7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
Size

127KB
MD5

9a0ff7cee0938929cbfae0a3e77457a2
SHA1

ae913e03b1da99d93f137a5ec8e9e8f9b1aad99e
SHA256

7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e
SHA512

92580a5b9d2fa63888e7b60370111d14c73b3fd5341dd66f81cc5879a3179aff3a490ef52c4963d9514854993fd323bf738fab9e429107a0fa190c7af7b22df6
SSDEEP

3072:vej4uAt0ZsqsZOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPK:vCu7OKofHfHTXQLzgvnzHPowYbvrjD/j

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000013143-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2548	ctfmen.exe
2704	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2868	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
2868	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
2868	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
2548	ctfmen.exe
2548	ctfmen.exe
2704	smnss.exe
2440	WerFault.exe
2440	WerFault.exe
2440	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
File created	C:\Windows\SysWOW64\shervans.dll	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
File created	C:\Windows\SysWOW64\grcopy.dll	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
File created	C:\Windows\SysWOW64\smnss.exe	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
File created	C:\Windows\SysWOW64\satornas.dll	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2440	2704	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2548	2868	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe	28
PID 2868 wrote to memory of 2548	2868	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe	28
PID 2868 wrote to memory of 2548	2868	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe	28
PID 2868 wrote to memory of 2548	2868	7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe	28
PID 2548 wrote to memory of 2704	2548	ctfmen.exe	29
PID 2548 wrote to memory of 2704	2548	ctfmen.exe	29
PID 2548 wrote to memory of 2704	2548	ctfmen.exe	29
PID 2548 wrote to memory of 2704	2548	ctfmen.exe	29
PID 2704 wrote to memory of 2440	2704	smnss.exe	30
PID 2704 wrote to memory of 2440	2704	smnss.exe	30
PID 2704 wrote to memory of 2440	2704	smnss.exe	30
PID 2704 wrote to memory of 2440	2704	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe
"C:\Users\Admin\AppData\Local\Temp\7048893d1a2324751b45903f72f73d5ae32bb3f0d94a938a6913a8f31f96274e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 776
      4⤵
      Loads dropped DLL
      Program crash
      PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
814be35b326b1f09d42ef0c8fa863889

SHA1
59abf301b9ac7f82636833413c03f161689c22da

SHA256
26f39eff5d6aac13265eb2aa4622d5e78963fe147b040174f3c298b364d718eb

SHA512
69b9f988f3271f74a27b339d58cbce565c15539c711e436c93e78b7725698ff17617afd32848a6d93864c8be6e7dbd9e3e83d92b01b4e58df7072600f3642fc7

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
127KB

MD5
8b597f4132a5af2e27ed57f5878bc128

SHA1
ea90c1a3f817b349e918010d011b01722c3a3af4

SHA256
eff9b2dfe3a56d400e4148a8ecfd923ea772c3700dc7ded50c98369604159b00

SHA512
9b21a7b59846c5c9ff343fc255b2be58610aaa502e26a366544157ec24586f168ba9d064ccbf05e56ee6d6d09f16a820833f22943a7c0482b03b0073d497e360

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
c858e283d0f72b64c86b20473dfba67c

SHA1
d3752813477fbefaaaa3b299cfb36f35a8f3e684

SHA256
436215d809eaf5d54f01de8790fa25a242ed05d41a437bfa76db0daeba0ce893

SHA512
b0b77999a2c7249e06cf02cbd54b4d4543c831139417718ff4e539921217ae80b0e2452a4806e87c5d5fd2616f0cec44ba0a89154dfc237bbcf85f8878469106

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
d8643b48148f0bd983fdd871f8e20d8e

SHA1
4623c4363e65e54c48e05e5512c253bc179b6625

SHA256
994607bea60a19b62a6a342d2a392607013b717b0a4097369d5b3cc5c6d04a4c

SHA512
6519b2d7b917fde32b77062580f2c98b9ac723890de91a90a489d01a3a613dd1deaa697f2cad00e8373c647d5cd3492bc41fe45fc50172835657d681b2e66085

Download Submit
memory/2548-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2704-33-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2704-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2704-45-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2868-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2868-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2868-18-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2868-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2868-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads