Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 06:10
Static task: static1
Behavioral task: behavioral1
  Sample: f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
  Resource: win10v2004-20240508-en
General
Target: f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
Size: 119KB
MD5: 1b5a9399b6df4a14cc6e90aa736346a7
SHA1: fe611485e39a0bffb48d3b5e1518f047857d2566
SHA256: f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8
SHA512: 60b5b015faba7334f04446ff095134b1cf87a9cef74925c556ddee74128307705f521f1e712ddeefdc2853fed2f0f4efcd8fbc62024c8cb0f7465e07a3fddbaa
SSDEEP: 3072:/OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:/Is9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures
- UPX dump on OEP (original entry point) - 11 IoCs
    resource | yara_rule
    behavioral2/memory/4412-0-0x0000000000400000-0x0000000000420000-memory.dmp | UPX
    behavioral2/files/0x00090000000233fe-10.dat | UPX
    behavioral2/files/0x0008000000023404-15.dat | UPX
    behavioral2/memory/4412-16-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
    behavioral2/files/0x000700000002328e-20.dat | UPX
    behavioral2/memory/4412-22-0x0000000000400000-0x0000000000420000-memory.dmp | UPX
    behavioral2/memory/4412-23-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
    behavioral2/memory/3180-25-0x0000000000400000-0x0000000000409000-memory.dmp | UPX
    behavioral2/memory/2688-30-0x0000000000400000-0x0000000000420000-memory.dmp | UPX
    behavioral2/memory/2688-37-0x0000000010000000-0x000000001000D000-memory.dmp | UPX
    behavioral2/memory/2688-39-0x0000000000400000-0x0000000000420000-memory.dmp | UPX
- ACProtect 1.3x - 1.4x DLL software - 1 IoCs
  Detects file using ACProtect software.
    resource | yara_rule
    behavioral2/files/0x00090000000233fe-10.dat | acprotect
- Executes dropped EXE - 2 IoCs
    pid | Process
    3180 | ctfmen.exe
    2688 | smnss.exe
- Loads dropped DLL - 2 IoCs
    pid | Process
    4412 | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    2688 | smnss.exe
- Adds Run key to start application - 2 TTPs, 2 IoCs
    description | ioc | Process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
- Maps connected drives based on registry - 3 TTPs, 6 IoCs
  Disk information is often read in order to detect sandboxing environments.
    description | ioc | Process
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
- Drops file in System32 directory - 12 IoCs
    description | ioc | Process
    File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    File opened for modification | C:\Windows\SysWOW64\shervans.dll | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    File opened for modification | C:\Windows\SysWOW64\satornas.dll | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
    File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
    File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
    File created | C:\Windows\SysWOW64\ctfmen.exe | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    File created | C:\Windows\SysWOW64\shervans.dll | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    File created | C:\Windows\SysWOW64\grcopy.dll | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    File opened for modification | C:\Windows\SysWOW64\grcopy.dll | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    File created | C:\Windows\SysWOW64\smnss.exe | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    File created | C:\Windows\SysWOW64\satornas.dll | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
- Drops file in Program Files directory - 64 IoCs
  All 64 entries have description "File opened for modification" and Process smnss.exe; the ioc paths, in report order:
    C:\Program Files\7-Zip\Lang\tt.txt
    C:\Program Files\7-Zip\Lang\bg.txt
    C:\Program Files\7-Zip\Lang\pt.txt
    C:\Program Files\7-Zip\Lang\uk.txt
    C:\Program Files\7-Zip\readme.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml
    C:\Program Files\7-Zip\Lang\ba.txt
    C:\Program Files\7-Zip\Lang\ps.txt
    C:\Program Files\7-Zip\Lang\uz-cyrl.txt
    C:\Program Files\7-Zip\Lang\yo.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml
    C:\Program Files\7-Zip\Lang\fi.txt
    C:\Program Files\7-Zip\Lang\bn.txt
    C:\Program Files\7-Zip\Lang\it.txt
    C:\Program Files\7-Zip\Lang\lv.txt
    C:\Program Files\7-Zip\Lang\ms.txt
    C:\Program Files\7-Zip\Lang\si.txt
    C:\Program Files\7-Zip\Lang\tg.txt
    C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml
    C:\Program Files\7-Zip\Lang\ast.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml
    C:\Program Files\7-Zip\Lang\nl.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml
    C:\Program Files\dotnet\ThirdPartyNotices.txt
    C:\Program Files\7-Zip\Lang\ca.txt
    C:\Program Files\7-Zip\Lang\zh-cn.txt
    C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml
    C:\Program Files\7-Zip\Lang\sq.txt
    C:\Program Files\7-Zip\Lang\fa.txt
    C:\Program Files\7-Zip\Lang\hu.txt
    C:\Program Files\7-Zip\Lang\io.txt
    C:\Program Files\7-Zip\Lang\is.txt
    C:\Program Files\7-Zip\Lang\ja.txt
    C:\Program Files\7-Zip\Lang\lij.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml
    C:\Program Files\7-Zip\Lang\es.txt
    C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml
    C:\Program Files\7-Zip\Lang\mng.txt
    C:\Program Files\7-Zip\Lang\ro.txt
    C:\Program Files\7-Zip\Lang\id.txt
    C:\Program Files\7-Zip\Lang\fur.txt
    C:\Program Files\7-Zip\Lang\hr.txt
    C:\Program Files\7-Zip\Lang\sk.txt
    C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml
    C:\Program Files\7-Zip\Lang\an.txt
    C:\Program Files\7-Zip\Lang\kk.txt
    C:\Program Files\7-Zip\Lang\va.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml
    C:\Program Files\7-Zip\Lang\cs.txt
    C:\Program Files\7-Zip\Lang\th.txt
    C:\Program Files\7-Zip\Lang\uz.txt
    C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml
- Program crash - 1 IoCs
    pid | pid_target | Process | procid_target
    3248 | 2688 | WerFault.exe | 84
- Modifies registry class - 6 IoCs
    description | ioc | Process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
- Suspicious use of AdjustPrivilegeToken - 1 IoCs
    description | pid | Process
    Token: SeDebugPrivilege | 2688 | smnss.exe
- Suspicious use of WriteProcessMemory - 6 IoCs
    description | pid | Process | procid_target
    PID 4412 wrote to memory of 3180 | 4412 | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe | 83
    PID 4412 wrote to memory of 3180 | 4412 | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe | 83
    PID 4412 wrote to memory of 3180 | 4412 | f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe | 83
    PID 3180 wrote to memory of 2688 | 3180 | ctfmen.exe | 84
    PID 3180 wrote to memory of 2688 | 3180 | ctfmen.exe | 84
    PID 3180 wrote to memory of 2688 | 3180 | ctfmen.exe | 84
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f26c67bb637f1a2263cb6187a1e5ed14b0bbce107f8013724dd36f8b00ec47a8.exe"
  PID: 4412
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\ctfmen.exe
    Command line: ctfmen.exe
    PID: 3180
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\smnss.exe
      Command line: C:\Windows\system32\smnss.exe
      PID: 2688
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1480
        PID: 3248
        - Program crash
Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2688 -ip 2688
  PID: 3220
Network
MITRE ATT&CK Enterprise v15
Downloads