Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-04-2024 04:56
Static task: static1
Behavioral task: behavioral1
  Sample: f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  Resource: win10v2004-20240412-en
General
Target: f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
Size: 41KB
MD5: 35005decb9b3a244cd91f57242f327fd
SHA1: db45317bfb459044d3440d533e9c69a78a056d63
SHA256: f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e
SHA512: 4d2567fc694859e9577e7fae147f0f1056f25d6b04d4e703b13be99395ab921e1b74c8d6941412fec60805af616c4f5abf9aca976e6813bef42f9039cc45e7ee
SSDEEP: 768:VeMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09Cy:Vq5VwWDjDkdTRqHFOn8tIbbeYiuZIFSz
Malware Config
Signatures
UPX dump on OEP (original entry point): 11 IoCs
  resource  yara_rule
  behavioral2/memory/4296-0-0x0000000000400000-0x000000000041F000-memory.dmp  UPX
  behavioral2/files/0x000a0000000233c1-10.dat  UPX
  behavioral2/files/0x00070000000233ce-15.dat  UPX
  behavioral2/memory/4296-18-0x0000000010000000-0x000000001000D000-memory.dmp  UPX
  behavioral2/files/0x000800000001db0e-22.dat  UPX
  behavioral2/memory/4296-21-0x0000000000400000-0x000000000041F000-memory.dmp  UPX
  behavioral2/memory/3760-25-0x0000000000400000-0x0000000000409000-memory.dmp  UPX
  behavioral2/memory/4296-24-0x0000000010000000-0x000000001000D000-memory.dmp  UPX
  behavioral2/memory/3700-29-0x0000000000400000-0x000000000041F000-memory.dmp  UPX
  behavioral2/memory/3700-36-0x0000000010000000-0x000000001000D000-memory.dmp  UPX
  behavioral2/memory/3700-37-0x0000000000400000-0x000000000041F000-memory.dmp  UPX
ACProtect 1.3x - 1.4x DLL software: 1 IoC
  Detects file using ACProtect software.
  resource  yara_rule
  behavioral2/files/0x000a0000000233c1-10.dat  acprotect
Executes dropped EXE: 2 IoCs
  pid   Process
  3760  ctfmen.exe
  3700  smnss.exe
Loads dropped DLL: 2 IoCs
  pid   Process
  4296  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  3700  smnss.exe
Adds Run key to start application: 2 TTPs, 2 IoCs
  description      ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  smnss.exe
Maps connected drives based on registry: 3 TTPs, 6 IoCs
  Disk information is often read in order to detect sandboxing environments.
  description        ioc  Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  smnss.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  smnss.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1  smnss.exe
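The check that these rows describe, written out as an added example (this is not code from the report or from the sample): both the dropper and smnss.exe open Services\Disk\Enum and read the numbered values, which hold each disk's device-instance ID and therefore its vendor/model string. The script parses that value layout (Count, NextInstance and the numbered IDs) and flags entries naming a hypervisor disk. The three Enum contents are constructed samples and the marker list is an assumption about what such a check looks for, not something recovered from this sample.

```python
"""Sandbox check behind the 'Maps connected drives based on registry' rows.

Added example, not code from the sandbox report or from the sample.  It parses
the value layout of HKLM\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum (Count,
NextInstance and the numbered device-instance IDs the report shows being
queried as Enum\\0 and Enum\\1) and flags entries whose vendor/model string
names a hypervisor's virtual disk.  The Enum contents below are constructed
samples; the marker list is an assumption, not the sample's own.
"""
import re

VIRTUAL_DISK_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL")

# Constructed contents of the Enum key (value name -> data).
ENUM_VIRTUALBOX = {
    "Count": 1, "NextInstance": 1,
    "0": r"IDE\DiskVBOX_HARDDISK___________________1.0_____\5&1b6ce5e4&0&0.0.0",
}
ENUM_VMWARE = {
    "Count": 1, "NextInstance": 1,
    "0": r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1b4b8e5c&0&000000",
}
ENUM_PHYSICAL = {
    "Count": 2, "NextInstance": 2,
    "0": r"IDE\DiskST1000DM003-1CH162______________CC47____\5&2f5d6b10&0&0.0.0",
    "1": r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001&0",
}

# <bus>\<device: vendor, model, revision>\<instance>
_INSTANCE_ID = re.compile(r"^(?P<bus>[A-Z]+)\\(?P<dev>[^\\]+)\\(?P<inst>.+)$", re.I)


def parse_instance_id(s):
    """Split a device-instance ID into (bus, device, instance)."""
    m = _INSTANCE_ID.match(s)
    if not m:
        raise ValueError(f"not a device instance ID: {s!r}")
    return m.group("bus").upper(), m.group("dev"), m.group("inst")


def disk_entries(enum_key):
    """Yield (index, bus, device) for values 0..Count-1, tolerating gaps."""
    for i in range(int(enum_key.get("Count", 0))):
        raw = enum_key.get(str(i))
        if raw is None:          # Count and the numbered values can disagree
            continue
        bus, dev, _ = parse_instance_id(raw)
        yield i, bus, dev


def virtual_disks(enum_key):
    """Indices whose vendor/model part contains a hypervisor marker."""
    hits = []
    for i, _, dev in disk_entries(enum_key):
        text = dev.upper().replace("_", " ").replace("&", " ")
        if any(marker in text for marker in VIRTUAL_DISK_MARKERS):
            hits.append(i)
    return hits


def looks_like_sandbox(enum_key):
    """True when any enumerated disk presents as a hypervisor's virtual disk."""
    return bool(virtual_disks(enum_key))


if __name__ == "__main__":
    for name, key in (("virtualbox", ENUM_VIRTUALBOX), ("vmware", ENUM_VMWARE),
                      ("physical", ENUM_PHYSICAL)):
        print(f"{name:10} sandbox={looks_like_sandbox(key)} hits={virtual_disks(key)}")
```

The broad VIRTUAL marker also matches disks that are not hypervisor artifacts (a mounted VHD presents as a Microsoft virtual disk), so a sandbox that wants to pass this check needs to present an ordinary vendor string on the boot disk rather than merely hide the VBOX or VMware names.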
Drops file in System32 directory: 12 IoCs
  description                   ioc  Process
  File created                  C:\Windows\SysWOW64\grcopy.dll  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  File created                  C:\Windows\SysWOW64\satornas.dll  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  File created                  C:\Windows\SysWOW64\ctfmen.exe  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  File opened for modification  C:\Windows\SysWOW64\ctfmen.exe  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  File created                  C:\Windows\SysWOW64\shervans.dll  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  File opened for modification  C:\Windows\SysWOW64\satornas.dll  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  File created                  C:\Windows\SysWOW64\zipfi.dll  smnss.exe
  File created                  C:\Windows\SysWOW64\zipfiaq.dll  smnss.exe
  File created                  C:\Windows\SysWOW64\smnss.exe  smnss.exe
  File opened for modification  C:\Windows\SysWOW64\grcopy.dll  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  File opened for modification  C:\Windows\SysWOW64\shervans.dll  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  File created                  C:\Windows\SysWOW64\smnss.exe  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
Drops file in Program Files directory: 64 IoCs
  description: File opened for modification (all rows); Process: smnss.exe (all rows)
  ioc
  C:\Program Files\7-Zip\Lang\pl.txt
  C:\Program Files\7-Zip\Lang\vi.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml
  C:\Program Files\7-Zip\Lang\bn.txt
  C:\Program Files\7-Zip\Lang\gu.txt
  C:\Program Files\7-Zip\Lang\hu.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml
  C:\Program Files\7-Zip\Lang\th.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml
  C:\Program Files\7-Zip\Lang\es.txt
  C:\Program Files\7-Zip\Lang\fr.txt
  C:\Program Files\7-Zip\Lang\fy.txt
  C:\Program Files\7-Zip\Lang\hi.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
  C:\Program Files\7-Zip\Lang\da.txt
  C:\Program Files\7-Zip\Lang\mng.txt
  C:\Program Files\7-Zip\Lang\uk.txt
  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml
  C:\Program Files\7-Zip\Lang\eu.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml
  C:\Program Files\7-Zip\Lang\an.txt
  C:\Program Files\7-Zip\Lang\eo.txt
  C:\Program Files\7-Zip\Lang\et.txt
  C:\Program Files\7-Zip\Lang\nn.txt
  C:\Program Files\7-Zip\Lang\ar.txt
  C:\Program Files\7-Zip\Lang\cy.txt
  C:\Program Files\7-Zip\Lang\el.txt
  C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml
  C:\Program Files\7-Zip\Lang\af.txt
  C:\Program Files\7-Zip\Lang\fur.txt
  C:\Program Files\7-Zip\Lang\sa.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml
  C:\Program Files\7-Zip\Lang\ast.txt
  C:\Program Files\7-Zip\Lang\is.txt
  C:\Program Files\7-Zip\Lang\mk.txt
  C:\Program Files\7-Zip\Lang\ne.txt
  C:\Program Files\7-Zip\Lang\lv.txt
  C:\Program Files\7-Zip\Lang\sk.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml
  C:\Program Files\7-Zip\Lang\kab.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml
  C:\Program Files\7-Zip\Lang\ga.txt
  C:\Program Files\7-Zip\Lang\ms.txt
  C:\Program Files\7-Zip\Lang\ro.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml
  C:\Program Files\7-Zip\License.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml
Program crash: 1 IoC
  pid   pid_target  Process       procid_target
  3204  3700        WerFault.exe  90
Modifies registry class: 6 IoCs
  description      ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  smnss.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
Suspicious use of AdjustPrivilegeToken: 1 IoC
  description              pid   Process
  Token: SeDebugPrivilege  3700  smnss.exe
Suspicious use of WriteProcessMemory: 6 IoCs
  description                       pid   Process  procid_target
  PID 4296 wrote to memory of 3760  4296  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe  89
  PID 4296 wrote to memory of 3760  4296  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe  89
  PID 4296 wrote to memory of 3760  4296  f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe  89
  PID 3760 wrote to memory of 3700  3760  ctfmen.exe  90
  PID 3760 wrote to memory of 3700  3760  ctfmen.exe  90
  PID 3760 wrote to memory of 3700  3760  ctfmen.exe  90
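The signatures above fit together into one chain: the dropper writes ctfmen.exe, smnss.exe and several DLLs under SysWOW64, registers ctfmen.exe under the Run key (the value data names system32, which for a 32-bit process is redirected to SysWOW64, which is why the report shows both spellings), points the InprocServer32 of the CLSID listed under "Modifies registry class" at the dropped shervans.dll, and then starts ctfmen.exe, which starts smnss.exe, which repeats the registry writes. The script below is an added example, not code from the report or from the sample: it correlates a constructed, time-ordered event stream shaped like the report's rows and reports only actions by the sample's process tree that reference files the tree itself dropped, which is what separates this from a legitimate installer writing its own autostart. The record shape and field names, the parent pid 2420 and the unrelated pid 5000 are assumptions made for the example.

```python
"""Correlate the dropper's file, registry and process telemetry into findings.

Added example, not code from the sandbox report or from the sample.  EVENTS is
a constructed, time-ordered stream mirroring the report's own rows; the record
shape and field names, the parent pid 2420 and the unrelated pid 5000 are
assumptions made for the example.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe"
RUN_VALUE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen"
INPROC_VALUE = (r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID"
                r"\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\(Default)")

EVENTS = [
    {"type": "ProcessCreate", "pid": 4296, "ppid": 2420, "image": SAMPLE},
    {"type": "FileCreate", "pid": 4296, "target": r"C:\Windows\SysWOW64\ctfmen.exe"},
    {"type": "FileCreate", "pid": 4296, "target": r"C:\Windows\SysWOW64\shervans.dll"},
    {"type": "FileCreate", "pid": 4296, "target": r"C:\Windows\SysWOW64\smnss.exe"},
    # The value data says system32; a 32-bit writer is redirected to SysWOW64.
    {"type": "RegistryValueSet", "pid": 4296, "target": RUN_VALUE,
     "details": r"C:\Windows\system32\ctfmen.exe"},
    {"type": "RegistryValueSet", "pid": 4296, "target": INPROC_VALUE,
     "details": r"C:\Windows\SysWow64\shervans.dll"},
    {"type": "ProcessCreate", "pid": 3760, "ppid": 4296, "image": r"C:\Windows\SysWOW64\ctfmen.exe"},
    {"type": "ProcessCreate", "pid": 3700, "ppid": 3760, "image": r"C:\Windows\SysWOW64\smnss.exe"},
    {"type": "RegistryValueSet", "pid": 3700, "target": RUN_VALUE,
     "details": r"C:\Windows\system32\ctfmen.exe"},
    {"type": "RegistryValueSet", "pid": 3700, "target": INPROC_VALUE,
     "details": r"C:\Windows\SysWow64\shervans.dll"},
    # Autostart written by a process outside the sample's tree: must stay silent.
    {"type": "RegistryValueSet", "pid": 5000,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def norm(path):
    """Lower-case, strip quotes and fold WOW64 file-system redirection, so a
    value naming system32 matches the file the 32-bit dropper put in SysWOW64."""
    p = path.strip().strip('"').lower()
    return p.replace("\\windows\\syswow64\\", "\\windows\\system32\\")


def process_tree(events, root_pid):
    """Every pid descending from root_pid, via the ProcessCreate parent links."""
    children = defaultdict(set)
    for e in events:
        if e["type"] == "ProcessCreate":
            children[e["ppid"]].add(e["pid"])
    tree, stack = {root_pid}, [root_pid]
    while stack:
        for child in children[stack.pop()]:
            if child not in tree:
                tree.add(child)
                stack.append(child)
    return tree


def correlate(events, root_pid):
    """Return (rule, pid, target) findings for actions by the sample's process
    tree that reference files the tree itself created earlier in the stream."""
    tree = process_tree(events, root_pid)
    dropped = set()                      # normalised paths created by the tree
    findings = []
    for e in events:
        if e["pid"] not in tree:
            continue
        if e["type"] == "FileCreate":
            dropped.add(norm(e["target"]))
        elif e["type"] == "ProcessCreate":
            if norm(e["image"]) in dropped:
                findings.append(("executes_dropped_exe", e["pid"], e["image"]))
        elif e["type"] == "RegistryValueSet":
            key, data = e["target"].lower(), norm(e["details"])
            if data not in dropped:
                continue
            if "\\currentversion\\run\\" in key:
                findings.append(("run_key_to_dropped_file", e["pid"], e["target"]))
            if "\\clsid\\" in key and "\\inprocserver32" in key:
                findings.append(("com_inprocserver32_to_dropped_dll", e["pid"], e["target"]))
    return findings


if __name__ == "__main__":
    for rule, pid, target in correlate(EVENTS, 4296):
        print(f"{rule:36} pid={pid} {target}")
```

On this stream the correlation yields six findings, two per stage: the Run value and the InprocServer32 value written by pid 4296, the dropped ctfmen.exe and smnss.exe being executed, and the same two registry values rewritten by pid 3700. The OneDrive autostart from pid 5000 is ignored because that process is not in the tree and its target was never dropped by it. The writes to 64 files under Program Files by smnss.exe are not modelled here; on a real host those files should be hashed against a known-good install before trusting them.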
Processes
1  C:\Users\Admin\AppData\Local\Temp\f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f11546565905781b7f2d7363bbe61f45ceaef25384fc0cebb00ccc1bb267509e.exe"
   PID: 4296
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\ctfmen.exe
      command line: ctfmen.exe
      PID: 3760
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\smnss.exe
         command line: C:\Windows\system32\smnss.exe
         PID: 3700
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Maps connected drives based on registry
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         4  C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1348
            PID: 3204
            - Program crash
1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3700 -ip 3700
   PID: 1608
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: 76d3a939d05f206cd55a9d7aeb90a930
SHA1: a84490c6fe724ac6e00788b3ef4756c6f6e2926d
SHA256: 3d1976a9e1a57c80acd5aa59eb9e2036694fecc584022ee5b14cf7aeab838777
SHA512: f0814c5d7aa441c519ebd9e37dbeb6d7d315078f855fe566a7293262ca2fe2c52020c5a8e7c9c489a894a0d82b8a625333d447514d608df8808daccafd484b8c

Filesize: 41KB
MD5: 9a01014bfec516a434e238114d2fd7f8
SHA1: 7f8a0dabf5a78814030b5783a8b244585e5f83f1
SHA256: 8eab392351f0c3c1b2bf99572af5cd4de82b8b065d1279797aac4e776970d565
SHA512: 24eb17f0c266273b67df776789895e1c4205b84bb4fdf7f6abda8afb6240472c1709a4b013b5a023292ff85121678ff26fa4a0f9f7ed29c449a305174ac6c509

Filesize: 183B
MD5: 3a9e4576d49fdf723909790bd40f315f
SHA1: 01e276b2e1d587684392d109aed31537f5a90e5f
SHA256: 1ab80106569f9119df89491ff022ff03b624f7ec264d2b653913d00890c53ad4
SHA512: 99f19d51f8a294579fc623c0024a8ccf41cab3fc846eaa02afbe45e6be80ff1393bb0d2b35daa61acbe35b631b9b79f83e2637626d27bf400c4e1989fbd38ab7

Filesize: 8KB
MD5: 1226994d48d792ff9d1de38acaecb9e9
SHA1: a050c509d039d83a297a3d25b4b825612f60ab92
SHA256: e2fb5994baf014d228f31c76026e647ee5339a53d558ddf89a2432a71089f4aa
SHA512: 0cc0a0e979163d676ca90fb93001ddee4872d21b6b1ebe6f0a0b855bac8d887e658830bb596ba92b3709fb3fbcfa4b60f593dcfb5289a8601b8d79c75d4fde94