Analysis
  max time kernel: 138s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20240412-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 21/04/2024, 03:10
Static task
  static1
Behavioral task
  behavioral1
    Sample: d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
    Resource: win7-20240221-en
Behavioral task
  behavioral2
    Sample: d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
    Resource: win10v2004-20240412-en
General
  Target: d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  Size: 41KB
  MD5: 3ec9ad75005d7d0ba35f15c1cba18b94
  SHA1: 5b116311fd73c4a84137fb3d40d78fb27add7f09
  SHA256: d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847
  SHA512: 02eb6f5b64657bed07f4b9c7c3aa6bc6f7aa17358552b517f0d6348b6f41e089a4a252145b7f22be1722e88dc9f88d2d015135f2b40a47fbdd1e9de1e5f13726
  SSDEEP: 768:8eMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09syp:8q5VwWDjDkdTRqHFOn8tIbbeYiuZIFSL
Malware Config
Signatures
UPX dump on OEP (original entry point) (11 IoCs)
  resource | yara_rule
  behavioral2/memory/2100-0-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
  behavioral2/files/0x000500000002326e-10.dat | UPX
  behavioral2/memory/2100-18-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
  behavioral2/files/0x00080000000233f2-15.dat | UPX
  behavioral2/memory/5044-23-0x0000000000400000-0x0000000000409000-memory.dmp | UPX
  behavioral2/files/0x000300000001e970-22.dat | UPX
  behavioral2/memory/2100-21-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
  behavioral2/memory/2100-24-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
  behavioral2/memory/4992-29-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
  behavioral2/memory/4992-36-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
  behavioral2/memory/4992-37-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral2/files/0x000500000002326e-10.dat | acprotect
Executes dropped EXE (2 IoCs)
  pid | Process
  5044 | ctfmen.exe
  4992 | smnss.exe
Loads dropped DLL (2 IoCs)
  pid | Process
  2100 | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  4992 | smnss.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
Drops file in System32 directory (12 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\grcopy.dll | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  File opened for modification | C:\Windows\SysWOW64\grcopy.dll | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  File opened for modification | C:\Windows\SysWOW64\shervans.dll | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
  File created | C:\Windows\SysWOW64\ctfmen.exe | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  File created | C:\Windows\SysWOW64\satornas.dll | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  File opened for modification | C:\Windows\SysWOW64\satornas.dll | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
  File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
  File created | C:\Windows\SysWOW64\shervans.dll | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  File created | C:\Windows\SysWOW64\smnss.exe | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml | smnss.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\readme.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml | smnss.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt | smnss.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt | smnss.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jvisualvm.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml | smnss.exe
  File opened for modification | C:\Program Files\dotnet\LICENSE.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml | smnss.exe
Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1776 | 4992 | WerFault.exe | 93
Modifies registry class (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4992 | smnss.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2100 wrote to memory of 5044 | 2100 | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe | 92
  PID 2100 wrote to memory of 5044 | 2100 | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe | 92
  PID 2100 wrote to memory of 5044 | 2100 | d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe | 92
  PID 5044 wrote to memory of 4992 | 5044 | ctfmen.exe | 93
  PID 5044 wrote to memory of 4992 | 5044 | ctfmen.exe | 93
  PID 5044 wrote to memory of 4992 | 5044 | ctfmen.exe | 93
Processes
  C:\Users\Admin\AppData\Local\Temp\d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d08c7d868b6f93df6263542b58afb2af56c51d223e7b293512585bdfc4717847.exe"
    PID: 2100
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\ctfmen.exe
      Command line: ctfmen.exe
      PID: 5044
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\smnss.exe
        Command line: C:\Windows\system32\smnss.exe
        PID: 4992
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Maps connected drives based on registry
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1708
          PID: 1776
          - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4992 -ip 4992
    PID: 1048
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 4KB
  MD5: 88e94bb0cda50d44e69a7447ca5ac002
  SHA1: 6d9cd03bb95373231f771160fba63a8f81754e8c
  SHA256: 5979d949a3275a407342809a5e6282f6821b5437243d014a8fdbdf2d7dd4aec2
  SHA512: c03e46c6ba9d7c76185c3f294c51ec5fa9f5f42cafdb817665fbda112e22c23c7824ff154b673e4b2370f42d7ff2fed095c7e05bd34935d9d9f6717339c09f3e

  Filesize: 41KB
  MD5: 88601b3bd5406db86e3a988dde87a4fb
  SHA1: bbe476c964eb2fb7132b5bf2c28b0b1379036db1
  SHA256: 2545746abab641170cf5884104f6c00479c526e1d704bc2cf6470c8858bda61f
  SHA512: e0d4fad89556c2f906864e415daea0776d43b65a495ee3aaf10ddb039e775f889e02e73741b302fa27a7e028c4de5eacb42374b8f3396960b59bcff54685ce9c

  Filesize: 183B
  MD5: 64ca622e62afa648e0a8f90a21676508
  SHA1: 7f1ca83a5532dc3f85744b0c686465974cdaed7b
  SHA256: 3d26bac112eed45a32d70d805c807090840fe93723220e271bf8eb025015c9ad
  SHA512: f0e77aeb6f39a5d12874ebaea057c95832211cc5a172eaed1f475f43a219901c9b1540ad32d230a3c1ea1863b4ea2cfbe8020c50accce903c676202c957fa51a

  Filesize: 8KB
  MD5: 1e98feeb1591367e427e9700aa6f85cc
  SHA1: bc6776504fb3ac7c1887395cb3765bcb338d3681
  SHA256: fd9bc96d655143d61ca4fbb2f660a965864f2441e14b6020818b8db75a14c4df
  SHA512: 004e3c9d13083a1d250ed880ea33d547c0b16c0cfa84946d0430eff4d8ac96eeed3184f670cdc8a4710496e6104d9bbae3c627dbdb3ed55ab40268459ffaaf1e