Analysis
- max time kernel: 145s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/04/2024, 21:12
Static task: static1
Behavioral task: behavioral1
- Sample: 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- Resource: win10v2004-20240226-en
General
- Target: 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- Size: 75KB
- MD5: 1ae3a88e11ffbf00e881c1591cc06899
- SHA1: f9d1f45298092077f420339dfb84cb6afad1ea50
- SHA256: 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c
- SHA512: 285587900e6492f387f2e101d5e20abbd5d43e11b9607b9b610c715dda52b27526dce6fb8e1c4a6b37079e21572ad4a227634c72274bb2d1c6967b5a404fa405
- SSDEEP: 1536:Ix1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3B:gOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPp
Malware Config
Signatures
UPX dump on OEP (original entry point) (7 IoCs)
resource / yara_rule:
- behavioral2/files/0x0008000000023263-9.dat: UPX
- behavioral2/memory/1756-11-0x0000000010000000-0x000000001000D000-memory.dmp: UPX
- behavioral2/files/0x0008000000023260-19.dat: UPX
- behavioral2/memory/4548-20-0x0000000000400000-0x0000000000409000-memory.dmp: UPX
- behavioral2/memory/4548-24-0x0000000000400000-0x0000000000409000-memory.dmp: UPX
- behavioral2/memory/1756-26-0x0000000010000000-0x000000001000D000-memory.dmp: UPX
- behavioral2/memory/4540-34-0x0000000010000000-0x000000001000D000-memory.dmp: UPX
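The rule above fires when the packer stub finishes and jumps to the original entry point (OEP), at which point the sandbox dumps the process memory. Before that, the file on disk still carries the packer's own layout, and that layout can be recognised statically. The following is an added example written for this report, not code from the sandbox, the sample or UPX itself: it builds two small PE32 images with struct (constructed inputs; the 0x9000-byte image size is chosen to match the 0x400000-0x409000 dump regions listed above and is not derived from the real sample) and runs the usual UPX heuristics over their section tables.

```python
"""Spot UPX packing statically from the PE section table.

Added example for this report, not code from the sandbox or the sample. The
images built below are constructed with struct; their sizes fit the 0x9000-byte
EXE region in the memory dumps above and are not taken from the real sample."""
import struct
from typing import Dict, List, Optional

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
OPT_HDR_SIZE = 96                            # PE32 optional header without data directories


def build_pe(sections: List[Dict[str, object]], entry: int, image_base: int = 0x400000) -> bytes:
    """Assemble a minimal PE32: DOS header, PE signature, COFF header, optional
    header, section table. Constructed test input only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header follows the DOS header
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, entry)       # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    table = b"".join(
        SECTION_HDR.pack(s["name"].encode("ascii").ljust(8, b"\0"), s["vsize"],
                         s["vaddr"], s["rawsize"], s["rawptr"], 0, 0, 0, 0, 0)
        for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data: bytes) -> Dict[str, object]:
    """Read entry point, image base and section headers from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsections, _, _, _, opt_size, _chars = COFF_HDR.unpack_from(data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + COFF_HDR.size
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    if magic == 0x10B:                           # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    else:                                        # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(
            data, opt_off + opt_size + i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return {"entry": entry, "image_base": image_base, "sections": sections}


def section_containing(pe: Dict[str, object], rva: int) -> Optional[Dict[str, object]]:
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def upx_indicators(pe: Dict[str, object]) -> List[str]:
    """Heuristics, not proof: stock UPX names its sections UPX0/UPX1, leaves the
    first section with no raw data (the stub unpacks into it at run time) and puts
    the entry point in the stub section rather than the first one. A build with
    renamed sections defeats the first check, so all three are reported."""
    hits: List[str] = []
    sections = pe["sections"]
    names = [s["name"] for s in sections]
    if any(n.upper().startswith("UPX") for n in names):
        hits.append("packer section names: " + ", ".join(names))
    first = sections[0] if sections else None
    if first and first["rawsize"] == 0 and first["vsize"] > 0:
        hits.append(f"{first['name']} has 0 raw bytes but {first['vsize']:#x} virtual bytes")
    ep = section_containing(pe, pe["entry"])
    if ep is not None and first is not None and ep is not first:
        hits.append(f"entry point {pe['entry']:#x} lies in {ep['name']}, not the first section")
    return hits


# Constructed layouts; image size 0x9000 matches the 0x400000-0x409000 dumps above.
UPX_LIKE = [
    {"name": "UPX0", "vsize": 0x5000, "vaddr": 0x1000, "rawsize": 0, "rawptr": 0x400},
    {"name": "UPX1", "vsize": 0x2000, "vaddr": 0x6000, "rawsize": 0x1400, "rawptr": 0x400},
    {"name": ".rsrc", "vsize": 0x1000, "vaddr": 0x8000, "rawsize": 0x200, "rawptr": 0x1800},
]
PLAIN = [
    {"name": ".text", "vsize": 0x3000, "vaddr": 0x1000, "rawsize": 0x3000, "rawptr": 0x400},
    {"name": ".data", "vsize": 0x1000, "vaddr": 0x4000, "rawsize": 0x200, "rawptr": 0x3400},
]

if __name__ == "__main__":
    for label, layout, entry in (("UPX-like", UPX_LIKE, 0x7A50), ("plain", PLAIN, 0x1234)):
        print(label, upx_indicators(parse_pe(build_pe(layout, entry))) or ["no indicators"])
```

Point parse_pe at the dropped .dat files from the report to see the packer layout; on the memory dumps taken at OEP the sections have already been filled in, which is exactly why the sandbox dumps there.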
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource / yara_rule:
- behavioral2/files/0x0008000000023263-9.dat: acprotect
Executes dropped EXE (2 IoCs)
pid / Process:
- 4548: ctfmen.exe
- 4540: smnss.exe
Loads dropped DLL (2 IoCs)
pid / Process:
- 1756: 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- 4540: smnss.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" by smnss.exe
The value data names C:\Windows\system32\ctfmen.exe, but both writers are 32-bit processes (the key sits under WOW6432Node), and the matching file creation is recorded under C:\Windows\SysWOW64\ctfmen.exe (see Drops file in System32 directory), which is where WOW64 file-system redirection sends a 32-bit write to System32.
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum by smnss.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 by smnss.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 by smnss.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
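Both processes read the numbered values under Services\Disk\Enum, which hold the device instance path of each disk. What a sample does with them is the substring test shown below. This is an added example for this report, not code from the sandbox or the sample; the two registry snapshots are constructed (one for a physical machine, one for a hypervisor guest) and the marker list is the set of vendor strings commonly looked for, not something recovered from this binary.

```python
"""What the Disk\\Enum lookup flagged above returns, and the substring test an
evasive sample typically applies to it. Added example for this report, not code
from the sandbox or the sample; the registry contents below are constructed."""
import re
from typing import Dict, List, Tuple

# Shape of HKLM\SYSTEM\ControlSet001\Services\Disk\Enum: a "Count" value and one
# numbered value per disk holding its device instance path, of the form
# <bus>\Disk&Ven_<vendor>&Prod_<product>\<instance>. Both dictionaries are constructed.
PHYSICAL_HOST: Dict[str, object] = {
    "Count": 1,
    "0": r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_970\5&2a4b6c8d&0&000000",
}
HYPERVISOR_GUEST: Dict[str, object] = {
    "Count": 2,
    "0": r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    "1": r"SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\000001",
}

# Vendor/product fragments commonly tested for; matched case-insensitively.
VIRTUAL_MARKERS = ("VMWARE", "VBOX", "VIRTUAL", "QEMU", "XEN")

DEVICE_ID = re.compile(
    r"^(?P<bus>[^\\]+)\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)", re.I)


def enumerate_disks(enum: Dict[str, object]) -> List[Tuple[str, str, str]]:
    """Return (bus, vendor, product) per numbered value, in registry order, with
    the underscores that stand in for spaces in device IDs turned back into spaces."""
    disks: List[Tuple[str, str, str]] = []
    for i in range(int(enum.get("Count", 0))):
        raw = enum.get(str(i))
        m = DEVICE_ID.match(raw) if isinstance(raw, str) else None
        if m:
            disks.append((m["bus"],
                          m["vendor"].replace("_", " ").strip(),
                          m["product"].replace("_", " ").strip()))
    return disks


def virtualization_hits(enum: Dict[str, object]) -> List[str]:
    """One line per disk whose vendor/product string carries a hypervisor marker."""
    hits: List[str] = []
    for bus, vendor, product in enumerate_disks(enum):
        text = f"{vendor} {product}".upper()
        marker = next((m for m in VIRTUAL_MARKERS if m in text), None)
        if marker:
            hits.append(f"{bus} disk '{vendor} {product}' matches {marker}")
    return hits


if __name__ == "__main__":
    for label, enum in (("physical", PHYSICAL_HOST), ("guest", HYPERVISOR_GUEST)):
        print(label, virtualization_hits(enum) or ["no hypervisor markers"])
```

For a sandbox operator the takeaway is the inverse of the check: the vendor and product fields of the emulated disk are what leak, so an analysis image whose disk identifies itself as a hypervisor product will be recognised by this lookup before any payload runs.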
Drops file in System32 directory (12 IoCs)
description / ioc / Process:
- File created C:\Windows\SysWOW64\satornas.dll by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- File created C:\Windows\SysWOW64\zipfiaq.dll by smnss.exe
- File created C:\Windows\SysWOW64\smnss.exe by smnss.exe
- File created C:\Windows\SysWOW64\grcopy.dll by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- File opened for modification C:\Windows\SysWOW64\ctfmen.exe by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- File created C:\Windows\SysWOW64\shervans.dll by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- File opened for modification C:\Windows\SysWOW64\grcopy.dll by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- File opened for modification C:\Windows\SysWOW64\shervans.dll by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- File created C:\Windows\SysWOW64\smnss.exe by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- File opened for modification C:\Windows\SysWOW64\satornas.dll by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- File created C:\Windows\SysWOW64\zipfi.dll by smnss.exe
- File created C:\Windows\SysWOW64\ctfmen.exe by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
Drops file in Program Files directory (29 IoCs)
description / ioc / Process: every entry is "File opened for modification" by smnss.exe, all inside the 7-Zip installation:
- C:\Program Files\7-Zip\Lang\fy.txt
- C:\Program Files\7-Zip\Lang\ca.txt
- C:\Program Files\7-Zip\Lang\es.txt
- C:\Program Files\7-Zip\Lang\bn.txt
- C:\Program Files\7-Zip\Lang\co.txt
- C:\Program Files\7-Zip\Lang\cs.txt
- C:\Program Files\7-Zip\Lang\ga.txt
- C:\Program Files\7-Zip\History.txt
- C:\Program Files\7-Zip\Lang\be.txt
- C:\Program Files\7-Zip\Lang\eu.txt
- C:\Program Files\7-Zip\Lang\fur.txt
- C:\Program Files\7-Zip\Lang\az.txt
- C:\Program Files\7-Zip\Lang\da.txt
- C:\Program Files\7-Zip\Lang\fi.txt
- C:\Program Files\7-Zip\Lang\br.txt
- C:\Program Files\7-Zip\Lang\el.txt
- C:\Program Files\7-Zip\Lang\eo.txt
- C:\Program Files\7-Zip\Lang\af.txt
- C:\Program Files\7-Zip\Lang\ba.txt
- C:\Program Files\7-Zip\Lang\de.txt
- C:\Program Files\7-Zip\Lang\ast.txt
- C:\Program Files\7-Zip\Lang\bg.txt
- C:\Program Files\7-Zip\Lang\cy.txt
- C:\Program Files\7-Zip\Lang\ext.txt
- C:\Program Files\7-Zip\Lang\fa.txt
- C:\Program Files\7-Zip\Lang\fr.txt
- C:\Program Files\7-Zip\Lang\an.txt
- C:\Program Files\7-Zip\Lang\ar.txt
- C:\Program Files\7-Zip\Lang\et.txt
Program crash (1 IoC)
pid / pid_target / Process / procid_target:
- 1172 / 4540 / WerFault.exe / 92
Modifies registry class (6 IoCs)
description / ioc / Process:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" by smnss.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 by 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
The default value of an InprocServer32 key is the DLL that COM loads into any client that instantiates the CLSID (here the 32-bit view, under WOW6432Node), so these rows register the dropped shervans.dll as that CLSID's in-process server.
Suspicious use of AdjustPrivilegeToken (1 IoC)
description / pid / Process:
- Token: SeDebugPrivilege / 4540 / smnss.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / Process / procid_target:
- PID 1756 wrote to memory of 4548 / 1756 / 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe / 91 (recorded 3 times)
- PID 4548 wrote to memory of 4540 / 4548 / ctfmen.exe / 92 (recorded 3 times)
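The registry and file rows in this Signatures section (the Run key, the InprocServer32 value under Modifies registry class, and the SysWOW64 drops) are the artefacts worth checking for on a suspect host. The sandbox prints them as native NT paths with doubled backslashes, which is not what a hunt tool wants. The script below is an added example for this report, not code from the sandbox vendor: it parses rows copied verbatim from this page into structured records, converts \REGISTRY\MACHINE to PowerShell's HKLM: drive, names the unnamed InprocServer32 value "(default)" as PowerShell does, and emits one deduplicated check per artefact. The only assumption beyond the report is the WOW64 rule it encodes: a 32-bit writer's C:\Windows\system32 path lands in C:\Windows\SysWOW64, so both are listed.

```python
"""Turn the flattened IoC rows of this sandbox report into a deduplicated
host-hunt list (PowerShell one-liners). Added example, not part of the original
report; REPORT_ROWS is copied from the report's Signatures section."""
import re
from dataclasses import dataclass
from typing import List, Union

REPORT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe
File created C:\Windows\SysWOW64\shervans.dll 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
File created C:\Windows\SysWOW64\smnss.exe smnss.exe
File created C:\Windows\SysWOW64\ctfmen.exe 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
File opened for modification C:\Windows\SysWOW64\ctfmen.exe 46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe
'''

# The sandbox logs native NT paths; PowerShell's registry provider wants drive prefixes.
HIVE_PREFIXES = {"\\REGISTRY\\MACHINE": "HKLM:", "\\REGISTRY\\USER": "HKU:"}

REG_SET_ROW = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\S+) = "(?P<data>.*)" (?P<proc>\S+)$')
FILE_ROW = re.compile(r"^File (?P<op>created|opened for modification) (?P<path>.+?) (?P<proc>\S+)$")


@dataclass(frozen=True)
class RegIoc:
    key: str      # PowerShell-style key path, e.g. HKLM:\SOFTWARE\...\Run
    name: str     # value name; "(default)" for the key's unnamed value
    data: str     # value data with the log's doubled backslashes collapsed
    process: str  # process that wrote it


@dataclass(frozen=True)
class FileIoc:
    op: str
    path: str
    process: str


Ioc = Union[RegIoc, FileIoc]


def nt_key_to_ps(nt_key: str) -> str:
    r"""\REGISTRY\MACHINE\SOFTWARE\X -> HKLM:\SOFTWARE\X (prefix matched case-insensitively)."""
    for prefix, drive in HIVE_PREFIXES.items():
        if nt_key.upper().startswith(prefix):
            return drive + nt_key[len(prefix):]
    raise ValueError(f"unknown hive in {nt_key!r}")


def parse_rows(text: str) -> List[Ioc]:
    iocs: List[Ioc] = []
    for line in text.splitlines():
        line = line.strip()
        m = REG_SET_ROW.match(line)
        if m:
            key_path, _, name = m["key"].rpartition("\\")   # trailing "\" means the default value
            iocs.append(RegIoc(key=nt_key_to_ps(key_path), name=name or "(default)",
                               data=m["data"].replace("\\\\", "\\"), process=m["proc"]))
            continue
        m = FILE_ROW.match(line)
        if m:
            iocs.append(FileIoc(op=m["op"], path=m["path"], process=m["proc"]))
    return iocs


def wow64_sibling(path: str) -> str:
    r"""Assumed WOW64 rule: a 32-bit writer's C:\Windows\system32\X actually lands in
    C:\Windows\SysWOW64\X, so return that sibling; other paths are returned unchanged."""
    s32 = "c:\\windows\\system32\\"
    if path.lower().startswith(s32):
        return "C:\\Windows\\SysWOW64\\" + path[len(s32):]
    return path


def hunt_commands(iocs: List[Ioc]) -> List[str]:
    """One PowerShell check per distinct registry value or file path, in report order."""
    seen = set()
    out: List[str] = []

    def add(cmd: str) -> None:
        if cmd.lower() not in seen:          # paths compare case-insensitively on Windows
            seen.add(cmd.lower())
            out.append(cmd)

    for ioc in iocs:
        if isinstance(ioc, RegIoc):
            add(f"Get-ItemProperty -LiteralPath '{ioc.key}' -Name '{ioc.name}' -ErrorAction SilentlyContinue")
            add(f"Test-Path -LiteralPath '{ioc.data}'")                 # the value data is itself a path
            add(f"Test-Path -LiteralPath '{wow64_sibling(ioc.data)}'")  # and where a 32-bit writer put it
        else:
            add(f"Test-Path -LiteralPath '{ioc.path}'")
    return out


if __name__ == "__main__":
    print("\n".join(hunt_commands(parse_rows(REPORT_ROWS))))
```

Run the emitted lines from an elevated PowerShell on the suspect host. Treat a hit as a lead rather than proof: ctfmen.exe and smnss.exe are just file names, and the SHA256 values listed under Downloads are what confirm that a file found on disk is the same artefact the sandbox saw.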
Processes
- C:\Users\Admin\AppData\Local\Temp\46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe (command line: "C:\Users\Admin\AppData\Local\Temp\46585f22ced200bfef63ef83d04acaea70b9b26496b0c9bab811f1add91c850c.exe"), PID 1756
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (command line: ctfmen.exe), PID 4548
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (command line: C:\Windows\system32\smnss.exe), PID 4540
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1344), PID 1172
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4540 -ip 4540), PID 4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8), PID 1736
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 206021cfbf44a42300f364c19747f214
  SHA1: 9ecd2a91a837416a02a0199b6b20f5fe075d405a
  SHA256: 5e3e8a42f7ebf8470c2c4e5ae3f27e16cd399479b0867ec2153e7598b5c2db12
  SHA512: 50bf9a43735ab3346c3375fd640734b25f08b5f2ada3ad5e3a07a636ffffaace58605c4ec5f6a6bdc6608525c5145c68e48034b778600b521ad82b9c6c56c80a
- Filesize: 75KB
  MD5: 7831ae52f492c758e46c9e443cabcecc
  SHA1: 21124976cfa9904020a6b12ad23c48c1154a567a
  SHA256: 2ffbf24566223ff6edff7d8971f098ba4e4294d0ffb95236995228053289c2dd
  SHA512: 29e1bfba305eac38a4af14ef4dd524dd18dc762fccf9bc711565fd63a1b8e3e34c74eb25e70f9d3b86c676fa5228fdfd4c3a6031a525094eaa9643d48c114e66
- Filesize: 183B
  MD5: bf09df0fa22ff82c1adb7e19cda975a5
  SHA1: a2de19ea074b26035eeacd5c21382f17c579f96c
  SHA256: f50430bb484df9bf44d987caddf363a48a13e18447d83913099fedc3baac1f14
  SHA512: 42f334b6eeafc316637ce3dcbc515569cc4a1684507d75b5921ac9dff6fce6b06455f25756efac49910bb61404adc1e6b637c8cc949e0e92f9bae5418888f593
- Filesize: 8KB
  MD5: cfcfffe584bb90edce4d854ae602af42
  SHA1: dd24d7cb4214406e764414d07031ce37dc4f3a7e
  SHA256: 672cc38374b03b11665de7289f95a630c26013c96ad31f6f0ec3a601cee554c8
  SHA512: bdfdb962b93724197988137e98bf8811e3cddea87875027199d3b960a863f37159716a65611060d43e85e0b5b1401ee8eb5f9f46d93ea542eb1d2ce705f0e384