Analysis
max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags
arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted
22-04-2024 02:20
Static task
static1
Behavioral task
behavioral1
Sample
b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Resource
win10v2004-20240412-en
General
Target
b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Size
118KB
MD5
0b49a269b9f3f3a7b542bc147c1e03ee
SHA1
07f8977cb56940d209a01b0dd53ffa5acb67f5d3
SHA256
b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea
SHA512
f7dc59cd7716f9c2459b6b4697488dc51e485d46fd8a6a24aff4e2a1dece7b7167240bfcfd802a37da937068eaa41ef3b89c5def44e1d807ce6d89fdc9d8a1e2
SSDEEP
3072:bOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPX:bIs9OKofHfHTXQLzgvnzHPowYbvrjD/M
Malware Config
Signatures
UPX dump on OEP (original entry point) 12 IoCs
The sandbox dumps the process image once the UPX stub has unpacked and jumped to the original entry point, so the memory regions below hold the unpacked code while the .dat entries are dropped files that still carry the packed layout.
resource | yara_rule
behavioral1/memory/1888-0-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral1/files/0x000b000000015cbd-10.dat | UPX
behavioral1/memory/1888-16-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral1/files/0x0009000000012248-17.dat | UPX
behavioral1/memory/1888-18-0x00000000002B0000-0x00000000002B9000-memory.dmp | UPX
behavioral1/memory/1888-25-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral1/memory/1888-26-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral1/memory/2504-30-0x0000000000400000-0x0000000000409000-memory.dmp | UPX
behavioral1/memory/2680-33-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral1/files/0x0030000000015d24-34.dat | UPX
behavioral1/memory/2680-39-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral1/memory/2680-45-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
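Before relying on the OEP dump, a triage script usually confirms the packer statically on the dropped files. The block below is an added example, not code from the sandbox or from any vendor: it walks the PE section table with the standard library and flags the layout UPX produces (a UPX0 section with no bytes on disk but a large virtual size, which the stub unpacks into and which the OEP dump recovers, next to a high-entropy UPX1 payload). The PE image it parses is constructed inside the block for the demo; the section names, sizes, characteristics and the 7.0 bits/byte entropy threshold are assumptions, not values taken from the report's files.

```python
"""Static UPX-layout check on a PE section table (added example; the demo PE is constructed)."""
import math
import struct

SECTION_HEADER_SIZE = 40
HIGH_ENTROPY = 7.0          # assumed threshold; compressed/encrypted data sits near 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns one dict per section with its name, sizes and raw-data entropy."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + i * SECTION_HEADER_SIZE)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def upx_indicators(image: bytes) -> dict:
    """UPX's tell-tale layout: UPX0 has no bytes on disk but a large virtual size
    (the stub unpacks into it; that is what an OEP dump captures) and UPX1 holds
    the high-entropy compressed payload."""
    secs = parse_sections(image)
    names = {s["name"] for s in secs}
    hollow = [s["name"] for s in secs if s["raw_size"] == 0 and s["virtual_size"] > 0]
    dense = [s["name"] for s in secs if s["raw_size"] and s["entropy"] > HIGH_ENTROPY]
    has_upx_names = bool({"UPX0", "UPX1"} & names)
    return {"upx_names": has_upx_names, "hollow_sections": hollow,
            "high_entropy_sections": dense,
            "likely_upx": has_upx_names and bool(hollow) and bool(dense)}


def _section_header(name, vsize, va, raw_size, raw_ptr, flags):
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)


def build_demo_upx_image() -> bytes:
    """Constructed header-only PE (not a real sample) with a UPX0/UPX1/.rsrc layout."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x010F)  # i386, 3 sections, 0xE0-byte optional header
    optional = bytes(0xE0)                                   # zeroed; only its size matters for this walk
    payload = bytes(range(256)) * 4                          # 1 KiB with entropy exactly 8.0, stands in for compressed code
    resources = b"sample resource\0" * 4                     # 64 low-entropy bytes
    headers = (_section_header(b"UPX0", 0x1A000, 0x1000, 0, 0, 0xE0000080)
               + _section_header(b"UPX1", 0x5000, 0x1B000, len(payload), 0x200, 0xE0000040)
               + _section_header(b".rsrc", 0x1000, 0x20000, len(resources), 0x600, 0xC0000040))
    image = bytearray(dos + b"PE\0\0" + coff + optional + headers)
    image += bytes(0x200 - len(image))                       # pad to UPX1's raw offset
    image += payload
    image += bytes(0x600 - len(image))                       # pad to .rsrc's raw offset
    image += resources
    return bytes(image)


if __name__ == "__main__":
    img = build_demo_upx_image()
    for s in parse_sections(img):
        print(f"{s['name']:<8} vsize=0x{s['virtual_size']:X} raw={s['raw_size']} entropy={s['entropy']:.2f}")
    print(upx_indicators(img))
```

Run against a real dropped file, the same walk is the first thing to do before trusting a YARA match: a UPX name hit with neither a hollow section nor a dense payload usually means a renamed or already-unpacked file, and the OEP dump should be preferred for anything further.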
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x000b000000015cbd-10.dat | acprotect
(The same dropped file also matches the UPX rule above.)
Executes dropped EXE 2 IoCs
pid | Process
2504 | ctfmen.exe
2680 | smnss.exe
Loads dropped DLL 9 IoCs
pid | Process
1888 | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
1888 | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
1888 | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
2504 | ctfmen.exe
2504 | ctfmen.exe
2680 | smnss.exe
2516 | WerFault.exe
2516 | WerFault.exe
2516 | WerFault.exe
(WerFault.exe, pid 2516, is the crash handler spawned for smnss.exe; see "Program crash" below.)
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
WOW64 redirection is visible throughout this report: the 32-bit processes reference "system32" and HKLM, but the files land in C:\Windows\SysWOW64 and the keys under Wow6432Node.
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments. Both the dropper and smnss.exe open Services\Disk\Enum and read entries 0 and 1, the device instance strings where a virtual disk vendor name would appear.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\shervans.dll | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
File created | C:\Windows\SysWOW64\shervans.dll | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
File created | C:\Windows\SysWOW64\satornas.dll | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
File created | C:\Windows\SysWOW64\grcopy.dll | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
File created | C:\Windows\SysWOW64\smnss.exe | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Drops file in Program Files directory 64 IoCs
description: File opened for modification (all 64 entries)
Process: smnss.exe (all 64 entries)
ioc:
C:\Program Files\7-Zip\Lang\co.txt
C:\Program Files\7-Zip\Lang\lt.txt
C:\Program Files\7-Zip\Lang\pt-br.txt
C:\Program Files\7-Zip\Lang\th.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml
C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml
C:\Program Files\7-Zip\Lang\ar.txt
C:\Program Files\7-Zip\Lang\eu.txt
C:\Program Files\7-Zip\Lang\ku.txt
C:\Program Files\7-Zip\Lang\pt.txt
C:\Program Files\7-Zip\Lang\sk.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml
C:\Program Files\7-Zip\Lang\sq.txt
C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml
C:\Program Files\7-Zip\Lang\gu.txt
C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml
C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt
C:\Program Files\7-Zip\Lang\et.txt
C:\Program Files\7-Zip\Lang\fa.txt
C:\Program Files\7-Zip\Lang\mk.txt
C:\Program Files\7-Zip\Lang\ps.txt
C:\Program Files\7-Zip\Lang\ro.txt
C:\Program Files\7-Zip\Lang\sr-spl.txt
C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml
C:\Program Files\7-Zip\Lang\bg.txt
C:\Program Files\7-Zip\Lang\br.txt
C:\Program Files\7-Zip\Lang\cs.txt
C:\Program Files\7-Zip\Lang\pa-in.txt
C:\Program Files\7-Zip\Lang\ta.txt
C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml
C:\Program Files\Internet Explorer\Timeline.cpu.xml
C:\Program Files\7-Zip\Lang\ku-ckb.txt
C:\Program Files\7-Zip\Lang\tt.txt
C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml
C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
C:\Program Files\7-Zip\Lang\be.txt
C:\Program Files\7-Zip\Lang\fi.txt
C:\Program Files\7-Zip\Lang\nb.txt
C:\Program Files\7-Zip\Lang\vi.txt
C:\Program Files\7-Zip\Lang\zh-tw.txt
C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml
C:\Program Files\7-Zip\Lang\ca.txt
C:\Program Files\7-Zip\Lang\da.txt
C:\Program Files\Java\jdk1.7.0_80\jre\README.txt
C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml
C:\Program Files\7-Zip\Lang\ext.txt
C:\Program Files\7-Zip\Lang\it.txt
C:\Program Files\7-Zip\Lang\nl.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml
C:\Program Files\DVD Maker\Shared\Filters.xml
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2516 | 2680 | WerFault.exe | 29
(pid_target 2680 is smnss.exe; procid_target 29 is the report's internal index for that process, the same index used for it in the WriteProcessMemory table below.)
Modifies registry class 6 IoCs
The default value of InprocServer32 under CLSID {E6FB5E20-DE35-11CF-9C87-00AA005127ED} is pointed at the dropped shervans.dll, so any process that instantiates that COM class loads the DLL (COM hijacking, ATT&CK T1546.015). This is worth checking whenever an unrelated process such as WerFault.exe appears under "Loads dropped DLL".
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2680 | smnss.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1888 wrote to memory of 2504 | 1888 | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe | 28
PID 1888 wrote to memory of 2504 | 1888 | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe | 28
PID 1888 wrote to memory of 2504 | 1888 | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe | 28
PID 1888 wrote to memory of 2504 | 1888 | b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe | 28
PID 2504 wrote to memory of 2680 | 2504 | ctfmen.exe | 29
PID 2504 wrote to memory of 2680 | 2504 | ctfmen.exe | 29
PID 2504 wrote to memory of 2680 | 2504 | ctfmen.exe | 29
PID 2504 wrote to memory of 2680 | 2504 | ctfmen.exe | 29
PID 2680 wrote to memory of 2516 | 2680 | smnss.exe | 30
PID 2680 wrote to memory of 2516 | 2680 | smnss.exe | 30
PID 2680 wrote to memory of 2516 | 2680 | smnss.exe | 30
PID 2680 wrote to memory of 2516 | 2680 | smnss.exe | 30
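The registry and process signatures above (the Run key write, the Disk\Enum reads, the CLSID InprocServer32 rewrite, and the chain in which the sample drops ctfmen.exe and smnss.exe into SysWOW64 and then runs them) are what an endpoint rule set would key on. The block below is an added example and not the sandbox's own detection logic: it runs four simple rules in one pass over Sysmon-style events that are constructed here to mirror this report's IoCs, plus one benign event that must not fire. The event field names, the two allowlists and the rule names are assumptions for the demo.

```python
"""Detection rules over constructed Sysmon-style events (added example, not the sandbox's logic)."""
import ntpath

RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
CLSID_INPROC = ("\\clsid\\", "\\inprocserver32")
DISK_ENUM = "\\services\\disk\\enum"

# Assumed allowlists for the demo; tune per environment.
DISK_ENUM_READERS = {"svchost.exe", "vds.exe", "wmiprvse.exe"}
COM_REGISTRARS = {"msiexec.exe"}      # regsvr32.exe deliberately not listed: it is a common LOLBin

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe"

# Constructed events mirroring the report's process tree and IoCs (field names are assumptions).
EVENTS = [
    {"event": "ProcessCreate", "pid": 1888, "ppid": 1200, "image": SAMPLE},
    {"event": "FileCreate", "pid": 1888, "image": SAMPLE, "target": r"C:\Windows\SysWOW64\ctfmen.exe"},
    {"event": "FileCreate", "pid": 1888, "image": SAMPLE, "target": r"C:\Windows\SysWOW64\smnss.exe"},
    {"event": "FileCreate", "pid": 1888, "image": SAMPLE, "target": r"C:\Windows\SysWOW64\shervans.dll"},
    {"event": "RegistrySet", "pid": 1888, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen",
     "details": r"C:\Windows\system32\ctfmen.exe"},
    {"event": "RegistrySet", "pid": 1888, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\(Default)",
     "details": r"C:\Windows\SysWow64\shervans.dll"},
    {"event": "RegistryQuery", "pid": 1888, "image": SAMPLE,
     "target": r"HKLM\SYSTEM\ControlSet001\services\Disk\Enum\0"},
    {"event": "ProcessCreate", "pid": 2504, "ppid": 1888, "image": r"C:\Windows\SysWOW64\ctfmen.exe"},
    {"event": "ProcessCreate", "pid": 2680, "ppid": 2504, "image": r"C:\Windows\SysWOW64\smnss.exe"},
    {"event": "ProcessCreate", "pid": 2516, "ppid": 2680, "image": r"C:\Windows\SysWOW64\WerFault.exe"},
    # benign noise that must not fire: a system service enumerating disks
    {"event": "RegistryQuery", "pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\services\Disk\Enum\0"},
]


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _base(path: str) -> str:
    return ntpath.basename(_norm(path))


def detect(events: list) -> list:
    """Single pass in time order. Files each pid creates are remembered so that a later
    ProcessCreate whose image matches a dropped path is tied back to the dropper."""
    dropped = {}                       # normalised path -> pid that wrote it
    findings = []

    def hit(rule, ev, detail):
        findings.append({"rule": rule, "pid": ev["pid"], "image": _base(ev["image"]), "detail": detail})

    for ev in events:
        kind = ev["event"]
        target = _norm(ev.get("target", ""))
        image_name = _base(ev["image"])
        if kind == "FileCreate":
            dropped[target] = ev["pid"]
        elif kind == "ProcessCreate":
            dropper = dropped.get(_norm(ev["image"]))
            if dropper is not None:
                hit("executes_dropped_file", ev, f"image written earlier by pid {dropper}")
        elif kind == "RegistrySet":
            if RUN_KEY in target:
                value_name = target.rsplit("\\", 1)[-1]
                hit("run_key_persistence", ev, f"{value_name} -> {ev['details']}")
            elif all(part in target for part in CLSID_INPROC) and image_name not in COM_REGISTRARS:
                hit("com_inprocserver32_hijack", ev, f"{target} -> {ev['details']}")
        elif kind == "RegistryQuery":
            if DISK_ENUM in target and image_name not in DISK_ENUM_READERS:
                hit("disk_enum_sandbox_probe", ev, target)
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:<28} pid={f['pid']:<5} {f['image']}: {f['detail']}")
```

The dropped-file correlation is the rule that carries the most weight here: a Run key or an InprocServer32 write on its own is noisy in real telemetry, but a process whose image was written minutes earlier by a binary in a user's Temp directory, and which then writes the same keys, is the pattern this report shows end to end.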
Processes
C:\Users\Admin\AppData\Local\Temp\b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b7eef5d97d6b20e5619107b5bd25a745d49633aede7bd3afc58a2181e7637bea.exe"
  depth: 1
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1888
  C:\Windows\SysWOW64\ctfmen.exe
    command line: ctfmen.exe
    depth: 2
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2504
    C:\Windows\SysWOW64\smnss.exe
      command line: C:\Windows\system32\smnss.exe
      depth: 3
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2680
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 840
        depth: 4
        - Loads dropped DLL
        - Program crash
        PID: 2516
        (-p 2680 names the crashed process, smnss.exe.)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
118KB
MD5
f3a8194c3c6d61889b031e85647365e6
SHA1
497353de88ee6249656ecd95966e86f9cc07ac4a
SHA256
2ede7d43cf41df6a2c3e7a1b3f206f423d19db0cfb65421d313dda2b5ea0c3d3
SHA512
b40340c11912e72e3c78e14ae075d59af8181e4639ba6792928b6aa67ac1b21098a53e0e0df4a270d7c28ccf55363ed7f9bf3623fb41e6cd6cf3a5e99b15dbd3

Filesize
183B
MD5
8aaaf6c2045ff4d1669a6333551db1b3
SHA1
828a5f61f7eb1b4c27cdf366f3f8f59953a01edd
SHA256
65301455c2c5a3683f192666d8f04953e4ad85233d3bded0f170893ddb9f48d0
SHA512
047229196eacdee622be7e7048dcf736474ae24d5003f9aa9d90ff95888ed6f41d19239960099736593206e027647f4aee5b6ee513491445ac9de4eb6cf211a4

Filesize
4KB
MD5
cd331045854e21d343cfec5e1c5c200b
SHA1
f8f43a38e54ea0110636d58a25a843d5217a5335
SHA256
54ba9df5ec5b246b585ce95359b822f6ca6bb9286ceb1990e2a576fbb07d1dd1
SHA512
4f0aa4ad30eb4e7305ab825cbfd5bd3c181025757b4ec1c8411c486c212a588acebd066a2d46d0301eef170c39da62d3cdf2be196383f4d9343089882aec9127

Filesize
8KB
MD5
1c950a9ac2ab442ebdab934c6da49843
SHA1
18d621505fc6e73b26ac71dab1c6b022c38c5909
SHA256
7cb95eeacb6493319be13e7f2380be4cbffd25a25618e8e74d0b8c4324189ea7
SHA512
b367f2afd3d6cfa1d7908bfd41d2f1f845872f249ef0c583c915a65106ffbc5f1b70b32d1b925b8c0af4695020a5fcd69f1a318d05c345607c4d9726dd7c3c28