865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
Size

127KB
MD5

b4c7736654c41b2417c93bd16e2e9bad
SHA1

93a7a9bdfcb77646184b11b573b41ebd8052c480
SHA256

865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d
SHA512

41f051ff42c9280d8933ea48860f03a75c1bcace78b7dd710f712a0b4d7d1e4353c0f336e64e9ed20484713ab12640781ccbc7a65b450dd2852452a93de65f89
SSDEEP

3072:4Ojruyt0ZsqsXXKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:4js9XKofHfHTXQLzgvnzHPowYbvrjD/m

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c00000001480e-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2540	ctfmen.exe
2504	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
1956	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
1956	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
1956	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
2540	ctfmen.exe
2540	ctfmen.exe
2504	smnss.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmen.exe	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
File created	C:\Windows\SysWOW64\shervans.dll	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
File created	C:\Windows\SysWOW64\grcopy.dll	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
File created	C:\Windows\SysWOW64\smnss.exe	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
File created	C:\Windows\SysWOW64\satornas.dll	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\InstallConvertFrom.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2448	2504	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2540	1956	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe	28
PID 1956 wrote to memory of 2540	1956	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe	28
PID 1956 wrote to memory of 2540	1956	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe	28
PID 1956 wrote to memory of 2540	1956	865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe	28
PID 2540 wrote to memory of 2504	2540	ctfmen.exe	29
PID 2540 wrote to memory of 2504	2540	ctfmen.exe	29
PID 2540 wrote to memory of 2504	2540	ctfmen.exe	29
PID 2540 wrote to memory of 2504	2540	ctfmen.exe	29
PID 2504 wrote to memory of 2448	2504	smnss.exe	30
PID 2504 wrote to memory of 2448	2504	smnss.exe	30
PID 2504 wrote to memory of 2448	2504	smnss.exe	30
PID 2504 wrote to memory of 2448	2504	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe
"C:\Users\Admin\AppData\Local\Temp\865dbcc3be4e0d038c388c87f4ccd7f44c7ac83ae6f229990d0c61902999712d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 760
      4⤵
      Loads dropped DLL
      Program crash
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\grcopy.dll

Filesize
127KB

MD5
3ffb7a7b0482e72067220e1c84ff44e7

SHA1
34d99bc507fcbd78e89a8491e5331680ed53b4e5

SHA256
70a4b8d67440c0962299c35f2001619dda5466206d6447f939aba15d7e3e25b2

SHA512
0afca970e736422603cf79263964eb5a53383de293a1fa8041e813f75301db4324db3c674099e1451f2d52e20a84c5daa4c4990b309fbc1b4d2744ad859c0d98

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
fd4219ce661d953bbf14fca738672638

SHA1
4f81e1e343bdc9bbf8675bcb8ea7dd28a7216172

SHA256
8d4a80f5f9b79b9f8ba1142920dbdc993964e6630889b508364be751dc0b7cae

SHA512
6dcf293c10b413f10b75f1a56aa02bd05a6822f3a26944e5431ef17a269659bacff8fcbf3de523ee278398c4359c51faa04d5029c3b318f109b9c18c619a9472

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
405c06d8fc2d25ea30840c69e5aa93d2

SHA1
91ad285938ee71504f63cc24864ea673f22ccf64

SHA256
2a3a4165ba052c4eab529160f009c14f552c52c9a3752786b9ad619942026157

SHA512
2d6cabc3e107810e4a902b389eb59daf1c36f933c1514fc5d16d8668364878b10fa4a93078f2a45684c6f7965ed58c7399ea03b7c7d43261aa68cca5d291ddaa

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
16da9b15249e3a963558932a2c9e0012

SHA1
d6c8e73dd87443a0dc77936961a0dcf91c2fb91a

SHA256
db89ccc8c84088ca180b6db2cf46f634ffb06c08ec41b8aea76a47f017f676d9

SHA512
2e190bb4efa8366a9452679f1596f005b1fe20a50e94a790942720112616353f47f387aac398e954ab41668099886ab6892e17f2c1da4ad8269e532d7cd57f53

Download Submit
memory/1956-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1956-18-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/1956-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1956-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1956-26-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/1956-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2504-37-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2504-40-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2504-46-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2540-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads