718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 22:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
Size

352KB
MD5

9f13a4c88366d50659f82e04e33dae28
SHA1

1b09e27587f46dfe2d7c6d67a1cb9dac1d455f6f
SHA256

718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca
SHA512

efd9fbe4929d3b9b7e6c787f6cf1c4731db3855dd6d22d1c8059d269c3f1c8ea92004f24adc17a3e2d61c67e57f39f80366324575bf2665be215d30e65390256
SSDEEP

6144:LIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCe8i:eKofHfHTXQLzgvnzHPowYbvrjD/L7QPs

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral1/memory/2272-16-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/files/0x0032000000015c4c-10.dat	UPX
behavioral1/memory/2272-19-0x0000000000350000-0x0000000000359000-memory.dmp	UPX
behavioral1/files/0x000d000000012345-17.dat	UPX
behavioral1/files/0x0007000000015c9c-32.dat	UPX
behavioral1/memory/2508-27-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral1/memory/2272-26-0x0000000000400000-0x0000000000460000-memory.dmp	UPX
behavioral1/memory/2272-25-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/memory/2584-40-0x0000000010000000-0x000000001000D000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0032000000015c4c-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2508	ctfmen.exe
2584	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2272	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
2272	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
2272	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
2508	ctfmen.exe
2508	ctfmen.exe
2584	smnss.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
File created	C:\Windows\SysWOW64\shervans.dll	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
File created	C:\Windows\SysWOW64\grcopy.dll	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
File created	C:\Windows\SysWOW64\smnss.exe	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
File created	C:\Windows\SysWOW64\satornas.dll	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2384	2584	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2508	2272	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe	28
PID 2272 wrote to memory of 2508	2272	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe	28
PID 2272 wrote to memory of 2508	2272	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe	28
PID 2272 wrote to memory of 2508	2272	718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe	28
PID 2508 wrote to memory of 2584	2508	ctfmen.exe	29
PID 2508 wrote to memory of 2584	2508	ctfmen.exe	29
PID 2508 wrote to memory of 2584	2508	ctfmen.exe	29
PID 2508 wrote to memory of 2584	2508	ctfmen.exe	29
PID 2584 wrote to memory of 2384	2584	smnss.exe	30
PID 2584 wrote to memory of 2384	2584	smnss.exe	30
PID 2584 wrote to memory of 2384	2584	smnss.exe	30
PID 2584 wrote to memory of 2384	2584	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe
"C:\Users\Admin\AppData\Local\Temp\718b024915d6bbf006d20fa9fa629430fb9ab639efb98e645f67a99a18cac5ca.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 816
      4⤵
      Loads dropped DLL
      Program crash
      PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
bad24792b6e3c9e86cc7c6f2a5c1b913

SHA1
c76e58f73143e9da6a2dfd2c845978da9c18f239

SHA256
90bc3f4a1ea38e1d815f681914aed5c1396bcc06a4cfab9a55b0351606ce7e31

SHA512
7369032d73004af2446f2f8c2f64631c6008c84ee24e9ddc34e07b9a2acef5df48dd44650d8f5d39ba11718943055d9a5f5941f0319cf310938c3ad08513f403

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
352KB

MD5
12ceed47621d4a36a23736c7604a34f3

SHA1
4a2f43ec5d02e76b63bde41b1240bbe1e58134c2

SHA256
332e2497cba36aa15354be62e59c1ff5d1fc8fff218ee868fc5a6d4e52d7b420

SHA512
cc26d93b8ad559ff6417c73599c75a47114e5bfec59e3c9b2eb0ff6415f3ad1c589bbe8ed79c574373cc18cc8fc9f9012d415bd7bb2a82815bde3704f108341d

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
00b50a285c18ef17f2f0a70a9c76e5ae

SHA1
20867130e3422a8b78d040a03c2cb4f266756e17

SHA256
b5084a2a78ca4e3518d43485819fe348838d9d9e196972adf9814e0103358c34

SHA512
a17f2a64d3c8980b427b14b8f8f8ef5c84ba46e6e028d3d8c724c30e23091ec872c1c4a00791fced65f30c74a6c468e716d37e498baace1e642315033d20b97e

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
2339e6171b20d97ff9b59bb50211515f

SHA1
122d4f04b5c1cf04c3db04cff5b246298712f613

SHA256
c085d46faeabdbac2cb5b41d07461e32de74725a6e38d7dd11793c71d5210eab

SHA512
5a997181ba9ed0811cdf94c81185f7e3eb051352e5b8b01248e6cee881d357b7ef1cabc2b5d0c2992cf85d688ca98057aa34aab0189c3c634ab9f93309fbc6e9

Download Submit
memory/2272-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2272-19-0x0000000000350000-0x0000000000359000-memory.dmp

Filesize
36KB

Download
memory/2272-26-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2272-1-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2272-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2508-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2584-35-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2584-40-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2584-46-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads