0810f_by_Libranalysis.exe
    Set value (str), \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll", smnss.exe
    Key created, \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32, d2d0810f_by_Libranalysis.exe
    Key created, \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node, d2d0810f_by_Libranalysis.exe
    Key created, \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID, d2d0810f_by_Libranalysis.exe
    Key created, \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}, d2d0810f_by_Libranalysis.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
    2156, WerFault.exe (the same entry is listed 14 times)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 3820, smnss.exe
    Token: SeRestorePrivilege, 2156, WerFault.exe
    Token: SeBackupPrivilege, 2156, WerFault.exe
    Token: SeDebugPrivilege, 2156, WerFault.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1016 wrote to memory of 3780, 1016, d2d0810f_by_Libranalysis.exe, ctfmen.exe
    PID 1016 wrote to memory of 3780, 1016, d2d0810f_by_Libranalysis.exe, ctfmen.exe
    PID 1016 wrote to memory of 3780, 1016, d2d0810f_by_Libranalysis.exe, ctfmen.exe
    PID 3780 wrote to memory of 3820, 3780, ctfmen.exe, smnss.exe
    PID 3780 wrote to memory of 3820, 3780, ctfmen.exe, smnss.exe
    PID 3780 wrote to memory of 3820, 3780, ctfmen.exe, smnss.exe
Processes (process tree; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\d2d0810f_by_Libranalysis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d2d0810f_by_Libranalysis.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe
    Command line: ctfmen.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe
      Command line: C:\Windows\system32\smnss.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1144
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files; duplicate entries in the original listing collapsed)
- C:\Windows\SysWOW64\ctfmen.exe
  MD5: b908598e3e29d84ea7c4296c57121a24
  SHA1: 909b073c8aab40d7f9e37ea06a663f5f96396a86
  SHA256: 35d1eb4d188643fa4da0d400254eca28c17cb95cbed619071365f0f1eaba135a
  SHA512: 513d0a38cb161b77b4e956ec68429239ca547c83ac6e5f97e9f3da18f6ff1e8768977db537c9a4f2b0ca26f02043a5dd71b922413ba95dbcf20f3205f02d460d
- C:\Windows\SysWOW64\grcopy.dll
  MD5: 923154de6b790052e6f80127e816acb1
  SHA1: b9ad78a36acd4c64fcb47bcc414520af8f3bc3d1
  SHA256: c8ae44e2a12a069072c53ca5f668d842dc9740f62c552d8fa1c359a30c1beb71
  SHA512: a0409470a3b630d8b621bded0055c2548eb078bc423b1f6bba5f086489038cd4e2f1cf59950f732a868944db6d4b6b1f491a55d8ed64d2def444e44d286b5be8
- C:\Windows\SysWOW64\satornas.dll
  MD5: 5077d10dce9a23323257f4e51120e305
  SHA1: 341ad26b98703ffb30133683fb08859fe0efcc4f
  SHA256: 80d036b3ad77fc1a44006060bf4644bed42c86ea608f33b76ea4255b6e9361bc
  SHA512: 7d7eeb6f28204ebac8c67a4f8b54fd1aeb3b5b2c1f93a313fc208dd6a9f8568621768e57dfb67acee319d085604afacbc5adcc988b06234f18e3b85e36538343
- C:\Windows\SysWOW64\shervans.dll (also recorded as \Windows\SysWOW64\shervans.dll, same hashes)
  MD5: 1f225772fabbdce9a8b02aba1ef6384a
  SHA1: 5fba361792bc7a73476ef322db48fdfaa2f1ab21
  SHA256: 29d4bab388879d396ad22e4396e88e3eb681bed074f1393f9d82548c62d4ecc6
  SHA512: 9eb9ffb9a4ce8c90ae35049d6e48dda82e5056962efe0e5756893a5ce61058b3d4d2c033905862a2abee09dec3aa8c7024285e8997ab606d3a43d5461110d9e6
- C:\Windows\SysWOW64\smnss.exe (identical hashes to grcopy.dll above)
  MD5: 923154de6b790052e6f80127e816acb1
  SHA1: b9ad78a36acd4c64fcb47bcc414520af8f3bc3d1
  SHA256: c8ae44e2a12a069072c53ca5f668d842dc9740f62c552d8fa1c359a30c1beb71
  SHA512: a0409470a3b630d8b621bded0055c2548eb078bc423b1f6bba5f086489038cd4e2f1cf59950f732a868944db6d4b6b1f491a55d8ed64d2def444e44d286b5be8

Memory dumps
- memory/3780-115-0x0000000000000000-mapping.dmp
- memory/3820-118-0x0000000000000000-mapping.dmp