Analysis
- max time kernel: 138s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 10:07
Static task: static1
Behavioral task: behavioral1
  Sample: d331a53d_by_Libranalysis.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: d331a53d_by_Libranalysis.exe
  Resource: win10v20210410
General
- Target: d331a53d_by_Libranalysis.exe
- Size: 118KB
- MD5: d331a53d6deced27e44a1b23a897c660
- SHA1: a96d6f7f562943794a632b7071c2bc228477ed6f
- SHA256: 29051e0cdfd29405d4766b2d09e93c03b190fc71d094d11fb0e7bc998187689d
- SHA512: 632b1a37d395a9dad7e2ac1c47007b98c877f187ecf564935fa1cb9062ceed13eacd98cc9782e815d616c204e38e9c3bef43f4223c3f69a4b94562e899543a18
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (3 IoCs)
  Detects file using ACProtect software.
  Processes:
    resource | yara_rule
    \Windows\SysWOW64\shervans.dll | acprotect
    C:\Windows\SysWOW64\shervans.dll | acprotect
    \Windows\SysWOW64\shervans.dll | acprotect
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    3856 | ctfmen.exe
    1232 | smnss.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    3872 | d331a53d_by_Libranalysis.exe
    1232 | smnss.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | d331a53d_by_Libranalysis.exe
- Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | smnss.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1 | smnss.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | d331a53d_by_Libranalysis.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | d331a53d_by_Libranalysis.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1 | d331a53d_by_Libranalysis.exe
- Drops file in System32 directory (12 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\SysWOW64\ctfmen.exe | d331a53d_by_Libranalysis.exe
    File created | C:\Windows\SysWOW64\shervans.dll | d331a53d_by_Libranalysis.exe
    File created | C:\Windows\SysWOW64\grcopy.dll | d331a53d_by_Libranalysis.exe
    File opened for modification | C:\Windows\SysWOW64\grcopy.dll | d331a53d_by_Libranalysis.exe
    File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
    File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
    File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | d331a53d_by_Libranalysis.exe
    File opened for modification | C:\Windows\SysWOW64\shervans.dll | d331a53d_by_Libranalysis.exe
    File created | C:\Windows\SysWOW64\smnss.exe | d331a53d_by_Libranalysis.exe
    File created | C:\Windows\SysWOW64\satornas.dll | d331a53d_by_Libranalysis.exe
    File opened for modification | C:\Windows\SysWOW64\satornas.dll | d331a53d_by_Libranalysis.exe
    File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
- Program crash (1 IoC)
  Processes:
    pid | pid_target | process | target process
    3764 | 1232 | WerFault.exe | smnss.exe
- Modifies registry class (6 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | d331a53d_by_Libranalysis.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | d331a53d_by_Libranalysis.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | d331a53d_by_Libranalysis.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | d331a53d_by_Libranalysis.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | d331a53d_by_Libranalysis.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    pid | process
    3764 | WerFault.exe (15 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1232 | smnss.exe
    Token: SeRestorePrivilege | 3764 | WerFault.exe
    Token: SeBackupPrivilege | 3764 | WerFault.exe
    Token: SeDebugPrivilege | 3764 | WerFault.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 3872 wrote to memory of 3856 | 3872 | d331a53d_by_Libranalysis.exe | ctfmen.exe
    PID 3872 wrote to memory of 3856 | 3872 | d331a53d_by_Libranalysis.exe | ctfmen.exe
    PID 3872 wrote to memory of 3856 | 3872 | d331a53d_by_Libranalysis.exe | ctfmen.exe
    PID 3856 wrote to memory of 1232 | 3856 | ctfmen.exe | smnss.exe
    PID 3856 wrote to memory of 1232 | 3856 | ctfmen.exe | smnss.exe
    PID 3856 wrote to memory of 1232 | 3856 | ctfmen.exe | smnss.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d331a53d_by_Libranalysis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d331a53d_by_Libranalysis.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe
    Command line: ctfmen.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe
      Command line: C:\Windows\system32\smnss.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 1144
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\ctfmen.exe
  MD5: 54e565c16486516b6e90417adaab1452
  SHA1: 0bea045e3c7c5116c9f1241820b1a2051020f17b
  SHA256: 146e7747ffb92c777371bdf113992822f7f37ac4f71dc8b4d2fcdd836d0fb5fd
  SHA512: 1a0ec37e6705b80a24a61a467a661f75b621666cff9f81ec6870c0225e977dcedd99410e0e1c0ad908d2d450cfdefb2b7dd5e4aed15e13930d0a978f7444e909
- C:\Windows\SysWOW64\grcopy.dll
  MD5: 87890ee242a5c4f4169833889948de81
  SHA1: 454b2ad7d803d84e0c14f975b7f36ca8bfd116e5
  SHA256: 1f67a5d14f2c338f83f0494a5a52e950ad1eb3d4fb690bae8dfac3c85a7dded5
  SHA512: ecf39318c5ff7df25dcf6cc40e7977fbec35195cfac9dddcea1efa7befc3bc3a4ab43c79b836fbf720a041d17fc78819cca06dead0d9c77990e11a5bdca4bc54
- C:\Windows\SysWOW64\satornas.dll
  MD5: 254326f1921de85c9f877aedd6837ca5
  SHA1: f92fa40bf5d7852f5c45301b45d37e241731ef83
  SHA256: 00b1dd2c78cebaf118f7dd3f6b7cfa71f4e9a8dc5f36aa6b934df27b2d6510ab
  SHA512: 960428efb16a1b88a99389a506582b6409b3c2862f3f443877aaeeb03f0a8b2fc50418894d355dcfafa506bdfc6b17f2a4b0af02ca35c100aec68a92b77c2f22
- C:\Windows\SysWOW64\shervans.dll
  MD5: 67517a699acc94418e45433824bc084b
  SHA1: f33275cb423a5bd8f76443908aa64fe301d25b58
  SHA256: bf6b6b4311f34ab03e42737983ecfb8f425b186e1fd4f3ecb14ed0e8412d2ba0
  SHA512: 48936a4928771ba1381b58ff5c804ee0b194ad34364bc3fac4b094a85be1ec733558132c1882e3afeee5c596238177b376edecc5583ba5dbaa2faf07f1c9bb0a
- C:\Windows\SysWOW64\smnss.exe
  MD5: 87890ee242a5c4f4169833889948de81
  SHA1: 454b2ad7d803d84e0c14f975b7f36ca8bfd116e5
  SHA256: 1f67a5d14f2c338f83f0494a5a52e950ad1eb3d4fb690bae8dfac3c85a7dded5
  SHA512: ecf39318c5ff7df25dcf6cc40e7977fbec35195cfac9dddcea1efa7befc3bc3a4ab43c79b836fbf720a041d17fc78819cca06dead0d9c77990e11a5bdca4bc54
- \Windows\SysWOW64\shervans.dll
  MD5: 67517a699acc94418e45433824bc084b
  SHA1: f33275cb423a5bd8f76443908aa64fe301d25b58
  SHA256: bf6b6b4311f34ab03e42737983ecfb8f425b186e1fd4f3ecb14ed0e8412d2ba0
  SHA512: 48936a4928771ba1381b58ff5c804ee0b194ad34364bc3fac4b094a85be1ec733558132c1882e3afeee5c596238177b376edecc5583ba5dbaa2faf07f1c9bb0a
- memory/1232-118-0x0000000000000000-mapping.dmp
- memory/3856-115-0x0000000000000000-mapping.dmp