Analysis

max time kernel: 145s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24/04/2024, 21:50
Static task: static1

Behavioral task: behavioral1
    Sample: e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
    Resource: win7-20240221-en

Behavioral task: behavioral2
    Sample: e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
    Resource: win10v2004-20240412-en
General

Target: e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
Size: 41KB
MD5: 6f9f4448028eab2240086b07f303fbe0
SHA1: ca2723b731a66cc6275f5a009b6b4bbc668ad1ff
SHA256: e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5
SHA512: bdebcb2550faa504d23243562f9e55c0b3a058a5220505e0f13cbc06d97e8b3217add94e7d9551bce14c1fa704db7a9d8f19a58ab6b61afbd95c59bd66efe997
SSDEEP: 768:6eMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09syp:6q5VwWDjDkdTRqHFOn8tIbbeYiuZIFSL
Malware Config

Signatures
UPX dump on OEP (original entry point) (13 IoCs)

resource | yara_rule
behavioral1/memory/1136-0-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral1/files/0x000a00000001466c-10.dat | UPX
behavioral1/memory/1136-12-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral1/files/0x000900000001222c-17.dat | UPX
behavioral1/memory/1136-18-0x00000000003A0000-0x00000000003A9000-memory.dmp | UPX
behavioral1/memory/1136-25-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral1/files/0x000700000001560a-27.dat | UPX
behavioral1/memory/1136-34-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral1/memory/2964-32-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral1/memory/2156-29-0x0000000000400000-0x0000000000409000-memory.dmp | UPX
behavioral1/memory/2964-39-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
behavioral1/memory/2964-44-0x0000000000400000-0x000000000041F000-memory.dmp | UPX
behavioral1/memory/2964-45-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects a file packed with ACProtect software.

resource | yara_rule
behavioral1/files/0x000a00000001466c-10.dat | acprotect
Executes dropped EXE (2 IoCs)

pid | Process
2156 | ctfmen.exe
2964 | smnss.exe
Loads dropped DLL (9 IoCs)

pid | Process
1136 | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
1136 | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
1136 | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
2156 | ctfmen.exe
2156 | ctfmen.exe
2964 | smnss.exe
2636 | WerFault.exe
2636 | WerFault.exe
2636 | WerFault.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
Drops file in System32 directory (12 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\shervans.dll | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
File created | C:\Windows\SysWOW64\smnss.exe | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
File created | C:\Windows\SysWOW64\satornas.dll | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
File created | C:\Windows\SysWOW64\grcopy.dll | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\README.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml | smnss.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\readme.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | smnss.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
2636 | 2964 | WerFault.exe | 29
Modifies registry class (6 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)

description | pid | Process
Token: SeDebugPrivilege | 2964 | smnss.exe
Suspicious use of WriteProcessMemory (12 IoCs)

description | pid | Process | procid_target
PID 1136 wrote to memory of 2156 | 1136 | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe | 28
PID 1136 wrote to memory of 2156 | 1136 | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe | 28
PID 1136 wrote to memory of 2156 | 1136 | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe | 28
PID 1136 wrote to memory of 2156 | 1136 | e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe | 28
PID 2156 wrote to memory of 2964 | 2156 | ctfmen.exe | 29
PID 2156 wrote to memory of 2964 | 2156 | ctfmen.exe | 29
PID 2156 wrote to memory of 2964 | 2156 | ctfmen.exe | 29
PID 2156 wrote to memory of 2964 | 2156 | ctfmen.exe | 29
PID 2964 wrote to memory of 2636 | 2964 | smnss.exe | 30
PID 2964 wrote to memory of 2636 | 2964 | smnss.exe | 30
PID 2964 wrote to memory of 2636 | 2964 | smnss.exe | 30
PID 2964 wrote to memory of 2636 | 2964 | smnss.exe | 30
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e2b703a090211bf99379f5bd20b47fd82da4a5903b597f28b1aa8262e8297ba5.exe"
    PID: 1136
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    Level 2: C:\Windows\SysWOW64\ctfmen.exe
        Command line: ctfmen.exe
        PID: 2156
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        Level 3: C:\Windows\SysWOW64\smnss.exe
            Command line: C:\Windows\system32\smnss.exe
            PID: 2964
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Maps connected drives based on registry
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            Level 4: C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 816
                PID: 2636
                - Loads dropped DLL
                - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 183B
MD5: 829c2191ac4349a6b53bf47bffe1102c
SHA1: 44dbb4ef98c183d73331b56f3f5a648a21e4c0b2
SHA256: 0dd13e402b5d5b61ffa533b9daaa07acefce17b3e099f5739f3bbbb82c74e05b
SHA512: 5af46cd3d867111d246e0ea7220aa94199c30fdc59a4ea521385ff71aa46ebc70dc59b9d4a2b7d407d33c3a3f2c9d3d121f2b7c5d751349a6419ee8c3c9e1162

Filesize: 41KB
MD5: 1ef77910b1127c0d5b10e61edd6f4e5a
SHA1: 1976b8f1523abc610520f7349bc73a331f2243c9
SHA256: 85452488a3805dfcf3d2e1c6f09dcafba70ac68301c77fdb51646f9996d58bdc
SHA512: 1aef51b9f55eb1c26b2a5fb3c255e3f29194cdb414a1653e00762710a12a263288398c3985cb7028718facb119083381f893bd2544cce71b3649bc2f0d95b7b3

Filesize: 4KB
MD5: 18b1e7bb7e069565ad6b9dfea3d04284
SHA1: 4bf9f2667cb812eeaefb25eeef1ca37d2c362cec
SHA256: 362a2e5f2cfdcc633abf198361824d3bc2c634c7dc8433f96172bc67f5607f30
SHA512: 0457b1040f3b955e5a7373cea5b8875e4cb3c22fc037bef06abe8df15b8302810c85fda55ca77143e10b8f503eca61ee2f1db3529cd15f67a65cd46d14467b8c

Filesize: 8KB
MD5: ef3f5671c4d4c1644b1d9368a9fbaaff
SHA1: a350440b6466f789d40fc52e5145b54d8a182d10
SHA256: 5874fb8d66b46ae47e9518d299576004e224a0beab49fba60e667efeac90494c
SHA512: 11a11d0bd15a4d13bac873de38163050fd3e64b6c3c2a7716cbfbd13d8d8df750227c9628fa6421a66f3f11f31396d20f3de458c4a83bd0295fc294c288fd710