6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191

General

Target

6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
Size

41KB
MD5

70408b748e9cbdf3534d0fced1343b22
SHA1

d01f1e9556b20c1538f55a9f8896dac0b609f3ec
SHA256

6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191
SHA512

e09e7071f83c56f41f815faa58d6aa1bb89e6f8b67137efaa31640e7c6dac637fa244a1c2174f7fa3a18ec14da7ff62e77ade17a91d2aa943c55d472eeba3fcb
SSDEEP

768:xeMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09sy:xq5VwWDjDkdTRqHFOn8tIbbeYiuZIFSl

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 11 IoCs

resource	yara_rule
behavioral2/memory/2112-0-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/files/0x000800000002325d-10.dat	UPX
behavioral2/memory/2112-12-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/files/0x000800000002325e-16.dat	UPX
behavioral2/files/0x000900000002325a-20.dat	UPX
behavioral2/memory/2112-21-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/4000-24-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/2112-23-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/memory/1136-30-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1136-36-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/memory/1136-37-0x0000000000400000-0x000000000041F000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002325d-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4000	ctfmen.exe
1136	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
1136	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shervans.dll	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
File created	C:\Windows\SysWOW64\satornas.dll	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
File created	C:\Windows\SysWOW64\smnss.exe	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
File created	C:\Windows\SysWOW64\grcopy.dll	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3392	1136	WerFault.exe	92

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 4000	2112	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe	91
PID 2112 wrote to memory of 4000	2112	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe	91
PID 2112 wrote to memory of 4000	2112	6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe	91
PID 4000 wrote to memory of 1136	4000	ctfmen.exe	92
PID 4000 wrote to memory of 1136	4000	ctfmen.exe	92
PID 4000 wrote to memory of 1136	4000	ctfmen.exe	92

C:\Users\Admin\AppData\Local\Temp\6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe
"C:\Users\Admin\AppData\Local\Temp\6220a445563bfb9f4bd3e7c199d685a201c82df0d00a194a518aa52ab9370191.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1348
      4⤵
      Program crash
      PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1136 -ip 1136
1⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
5dd75fd5ac95da14cdbd30bcf01b547b

SHA1
93a9c87e6bb555f301060bf9e75a5f8cab88b805

SHA256
c081e15c7edb80f5b94d3899af06346ee157ca5a2bf062f73efef2f9f4028339

SHA512
08e6fe6161fd035efe4f3cf3f41d01953a9467c37f74753771b03e5edf9bf2ef93d497ae550e03068d4b49d1ca04f989ed8434ef54ded27b7ded4dc2432c5a15

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
41KB

MD5
24c5abf4896bf5740e8bd38795c497c5

SHA1
1acb49e523dbf6b15ddcdbbb2e7b0abca9b87b49

SHA256
d4b80631585c2af49305f4689f15db433034cdd3c410de87406c00d513d3c552

SHA512
4b39ce8b9a97a89f66f71416a323a1dad73c817026b7bfef6e6374bc334c41e62e79d6fa67de494f4b7ea87862129b782e53822b532bbd37f8942769375f7f4d

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
dbdcd1022cf0e61066f2d348e533ed46

SHA1
0e3cb6f7262cd952c4de22c200ac2f0bf1951eae

SHA256
0c9b30500cc661a9b36de75615053dd5da380f93ca3eb1e172919dcf4d68f0b3

SHA512
3c66711e0e0730ae28dd4674c0f31b9928e0226fb51a2ddc3fddab1ed63b61123e20c930320c7f16d55fbc863347237127b3f161f15a57b8dca802833564d7b5

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
0f351e33d4f35e3210646e5785366180

SHA1
762dfcc38e20911cb092d9ca5c844151866d60ee

SHA256
c3d81882a3cbe1664e6d34bbc6bde9c488f5be187f5f9f57d6ead1ea4f850087

SHA512
a7f2654a4f3bf9a209f3a9d0d9e9f56d3af76f3ca23870e2d23007e49ca6737c4a624d6e4a99260b55cdb3778bc30d12561660e1dda15a8a60e77cdd9a7d9e38

Download Submit
memory/1136-30-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1136-36-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1136-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2112-21-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-23-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4000-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads