2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f

General

Target

2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
Size

2.4MB
MD5

226f182d10ae6165ce779e45f9eecda7
SHA1

f151622152a09bf4304200a0ad6bdd055364c6af
SHA256

2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f
SHA512

157f3d3fb8f2c8e6f52492211c02b1321b7a8f6585aa0ba4be1aad374f1177ff8b2530f10301bc3346888a33efd1f40746a1d09692be449af3cbebfe42f421e4
SSDEEP

49152:WxuVOF3MeXMIs817dtZMk60gO5KIF5tFb8LoB4QsSt:ouVOJxXM9817yCLKO7yL44Qs4

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023210-11.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4888	ctfmen.exe
4768	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
3472	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
4768	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
File created	C:\Windows\SysWOW64\grcopy.dll	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
File created	C:\Windows\SysWOW64\smnss.exe	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
File created	C:\Windows\SysWOW64\satornas.dll	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3472	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
4768	smnss.exe
4768	smnss.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
376	4768	WerFault.exe	96

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	smnss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3472	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
4768	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 4888	3472	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe	95
PID 3472 wrote to memory of 4888	3472	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe	95
PID 3472 wrote to memory of 4888	3472	2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe	95
PID 4888 wrote to memory of 4768	4888	ctfmen.exe	96
PID 4888 wrote to memory of 4768	4888	ctfmen.exe	96
PID 4888 wrote to memory of 4768	4888	ctfmen.exe	96

C:\Users\Admin\AppData\Local\Temp\2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe
"C:\Users\Admin\AppData\Local\Temp\2296a778914a3272886066a2fa11fd6366fd44c56251b577036fc3d228b0a89f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1484
      4⤵
      Program crash
      PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4768 -ip 4768
1⤵
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
ea684f77a3cb1e72257c5d6777714c88

SHA1
787fa079e441699cd6d72b44c301830b55624ad8

SHA256
cacca98f9bfc884ff7277a39b65857e7a0514859f4ecef961416a36170ec2b57

SHA512
0a85b803cd8185b425e24e3781ff8d03280844832729ffeffb1987b25ea572bf2a81e2c830f83e327f84bb2432fa5fced07ebb8554b9ebd8bd90361f20299f5d

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
2.4MB

MD5
7acd24e8a1f08e4bcbf4d044b6a0eecb

SHA1
b0615642287e8d9402752f34ba56e177697b8a57

SHA256
81bb18569d5907405320205e30a84e31cae155f93cc16a6c4847713850fb213d

SHA512
2b8b6ea404e8c9927063a96b26cb0498cfc8d88841dd8cc5ad9a77b59f9251ce6d24225a014dfe85809c7aa7cea24ebd4f6263934a86e8bc40a0e15b7d7db0c5

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
6e9e19fcf1941eca74b0b4cd60c519e1

SHA1
908deea53506f32705fd0ea2cbc7ff6f73157ab0

SHA256
dbab31cd912b573142f0db87526ef72d805b5d79d3843f817c06282143e4f420

SHA512
b1f4dccc323489165e828b947cc2b0669e4b2c062f2e40bf2660c0a0e122ba9df9442cd9e0ab856d9530fad78dcb2e6429460ef1aef03f1c8c456eb18eaa8717

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
83217decae2d7435adc1aafd2aa20ed6

SHA1
4939e6a9b144ab46bb9ce863f6cf33d2bbcf39ea

SHA256
f7ba823edbf2323c5b1d10faef8eed53ab500ed20d7da8a2f42912e49e0890e8

SHA512
a80151689aa6fe3c081078c3fc0899cfed9d124ac4fce6a313382a3fd402eab7f09bbebff6e1bf7c6812a6b189abdaa17c39b3bf3614f59a8a3d97869ebbe00b

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
832KB

MD5
4fe0b61a6e46bcd8fba291bac586e2d2

SHA1
ab83fa43b5e1d9ea02ccd9b46c6ee3a7f818c687

SHA256
bf0a03152758a089846684c07abc59addd3eb169347a313f55fcb9f937401904

SHA512
4fde66152679ecad3e71f25b85a75565a3ba010cb22e7d15b7f18b2a0cd35b6eb3b45eb1530a0ea0d883e900030f5c1c81893990576a9407b5f6f4a6e1d4c827

Download Submit
memory/3472-29-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3472-14-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3472-27-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/3472-0-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/3472-32-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3472-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4768-30-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/4768-31-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4768-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4768-40-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/4768-42-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4888-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads