abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Size

118KB
MD5

39d1c54933870ae853f5acefb496079f
SHA1

42d9c6ec9144478c28e4b38339ec0ce37946bb63
SHA256

abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d
SHA512

474a73edbe7af4a4ca39afca0b35227d1ff87c625fac6d61b64b92889b3bafa4ac8f477a24639cb9e21e517b368a8d91dcb2b4002c33ba82102e472e6a619353
SSDEEP

3072:COjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:CIs9OKofHfHTXQLzgvnzHPowYbvrjD/m

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 13 IoCs

resource	yara_rule
behavioral1/memory/2104-0-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral1/files/0x003400000001471d-10.dat	UPX
behavioral1/memory/2104-14-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/files/0x000c0000000144e4-17.dat	UPX
behavioral1/memory/2104-18-0x0000000000380000-0x0000000000389000-memory.dmp	UPX
behavioral1/memory/2104-27-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/memory/2104-26-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral1/files/0x0007000000014b63-28.dat	UPX
behavioral1/memory/2544-31-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral1/memory/2544-30-0x0000000000320000-0x000000000033F000-memory.dmp	UPX
behavioral1/memory/2648-35-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral1/memory/2648-42-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/memory/2648-48-0x0000000000400000-0x000000000041F000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x003400000001471d-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2544	ctfmen.exe
2648	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2104	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
2104	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
2104	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
2544	ctfmen.exe
2544	ctfmen.exe
2648	smnss.exe
1032	WerFault.exe
1032	WerFault.exe
1032	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmen.exe	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File created	C:\Windows\SysWOW64\smnss.exe	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File created	C:\Windows\SysWOW64\satornas.dll	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File created	C:\Windows\SysWOW64\shervans.dll	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File created	C:\Windows\SysWOW64\grcopy.dll	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1032	2648	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2544	2104	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe	28
PID 2104 wrote to memory of 2544	2104	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe	28
PID 2104 wrote to memory of 2544	2104	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe	28
PID 2104 wrote to memory of 2544	2104	abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe	28
PID 2544 wrote to memory of 2648	2544	ctfmen.exe	29
PID 2544 wrote to memory of 2648	2544	ctfmen.exe	29
PID 2544 wrote to memory of 2648	2544	ctfmen.exe	29
PID 2544 wrote to memory of 2648	2544	ctfmen.exe	29
PID 2648 wrote to memory of 1032	2648	smnss.exe	30
PID 2648 wrote to memory of 1032	2648	smnss.exe	30
PID 2648 wrote to memory of 1032	2648	smnss.exe	30
PID 2648 wrote to memory of 1032	2648	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe
"C:\Users\Admin\AppData\Local\Temp\abef900a0e21e65b8d26605a7df6e315684d91210124d9122f7f6a2110c2452d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 844
      4⤵
      Loads dropped DLL
      Program crash
      PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
817d864551e9f027c54242cebb6103f2

SHA1
be77ce0ecaf4d7dac784ac196061a6c99012fc0c

SHA256
cfc0bad6d8a51d53ac14f098c93d34f55dab55ba42636aaad3bb662886b9a699

SHA512
3016e145e72efb30cb8317dfeb970a1ae63b860249df9200bd4723c5071debbf9f92a96f00ff469ab51145568371181f32f573383162858426ce4f870c5ebce8

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
adbfe1230584ab9b5a5ff19da7686974

SHA1
4100a0d52946885b86551f2fa31f29f3705d7da6

SHA256
358526d109dc16feac717428772c6707c37282e00f2d53fdc03dcbea38eac3c0

SHA512
43c3be19d02c5619e5260ac87e0816d161c642398ca0619b5af04b4c5fda352d9af6840902c6c713442bc1e52cac7c6202eac681bedcd4a16cb627fde2333ca6

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
ba24e9a806c9ff53dd98371faf2a074e

SHA1
347ad3951ee8bc7dca3678fcd10a30d6c4df1bc1

SHA256
5428bc60224c8e280893debfc1c0b17834d5f9986c4e234ffbb4f1cc79fde2fb

SHA512
adc66780792d018c71fe62879923a27adfda0187ee1552dfca2798db6dfb34a755e294919946407264ef2f6fd406d99a51ee405aba075c22ef18e812b97610b4

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
118KB

MD5
b2fd5c125c6b2fd7969c77b6b369b1a9

SHA1
2287ba74c5c37c1bb44f67de1c17ffe5f9cc0255

SHA256
34702d2e3af2b5434f52660b91b53f52bc56d5a28f6374160175aa5b3d0a8642

SHA512
e0b02081ce5d9bb24833187842562d548e0f02757c37b0fd412b146b905d8fad8d8662e2e68b37d8b32b346e9140250e20ce62eab0f5a25e5a96cda566500431

Download Submit
memory/2104-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2104-27-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2104-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2104-18-0x0000000000380000-0x0000000000389000-memory.dmp

Filesize
36KB

Download
memory/2104-14-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2544-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2544-30-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2648-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2648-42-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2648-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads