Analysis
max time kernel: 151s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 23:41
Static task: static1
Behavioral task: behavioral1
  Sample: 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
  Resource: win10v2004-20240226-en
General
Target: 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
Size: 41KB
MD5: 79e260a513f98d0e38814275ff375430
SHA1: 3b44c85110e60418d903e928142bf9bb30996995
SHA256: 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866
SHA512: 95a210a5066a190ee4d251b05673918b8c836619f79e41c4c6a7dd228d13e26ede312ec81e5ded549c6e490fcbb5617c6d006d60503f71631fdee14e4d2d6b56
SSDEEP: 768:qeMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09sy1+:qq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS2
Malware Config
Signatures
UPX dump on OEP (original entry point) 14 IoCs
resource | yara_rule
behavioral1/memory/2612-0-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
\Windows\SysWOW64\shervans.dll | UPX
behavioral1/memory/2612-14-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
\Windows\SysWOW64\ctfmen.exe | UPX
behavioral1/memory/2612-18-0x0000000000340000-0x0000000000349000-memory.dmp | UPX
behavioral1/memory/2612-24-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral1/memory/2912-29-0x0000000000400000-0x0000000000409000-memory.dmp | UPX
behavioral1/memory/2612-31-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
C:\Windows\SysWOW64\smnss.exe | UPX
behavioral1/memory/2540-35-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral1/memory/2540-39-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral1/memory/2540-41-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral1/memory/2540-42-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral1/memory/2540-46-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
\Windows\SysWOW64\shervans.dll | acprotect
Executes dropped EXE 2 IoCs
pid | process
2912 | ctfmen.exe
2540 | smnss.exe
Loads dropped DLL 9 IoCs
pid | process
2612 | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
2612 | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
2612 | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
2912 | ctfmen.exe
2912 | ctfmen.exe
2540 | smnss.exe
2636 | WerFault.exe
2636 | WerFault.exe
2636 | WerFault.exe
Adds Run key to start application 2 TTPs 2 IoCs
Both the sample and the dropped smnss.exe register "ctfmen" as a machine-wide Run entry. The key sits under Wow6432Node because these are 32-bit processes subject to WOW64 registry redirection; the file the value names was dropped under SysWOW64 (see "Drops file in System32 directory"), which is where C:\Windows\system32 is redirected for 32-bit code.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
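The report records that both processes opened Disk\Enum and read values 0 and 1, but not what they compared the data against. The example below, added here and not part of the sandbox's report or the sample's code, shows the shape of that key and the kind of check such a read usually feeds (hypervisor vendor strings in the disk device id), together with the defender-side audit of an analysis image. The Disk\Enum values and the vendor marker list are constructed assumptions; the page does not show the strings this sample looks for, if any.

```python
import re

# Representative HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum contents (constructed for this
# example; the report shows only that the key was read). Windows keeps one value per enumerated
# disk, named "0", "1", ..., plus a "Count" value.
VM_DISK_ENUM = {
    "Count": 2,
    "0": r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&2cf9d2b0&0&0.0.0",
    "1": r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1a2b3c4d&0&000000",
}
PHYSICAL_DISK_ENUM = {
    "Count": 1,
    "0": r"SCSI\Disk&Ven_SAMSUNG&Prod_MZVLB512HAJQ-000\4&2a1b3c4d&0&000000",
}

# Vendor markers a sandbox-aware sample would plausibly test for. Assumption: the page does not
# show which strings, if any, this sample compares the values against.
VM_MARKERS = {
    "virtualbox": re.compile(r"VBOX", re.I),
    "vmware":     re.compile(r"VMWARE", re.I),
    "qemu":       re.compile(r"QEMU", re.I),
    "hyper-v":    re.compile(r"Ven_Msft&Prod_Virtual_Disk", re.I),
}

def parse_disk_entry(entry):
    """Split a Disk\\Enum value into (bus, device id, instance id)."""
    parts = entry.split("\\")
    if len(parts) != 3:
        raise ValueError(f"unexpected Disk\\Enum entry: {entry!r}")
    return parts[0], parts[1], parts[2]

def disk_entries(enum):
    """Yield (index, entry) for the numbered values in index order, skipping Count."""
    for name in sorted((k for k in enum if k.isdigit()), key=int):
        yield int(name), enum[name]

def vm_vendors(enum):
    """Set of hypervisor names whose marker appears in any enumerated disk's device id."""
    found = set()
    for _, entry in disk_entries(enum):
        _, device_id, _ = parse_disk_entry(entry)
        for vendor, pattern in VM_MARKERS.items():
            if pattern.search(device_id):
                found.add(vendor)
    return found

def audit_disk_enum(enum):
    """Defender-side view: what this key gives away about the analysis host."""
    indexed = list(disk_entries(enum))
    vendors = vm_vendors(enum)
    problems = []
    if vendors:
        problems.append("hypervisor vendor string in disk id: " + ", ".join(sorted(vendors)))
    if enum.get("Count") != len(indexed):
        # Assumption: a hand-edited key whose Count no longer matches the numbered values is
        # itself a tell, so an image that was "cleaned" should be checked for this too.
        problems.append(f"Count={enum.get('Count')} but {len(indexed)} numbered entries")
    return {"vendors": vendors, "disk_count": len(indexed), "problems": problems}

if __name__ == "__main__":
    for label, enum in (("vm", VM_DISK_ENUM), ("physical", PHYSICAL_DISK_ENUM)):
        print(label, audit_disk_enum(enum))
```

On a real analysis host the same audit is run against the live values of HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum; any vendor hit is a string a sample can key on without touching a single API beyond the registry.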
Drops file in System32 directory 12 IoCs
description | ioc | process
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
File created | C:\Windows\SysWOW64\shervans.dll | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
File created | C:\Windows\SysWOW64\grcopy.dll | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
File created | C:\Windows\SysWOW64\satornas.dll | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
File created | C:\Windows\SysWOW64\smnss.exe | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
Drops file in Program Files directory 64 IoCs
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tg.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\License.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\si.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml | smnss.exe
Program crash 1 IoCs
smnss.exe, the last stage started in this run, crashed and was handled by WerFault.exe (see the process tree). Anything that stage would have done after that point is absent from this trace, so an empty Network section should not be read as "no network capability".
pid | pid_target | process | target process
2636 | 2540 | WerFault.exe | smnss.exe
Modifies registry class 6 IoCs
The (Default) value of a CLSID's InprocServer32 key names the DLL that COM loads in-process for that class; the report renders that value as a trailing backslash on the key path. Both the sample and smnss.exe point it at the dropped shervans.dll, so any 32-bit process that instantiates {E6FB5E20-DE35-11CF-9C87-00AA005127ED} will load the dropped DLL.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | process
Token: SeDebugPrivilege | 2540 | smnss.exe
Suspicious use of WriteProcessMemory 12 IoCs
A parent writing into a child it has just started is also part of normal process creation, so a WriteProcessMemory edge is weak evidence on its own. What makes this chain notable is that both intermediate children (ctfmen.exe, smnss.exe) are executables dropped earlier in the same trace, and the last edge is the crash handler being started for smnss.exe.
description | pid | process | target process
PID 2612 wrote to memory of 2912 (4 events) | 2612 | 98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe | ctfmen.exe
PID 2912 wrote to memory of 2540 (4 events) | 2912 | ctfmen.exe | smnss.exe
PID 2540 wrote to memory of 2636 (4 events) | 2540 | smnss.exe | WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\98314be4825f2c7d10644a2cdeccdcd8191690dbfdb514f3f9635ba31a075866.exe"
  Depth: 1
  PID: 2612
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\ctfmen.exe
    Command line: ctfmen.exe
    Depth: 2
    PID: 2912
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\smnss.exe
      Command line: C:\Windows\system32\smnss.exe
      Depth: 3
      PID: 2540
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 820
        Depth: 4
        PID: 2636
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 183B
MD5: 5d61738be3682051b12ebab04f22dd1f
SHA1: 71732aebb8f9e2dc7444e833ea161447b746b4b6
SHA256: 82f8ea932719e2120798ab38192ac0b6f7e88020c9a8c3c8ea05566b89da162f
SHA512: 48c925527a3f2aa28d0b8d3f11e38e930bf6e4c71507daf7c2f8bebbad31ed3e1ab89fb82a59048f1a06949bd13615efbc70341d7ccf1b8b220f936b8f0185b9

Filesize: 41KB
MD5: b40d57bdcbe6c7ee91d8ed76b56a92fa
SHA1: 46c9e7129a045bce4dbf22f3a19b1fc38d23459f
SHA256: b56993c0f5eace9f61ed12d1af74078475a8688ef3ba8129390e68f0845724c8
SHA512: e7501bcadf0f0124dea7494866f3d0ac18d81c7cd49d516d519f6c49dfd3087903abb1bfeb8796fc7784477f87a1582f436f60a5306e070f9fb3c0ef812f0d9f

Filesize: 4KB
MD5: f44f221f931e2558535fd4dbc8a49a6d
SHA1: bd1b5b9b9d6e0394a678c6bff1a9f5c5f06f79b5
SHA256: 6a2e928d32f0960c2b05c0e937c23772e1ea6369c021ee02d091f505499d1f74
SHA512: 64edc91e4afd09717b1bff33e20dee29c5dbc48fd3df18fe83fcf9e87b1b113098aadcc8d7bc511d988322455cabb1ac9e9355e5b5911d87e97d70b846eaed8c

Filesize: 8KB
MD5: 255ed633493eaaccf8d70d0a3e52a6ea
SHA1: 15a654be9cf78d917e96178ea284ecacf1a9d230
SHA256: 186bd23125b6b76b9b4c4622a248dd618dc026b2b076350afc7fc66f14e340d6
SHA512: 92b0d236d5d1d9137edd205f69cf821bd73c040ecc3197869993a75a923536aaa57399991e29064c08c8eba23cd2688bbc9800add549dc86d5a435ec81525ec1