Analysis

max time kernel: 144s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 06:10

Static task: static1

Behavioral task: behavioral1
Sample: f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
Resource: win10v2004-20240508-en
General

Target: f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
Size: 119KB
MD5: 1b5a9399b6df4a14cc6e90aa736346a7
SHA1: fe611485e39a0bffb48d3b5e1518f047857d2566
SHA256: f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8
SHA512: 60b5b015faba7334f04446ff095134b1cf87a9cef74925c556ddee74128307705f521f1e712ddeefdc2853fed2f0f4efcd8fbc62024c8cb0f7465e07a3fddbaa
SSDEEP: 3072:/OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:/Is9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures
UPX dump on OEP (original entry point) - 13 IoCs
resource (yara_rule):
- behavioral1/memory/2860-0-0x0000000000400000-0x0000000000420000-memory.dmp (UPX)
- behavioral1/files/0x0038000000015670-10.dat (UPX)
- behavioral1/memory/2860-16-0x0000000010000000-0x000000001000D000-memory.dmp (UPX)
- behavioral1/files/0x000a000000012286-17.dat (UPX)
- behavioral1/memory/2860-18-0x0000000000340000-0x0000000000349000-memory.dmp (UPX)
- behavioral1/memory/2860-26-0x0000000010000000-0x000000001000D000-memory.dmp (UPX)
- behavioral1/memory/2860-25-0x0000000000400000-0x0000000000420000-memory.dmp (UPX)
- behavioral1/files/0x0007000000015cb8-28.dat (UPX)
- behavioral1/memory/1996-29-0x0000000000320000-0x0000000000340000-memory.dmp (UPX)
- behavioral1/memory/1996-34-0x0000000000400000-0x0000000000409000-memory.dmp (UPX)
- behavioral1/memory/2720-36-0x0000000000400000-0x0000000000420000-memory.dmp (UPX)
- behavioral1/memory/2720-42-0x0000000010000000-0x000000001000D000-memory.dmp (UPX)
- behavioral1/memory/2720-48-0x0000000000400000-0x0000000000420000-memory.dmp (UPX)
ACProtect 1.3x - 1.4x DLL software - 1 IoC
Detects file using ACProtect software.
resource (yara_rule):
- behavioral1/files/0x0038000000015670-10.dat (acprotect)
Executes dropped EXE - 2 IoCs
pid / Process:
- 1996 ctfmen.exe
- 2720 smnss.exe
Loads dropped DLL - 9 IoCs
pid / Process:
- 2860 f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
- 2860 f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
- 2860 f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
- 1996 ctfmen.exe
- 1996 ctfmen.exe
- 2720 smnss.exe
- 2504 WerFault.exe
- 2504 WerFault.exe
- 2504 WerFault.exe
Adds Run key to start application - 2 TTPs, 2 IoCs
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" (smnss.exe)
Maps connected drives based on registry - 3 TTPs, 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (smnss.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (smnss.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 (smnss.exe)
Drops file in System32 directory - 12 IoCs
description / ioc / Process:
- File opened for modification: C:\Windows\SysWOW64\grcopy.dll (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- File opened for modification: C:\Windows\SysWOW64\shervans.dll (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- File created: C:\Windows\SysWOW64\satornas.dll (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- File created: C:\Windows\SysWOW64\zipfi.dll (smnss.exe)
- File created: C:\Windows\SysWOW64\smnss.exe (smnss.exe)
- File created: C:\Windows\SysWOW64\ctfmen.exe (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- File opened for modification: C:\Windows\SysWOW64\ctfmen.exe (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- File created: C:\Windows\SysWOW64\shervans.dll (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- File created: C:\Windows\SysWOW64\zipfiaq.dll (smnss.exe)
- File created: C:\Windows\SysWOW64\grcopy.dll (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- File created: C:\Windows\SysWOW64\smnss.exe (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- File opened for modification: C:\Windows\SysWOW64\satornas.dll (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
Drops file in Program Files directory - 64 IoCs
description / ioc / Process (all entries: File opened for modification, by smnss.exe):
- C:\Program Files\7-Zip\Lang\cy.txt
- C:\Program Files\7-Zip\Lang\sa.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml
- C:\Program Files\7-Zip\Lang\an.txt
- C:\Program Files\7-Zip\Lang\mng.txt
- C:\Program Files\7-Zip\Lang\sl.txt
- C:\Program Files\7-Zip\Lang\uz.txt
- C:\Program Files\7-Zip\Lang\vi.txt
- C:\Program Files\7-Zip\Lang\ru.txt
- C:\Program Files\7-Zip\License.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml
- C:\Program Files\7-Zip\Lang\eu.txt
- C:\Program Files\7-Zip\Lang\fur.txt
- C:\Program Files\7-Zip\Lang\ms.txt
- C:\Program Files\7-Zip\Lang\pt.txt
- C:\Program Files\7-Zip\Lang\ro.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
- C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
- C:\Program Files\7-Zip\Lang\ba.txt
- C:\Program Files\7-Zip\Lang\hu.txt
- C:\Program Files\7-Zip\Lang\lt.txt
- C:\Program Files\7-Zip\Lang\ta.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml
- C:\Program Files\7-Zip\Lang\bn.txt
- C:\Program Files\7-Zip\Lang\lv.txt
- C:\Program Files\7-Zip\Lang\sq.txt
- C:\Program Files\7-Zip\Lang\sw.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml
- C:\Program Files\7-Zip\Lang\io.txt
- C:\Program Files\7-Zip\Lang\pl.txt
- C:\Program Files\7-Zip\Lang\tg.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml
- C:\Program Files\7-Zip\Lang\ko.txt
- C:\Program Files\7-Zip\Lang\mk.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml
- C:\Program Files\7-Zip\Lang\ga.txt
- C:\Program Files\7-Zip\Lang\hy.txt
- C:\Program Files\7-Zip\Lang\pt-br.txt
- C:\Program Files\7-Zip\Lang\sk.txt
- C:\Program Files\7-Zip\Lang\uz-cyrl.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
- C:\Program Files\DVD Maker\Shared\Filters.xml
- C:\Program Files\7-Zip\Lang\de.txt
- C:\Program Files\7-Zip\Lang\mr.txt
- C:\Program Files\7-Zip\Lang\ps.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml
- C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml
- C:\Program Files\7-Zip\Lang\be.txt
- C:\Program Files\7-Zip\Lang\co.txt
Program crash - 1 IoC
pid / pid_target / Process / procid_target:
- 2504 / 2720 / WerFault.exe / 29
Modifies registry class - 6 IoCs
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" (smnss.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID (f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe)
Suspicious use of AdjustPrivilegeToken - 1 IoC
description / pid / Process:
- Token: SeDebugPrivilege / 2720 / smnss.exe
Suspicious use of WriteProcessMemory - 12 IoCs
description / pid / Process / procid_target:
- PID 2860 wrote to memory of 1996 / 2860 / f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe / 28
- PID 2860 wrote to memory of 1996 / 2860 / f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe / 28
- PID 2860 wrote to memory of 1996 / 2860 / f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe / 28
- PID 2860 wrote to memory of 1996 / 2860 / f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe / 28
- PID 1996 wrote to memory of 2720 / 1996 / ctfmen.exe / 29
- PID 1996 wrote to memory of 2720 / 1996 / ctfmen.exe / 29
- PID 1996 wrote to memory of 2720 / 1996 / ctfmen.exe / 29
- PID 1996 wrote to memory of 2720 / 1996 / ctfmen.exe / 29
- PID 2720 wrote to memory of 2504 / 2720 / smnss.exe / 30
- PID 2720 wrote to memory of 2504 / 2720 / smnss.exe / 30
- PID 2720 wrote to memory of 2504 / 2720 / smnss.exe / 30
- PID 2720 wrote to memory of 2504 / 2720 / smnss.exe / 30
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe"
PID: 2860
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SysWOW64\ctfmen.exe
Command line: ctfmen.exe
PID: 1996
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\smnss.exe
Command line: C:\Windows\system32\smnss.exe
PID: 2720
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 768
PID: 2504
- Loads dropped DLL
- Program crash
Downloads