Analysis

max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 22/04/2024, 00:22
Static task: static1

Behavioral task: behavioral1
  Sample: 8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  Resource: win10v2004-20240412-en

Only the behavioral1 (Windows 7 x64) results are reported on this page; every rule hit below is prefixed behavioral1.
General

Target: 8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
Size: 240KB
MD5: 17bf82719f7896487428709fddd7e1a5
SHA1: 4fea65862f54fc9360579b89a497537dfd8daf52
SHA256: 8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200
SHA512: f3aaad5490a52d22bcb4ba3fad6b916ad28bcd210c827aa58505de6eedc12fdf0123545652e4fa4627025522cf291bb6dd9a430a6cf476c6a704cfbfcfe304da
SSDEEP: 1536:Rq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9bB:Rq5ud9qHFO8Kf3rIIbB
Malware Config: (none listed)

Signatures

UPX dump on OEP (original entry point) (12 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2040-0-0x0000000000400000-0x0000000000420000-memory.dmp    UPX
  behavioral1/files/0x000c000000014890-10.dat                                   UPX
  behavioral1/memory/2040-16-0x0000000010000000-0x000000001000D000-memory.dmp   UPX
  behavioral1/files/0x000c000000012253-17.dat                                   UPX
  behavioral1/memory/2040-27-0x0000000010000000-0x000000001000D000-memory.dmp   UPX
  behavioral1/memory/2648-26-0x0000000000400000-0x0000000000409000-memory.dmp   UPX
  behavioral1/memory/3008-37-0x0000000000400000-0x0000000000420000-memory.dmp   UPX
  behavioral1/files/0x0033000000015083-34.dat                                   UPX
  behavioral1/memory/2040-24-0x0000000000400000-0x0000000000420000-memory.dmp   UPX
  behavioral1/memory/2040-19-0x0000000000340000-0x0000000000349000-memory.dmp   UPX
  behavioral1/memory/3008-40-0x0000000010000000-0x000000001000D000-memory.dmp   UPX
  behavioral1/memory/3008-44-0x0000000000400000-0x0000000000420000-memory.dmp   UPX
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource                                      yara_rule
  behavioral1/files/0x000c000000014890-10.dat   acprotect
Executes dropped EXE (2 IoCs)
  pid    Process
  2648   ctfmen.exe
  3008   smnss.exe
Loads dropped DLL (9 IoCs)
  pid    Process                                                                 loads
  2040   8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe   3
  2648   ctfmen.exe                                                              2
  3008   smnss.exe                                                               1
  2892   WerFault.exe                                                            3
Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                  Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"   8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"   smnss.exe

The value is written under Wow6432Node and the file is actually dropped in C:\Windows\SysWOW64 (see "Drops file in System32 directory"), so the sample runs as a 32-bit process under WOW64: the "system32" path in the value data is redirected to SysWOW64 for 32-bit code. When hunting on a 64-bit host, check both the native and the Wow6432Node Run keys.
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description          ioc                                                        Process
  Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1   smnss.exe
  Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1   8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     smnss.exe
  Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   smnss.exe
Drops file in System32 directory (12 IoCs)
  description                    ioc                                  Process
  File opened for modification   C:\Windows\SysWOW64\satornas.dll     8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  File created                   C:\Windows\SysWOW64\smnss.exe        8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  File opened for modification   C:\Windows\SysWOW64\ctfmen.exe       8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  File created                   C:\Windows\SysWOW64\shervans.dll     8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  File created                   C:\Windows\SysWOW64\grcopy.dll       8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  File opened for modification   C:\Windows\SysWOW64\grcopy.dll       8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  File opened for modification   C:\Windows\SysWOW64\shervans.dll     8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  File created                   C:\Windows\SysWOW64\satornas.dll     8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  File created                   C:\Windows\SysWOW64\zipfi.dll        smnss.exe
  File created                   C:\Windows\SysWOW64\ctfmen.exe       8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  File created                   C:\Windows\SysWOW64\smnss.exe        smnss.exe
  File created                   C:\Windows\SysWOW64\zipfiaq.dll      smnss.exe
Drops file in Program Files directory (64 IoCs)
All 64 rows are "File opened for modification" by smnss.exe; the targets are existing .txt, .htm, .html and .xml files under Program Files rather than new binaries.
  C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
  C:\Program Files\7-Zip\Lang\hi.txt
  C:\Program Files\7-Zip\Lang\sr-spl.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
  C:\Program Files\7-Zip\Lang\kk.txt
  C:\Program Files\7-Zip\Lang\sr-spc.txt
  C:\Program Files\7-Zip\Lang\tt.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
  C:\Program Files\7-Zip\Lang\ku-ckb.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml
  C:\Program Files\7-Zip\Lang\da.txt
  C:\Program Files\7-Zip\Lang\es.txt
  C:\Program Files\7-Zip\Lang\gl.txt
  C:\Program Files\7-Zip\Lang\ka.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm
  C:\Program Files\7-Zip\Lang\az.txt
  C:\Program Files\7-Zip\Lang\nl.txt
  C:\Program Files\7-Zip\Lang\sw.txt
  C:\Program Files\7-Zip\Lang\tr.txt
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm
  C:\Program Files\7-Zip\Lang\is.txt
  C:\Program Files\7-Zip\Lang\ja.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml
  C:\Program Files\7-Zip\Lang\ms.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml
  C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html
  C:\Program Files\7-Zip\Lang\br.txt
  C:\Program Files\7-Zip\Lang\mr.txt
  C:\Program Files\7-Zip\Lang\nb.txt
  C:\Program Files\7-Zip\Lang\pt-br.txt
  C:\Program Files\7-Zip\Lang\sq.txt
  C:\Program Files\7-Zip\Lang\uk.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml
  C:\Program Files\Java\jdk1.7.0_80\jre\README.txt
  C:\Program Files\7-Zip\History.txt
  C:\Program Files\7-Zip\Lang\gu.txt
  C:\Program Files\7-Zip\Lang\io.txt
  C:\Program Files\7-Zip\Lang\it.txt
  C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml
  C:\Program Files\Internet Explorer\Timeline.cpu.xml
  C:\Program Files\7-Zip\Lang\be.txt
  C:\Program Files\7-Zip\Lang\de.txt
  C:\Program Files\7-Zip\Lang\ko.txt
  C:\Program Files\7-Zip\Lang\mng2.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml
  C:\Program Files\7-Zip\Lang\ca.txt
  C:\Program Files\7-Zip\Lang\hy.txt
  C:\Program Files\7-Zip\Lang\yo.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml
Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  2892   3008         WerFault.exe   29

smnss.exe (PID 3008) crashed and was handled by WerFault.exe (PID 2892); whatever the sample would have done after that point in this run is not captured in the report.
Modifies registry class (6 IoCs)
  description       ioc                                                                                                                                      Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"   smnss.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32                                             8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node                                                                                                          8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID                                                                                                    8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}                                                            8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"   8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe

The empty value name after InprocServer32\ is the key's default value, which COM reads as the path of the in-process server DLL for that CLSID. Pointing it at the dropped shervans.dll means any 32-bit process that instantiates this CLSID will load the sample's DLL (COM InprocServer32 hijacking, a persistence and execution technique distinct from the Run key above). This also explains the "Loads dropped DLL" hits attributed to WerFault.exe, which is not itself part of the sample.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   3008   smnss.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                           pid    Process                                                                 procid_target   rows
  PID 2040 wrote to memory of 2648      2040   8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe   28              4
  PID 2648 wrote to memory of 3008      2648   ctfmen.exe                                                              29              4
  PID 3008 wrote to memory of 2892      3008   smnss.exe                                                               30              4

Each parent-child pair appears four times in the raw report; the three distinct pairs give the process chain 2040 -> 2648 -> 3008 -> 2892.
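The signature rows above are the raw material for repeatable triage. The following script is an added example, not part of the sandbox report or its tooling: it parses rows in the page's flattened "description ioc Process" layout and applies a handful of rules for the behaviours this report shows (Run key persistence, a CLSID InprocServer32 default value pointed at a DLL, .exe/.dll drops into System32 or SysWOW64, Disk\Enum reads, and one process touching many Program Files documents). EVENT_LINES is a constructed subset of this page's own rows; the rule names and the mass-modification threshold of 3 are assumptions chosen for the example.

```python
"""Triage rules over sandbox behaviour rows (added example, not sandbox output).

EVENT_LINES is constructed from this report's own signature rows, one event
per line in the page's "description  ioc  Process" order, so the script runs
offline. The process column is always the last token; registry values carry
their data after " = " with doubled backslashes, as the report prints them.
"""
import re
from collections import defaultdict

EVENT_LINES = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe
File created C:\Windows\SysWOW64\smnss.exe 8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
File created C:\Windows\SysWOW64\ctfmen.exe 8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
File created C:\Windows\SysWOW64\shervans.dll 8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
File created C:\Windows\SysWOW64\zipfi.dll smnss.exe
File opened for modification C:\Windows\SysWOW64\ctfmen.exe 8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 smnss.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 smnss.exe
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt smnss.exe
File opened for modification C:\Program Files\7-Zip\History.txt smnss.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm smnss.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\README.txt smnss.exe
"""

ACTIONS = ("Set value (str)", "Key created", "Key opened", "Key value queried",
           "File created", "File opened for modification")
# Lazy middle group stops at the last whitespace-delimited token (the process).
ROW_RE = re.compile(r"^(" + "|".join(re.escape(a) for a in ACTIONS) + r")\s+(.+?)\s+(\S+)$")


def parse(text):
    """Split each row into action, ioc (key or path), value data and process."""
    events = []
    for raw in text.strip().splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue                      # unknown row shape: skip, do not guess
        action, ioc, proc = m.groups()
        data = None
        if action == "Set value (str)" and " = " in ioc:
            ioc, data = ioc.split(" = ", 1)
            data = data.strip('"').replace("\\\\", "\\")   # undo report's escaping
        events.append({"action": action, "ioc": ioc, "data": data, "process": proc})
    return events


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def triage(events, mass_mod_threshold=3):
    """Return (rule, process, detail) findings. mass_mod_threshold is an assumed
    cut-off for one process modifying many Program Files documents."""
    findings = []
    modified = defaultdict(set)
    for e in events:
        key, act, data = e["ioc"].lower(), e["action"], (e["data"] or "")
        if act == "Set value (str)" and "\\currentversion\\run\\" in key:
            findings.append(("run_key_persistence", e["process"], e["data"]))
        elif act == "Set value (str)" and "\\inprocserver32" in key and data.lower().endswith(".dll"):
            findings.append(("com_inprocserver32_hijack", e["process"], e["data"]))
        elif act == "File created" and key.startswith(SYSTEM_DIRS) and key.endswith((".exe", ".dll")):
            findings.append(("binary_dropped_in_system_dir", e["process"], e["ioc"]))
        elif act == "Key value queried" and "\\services\\disk\\enum\\" in key:
            findings.append(("disk_enum_query", e["process"], e["ioc"]))
        elif act == "File opened for modification" and key.startswith("c:\\program files\\"):
            modified[e["process"]].add(e["ioc"])
    for proc, paths in modified.items():
        if len(paths) >= mass_mod_threshold:
            findings.append(("mass_program_files_modification", proc, f"{len(paths)} files"))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in triage(parse(EVENT_LINES)):
        print(f"{rule:34} {proc:20} {detail}")
```

Run against the constructed rows it reports two Run key writes, two InprocServer32 writes, four binaries dropped into SysWOW64, two Disk\Enum reads and one mass-modification finding for smnss.exe. The parser ignores rows whose shape it does not know rather than guessing, which matters when a report mixes "Key created" and "Set value" rows for the same CLSID.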
Processes

C:\Users\Admin\AppData\Local\Temp\8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe"
  PID: 2040
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\ctfmen.exe
    command line: ctfmen.exe
    PID: 2648
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\smnss.exe
      command line: C:\Windows\system32\smnss.exe
      PID: 3008
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 860
        PID: 2892
        - Loads dropped DLL
        - Program crash
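The tree above can be rebuilt from the WriteProcessMemory and Program crash tables alone, which is useful when a report is exported as flat rows. The script below is an added example, not the sandbox's own code: WPM_ROWS and CRASH_ROWS are constructed from this page's rows in their flattened column order (description, pid, Process, procid_target for the memory writes; pid, pid_target, Process, procid_target for the crash), the four repeated rows per child are collapsed into one edge with a count, and WerFault.exe is named from the crash row because it never appears as a writer.

```python
"""Rebuild the process tree from flattened WriteProcessMemory rows
(added example, not the sandbox's own code).

WPM_ROWS and CRASH_ROWS are constructed from the page's "Suspicious use of
WriteProcessMemory" and "Program crash" tables. Repeated rows for the same
parent/child pair become a count on a single edge, not extra edges.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "8eee8bfd0003e8da83e9e57e5a284851cad32b4ddfa27cc08ff504b363468200.exe"
WPM_ROWS = "\n".join(
    [f"PID 2040 wrote to memory of 2648 2040 {SAMPLE} 28"] * 4
    + ["PID 2648 wrote to memory of 3008 2648 ctfmen.exe 29"] * 4
    + ["PID 3008 wrote to memory of 2892 3008 smnss.exe 30"] * 4
)
CRASH_ROWS = "2892 3008 WerFault.exe 29"   # pid, pid_target, Process, procid_target

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
CRASH_RE = re.compile(r"^(\d+) (\d+) (\S+) (\d+)$")


def parse_edges(rows):
    """Count writer->target pairs and remember each writer's image name."""
    counts, names = Counter(), {}
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, pid, proc, _target_idx = m.groups()
        if src != pid:                 # flattened columns out of sync: skip row
            continue
        counts[(int(src), int(dst))] += 1
        names[int(src)] = proc
    return counts, names


def parse_crashes(rows):
    """Map crashed pid -> (WerFault pid, WerFault image name)."""
    crashes = {}
    for line in rows.strip().splitlines():
        m = CRASH_RE.match(line.strip())
        if m:
            handler, target, proc, _target_idx = m.groups()
            crashes[int(target)] = (int(handler), proc)
    return crashes


def build_tree(counts):
    """One parent link per child; returns (parent map, children map, roots)."""
    parent, children = {}, defaultdict(list)
    for src, dst in counts:
        parent[dst] = src
        children[src].append(dst)
    roots = sorted(p for p in children if p not in parent)
    return parent, children, roots


def ancestry(pid, parent):
    """Root-to-pid chain, e.g. [2040, 2648, 3008, 2892]."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render_tree(wpm_rows=WPM_ROWS, crash_rows=CRASH_ROWS):
    """Indented tree with per-edge row counts and crash annotations."""
    counts, names = parse_edges(wpm_rows)
    crashes = parse_crashes(crash_rows)
    for handler, proc in crashes.values():
        names.setdefault(handler, proc)   # WerFault never writes, so name it here
    parent, children, roots = build_tree(counts)
    lines = []

    def walk(pid, depth):
        notes = []
        if pid in parent:
            notes.append(f"{counts[(parent[pid], pid)]} WriteProcessMemory rows from {parent[pid]}")
        if pid in crashes:
            notes.append(f"crashed, handled by pid {crashes[pid][0]}")
        tag = f"  [{'; '.join(notes)}]" if notes else ""
        lines.append(f"{'  ' * depth}{names.get(pid, '?')} ({pid}){tag}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree())
```

The row count is kept on the edge rather than discarded: a burst of several writes into a freshly created child is what process creation looks like in this kind of trace, whereas a large or unusual count into an already running process is the pattern worth a closer look for injection.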
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 240KB
MD5: 4e78645892ee436ef7a631d62b1714ce
SHA1: 2c7c8e02bb95a2ebeaf681375b1d3a84b8828890
SHA256: 9626965c0f5bab0085662cd98fee5194003e80501be731ea09c14f19c309bdf9
SHA512: 5136635592a331d191af7b238537477e9e11b6d9f9800b02ee89af25c4fed3ec42cb53e8a44b780cbc9479b5736497ec24b3d367c5fad39a4954c78eee32737c

Filesize: 183B
MD5: eb1089a899f529fdbef048a8de207cff
SHA1: 5f0fe855f1dce45f1d84df7ee50fc61c4a699007
SHA256: eee8e0770b97ea3b724c2138aca0185f37540348e170f6e005b945fc41c3b87f
SHA512: 28684820184a05239c4b40bdabd590ff7d996fb6626617e191d2f27dc5da6b962b14772e4d1fb4672a9cb166981a32a84ce3625f30fdf17c70a56e9b2233c12b

Filesize: 4KB
MD5: 7c867fa0e6dbcf1c96951ac304364b7f
SHA1: c2b1ebcdc6396607b827bafd705f8e34acbeff50
SHA256: 0e43779129b1ded4eea0ea00478f2aec913a5c23148e34515017e15fb5dc05c3
SHA512: 7b55e1de8202bb3b8f1167bfe4bacc5fa880da84caee2b691a32dab2342b3424e60d0db78b6f8be7af0f9dfab29188feb4628a72844d5a15eadc95f3f1deba58

Filesize: 8KB
MD5: 2219cb6ed39bfa711194fbcc586b1754
SHA1: b89ecb280b843b6fcfee98e9664a2a2acd3aac42
SHA256: 2da6f4fead664c4cf28e08e3ab5b911f3e8478ac326d4858de99ef2ec3d2d1c1
SHA512: cb43af978489b5c3ab0ed60f46d61817860fa4ee9cc6c88774a32a3ff8d264ad15be46a5b1d0e754ca769c39ccc16326672fbc301516c41f562c34366e1e2d30