Analysis
-
max time kernel
145s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24/04/2024, 20:28
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Resource
win7-20240221-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
-
Size
119KB
-
MD5
61d1ce1394a03e9888be992eb836f1c8
-
SHA1
e8a0a43358742522d6ee2e86983c99fc8ff60cc2
-
SHA256
334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6
-
SHA512
05cf347c79f56fb9a45e37c01a1c2c7efb644b171412f57b0b86ce14ef8f92cbb26e3327f921d7300483f749dadc398acfa05daba1dc3d78fb31bda6102ac411
-
SSDEEP
3072:TOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:TIs9OKofHfHTXQLzgvnzHPowYbvrjD/E
Score
9/10
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 13 IoCs
resource yara_rule behavioral1/memory/2244-0-0x0000000000400000-0x0000000000420000-memory.dmp UPX behavioral1/files/0x0009000000015c5d-10.dat UPX behavioral1/memory/2244-14-0x0000000010000000-0x000000001000D000-memory.dmp UPX behavioral1/files/0x000c000000012262-17.dat UPX behavioral1/memory/2244-18-0x0000000000350000-0x0000000000359000-memory.dmp UPX behavioral1/files/0x0008000000015e5b-28.dat UPX behavioral1/memory/2244-31-0x0000000000400000-0x0000000000420000-memory.dmp UPX behavioral1/memory/2536-26-0x0000000000400000-0x0000000000409000-memory.dmp UPX behavioral1/memory/2244-24-0x0000000010000000-0x000000001000D000-memory.dmp UPX behavioral1/memory/2744-38-0x0000000000400000-0x0000000000420000-memory.dmp UPX behavioral1/memory/2744-41-0x0000000010000000-0x000000001000D000-memory.dmp UPX behavioral1/memory/2744-45-0x0000000010000000-0x000000001000D000-memory.dmp UPX behavioral1/memory/2744-48-0x0000000000400000-0x0000000000420000-memory.dmp UPX -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0009000000015c5d-10.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 2536 ctfmen.exe 2744 smnss.exe -
Loads dropped DLL 9 IoCs
pid Process 2244 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe 2244 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe 2244 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe 2536 ctfmen.exe 2536 ctfmen.exe 2744 smnss.exe 2456 WerFault.exe 2456 WerFault.exe 2456 WerFault.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 smnss.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\SysWOW64\ctfmen.exe 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe File opened for modification C:\Windows\SysWOW64\ctfmen.exe 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe File created C:\Windows\SysWOW64\satornas.dll 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe File created C:\Windows\SysWOW64\smnss.exe smnss.exe File created C:\Windows\SysWOW64\smnss.exe 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe File opened for modification C:\Windows\SysWOW64\satornas.dll 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe File created C:\Windows\SysWOW64\zipfi.dll smnss.exe File created C:\Windows\SysWOW64\zipfiaq.dll smnss.exe File created C:\Windows\SysWOW64\shervans.dll 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe File created C:\Windows\SysWOW64\grcopy.dll 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe File opened for modification C:\Windows\SysWOW64\grcopy.dll 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe File opened for modification C:\Windows\SysWOW64\shervans.dll 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\uz.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\fa.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml smnss.exe File opened for modification C:\Program Files\Internet Explorer\Timeline.cpu.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sk.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\README.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ca.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sa.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\yo.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\gu.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\hy.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ru.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ko.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sl.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sw.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\tg.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\eo.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\kk.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\es.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\is.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\lv.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml smnss.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2456 2744 WerFault.exe 29 -
Modifies registry class 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2744 smnss.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2536 2244 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe 28 PID 2244 wrote to memory of 2536 2244 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe 28 PID 2244 wrote to memory of 2536 2244 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe 28 PID 2244 wrote to memory of 2536 2244 334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe 28 PID 2536 wrote to memory of 2744 2536 ctfmen.exe 29 PID 2536 wrote to memory of 2744 2536 ctfmen.exe 29 PID 2536 wrote to memory of 2744 2536 ctfmen.exe 29 PID 2536 wrote to memory of 2744 2536 ctfmen.exe 29 PID 2744 wrote to memory of 2456 2744 smnss.exe 30 PID 2744 wrote to memory of 2456 2744 smnss.exe 30 PID 2744 wrote to memory of 2456 2744 smnss.exe 30 PID 2744 wrote to memory of 2456 2744 smnss.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe"C:\Users\Admin\AppData\Local\Temp\334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 8564⤵
- Loads dropped DLL
- Program crash
PID:2456
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
183B
MD5d52157a0bea2382b1c7ec165210c2302
SHA16e4c32f0d48cce491a937295df54e40773f1f893
SHA256c4be80435ecbc68441af74ae297478bc36addc922c50bbf8ed1794cf2a2d169e
SHA512bb434a61045abc141ff7492cfdebba5bef9b8b6b34a119a61a5f3647b775c02bf2ee4d002261cdd3ad33528caedef2776acad0cf538717914d865edf67274467
-
Filesize
119KB
MD54a844e4658df7aae6ec904bc10fc0075
SHA1245a795dad17e3a2c8b75386a0243c3014414cbc
SHA2560ef04ce70b6782442d2dfd13ba1f8dfa442b8078c1db8f1547959dc348869930
SHA512fc443b3f57736fb05ba5a3bbdc8cc5f1d58755f702cd59d5c1f7ede57c1380883a8df3be1a51e898be8ac06a2b0f4398115fcf1fdd3b5e12ddabb49085fc2424
-
Filesize
4KB
MD5bc3c41c9a088b88a21d6285ea87a6f10
SHA16a6a86e8267fca71bf5b58c6f0c2defe1c88b8e6
SHA256dc0987d6fb19fff2dde4dbc86ea8e33f9c1b4a3ab1cbd79d96313b99d31d1e65
SHA512185cf6b01daf004dbb5702f2c8dc620f3501d9f379295299983bc2a4b221c374ecf5ed1d3c1c3dd25e91b54b1be493a63b29c749f9ca411bbcd3f3bb4c67e4f6
-
Filesize
8KB
MD5c983fa5c88fa921587313a9ad37027c7
SHA1fbe3a7bf061b202c0f3152fad4247e07f0c95be3
SHA25625801230ae269cae6665f88bc690a5d738320b3cfb5c26e5b5ef4caa75f0b134
SHA512c465bad3d14949f157e90d20f25ac98d4caf1a85c0754fb4b49d78e94a90d9852d5d7cb0b63bc23a06d56a0da76d5170bc81c8dae9d20a7bc4c8f74765a500f8