58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
Size

75KB
MD5

2396fa26b10aa216662ca8545954ddea
SHA1

082325cd57e15c2a44fd8f0ea9947ecdd2165d03
SHA256

58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494
SHA512

e57508ee546e0a443bbdf5bdf3f9197db046b2f0d0a5d5c888754e2624b2942e8187a94784d6a4a4456716cf6df2b9e04b31fe2e3ba0ad02dfe080bd9812e691
SSDEEP

1536:cx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:UOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral1/files/0x002f0000000133b7-9.dat	UPX
behavioral1/memory/2484-15-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/memory/2484-17-0x0000000000340000-0x0000000000349000-memory.dmp	UPX
behavioral1/files/0x000c0000000132c6-16.dat	UPX
behavioral1/memory/2604-32-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral1/memory/2484-26-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/memory/2756-39-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral1/memory/2756-41-0x0000000010000000-0x000000001000D000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x002f0000000133b7-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2604	ctfmen.exe
2756	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2484	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
2484	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
2484	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
2604	ctfmen.exe
2604	ctfmen.exe
2756	smnss.exe
1640	WerFault.exe
1640	WerFault.exe
1640	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmen.exe	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
File created	C:\Windows\SysWOW64\smnss.exe	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
File created	C:\Windows\SysWOW64\shervans.dll	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
File created	C:\Windows\SysWOW64\grcopy.dll	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
File created	C:\Windows\SysWOW64\satornas.dll	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\GroupRevoke.doc	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1640	2756	WerFault.exe	29

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2604	2484	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe	28
PID 2484 wrote to memory of 2604	2484	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe	28
PID 2484 wrote to memory of 2604	2484	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe	28
PID 2484 wrote to memory of 2604	2484	58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe	28
PID 2604 wrote to memory of 2756	2604	ctfmen.exe	29
PID 2604 wrote to memory of 2756	2604	ctfmen.exe	29
PID 2604 wrote to memory of 2756	2604	ctfmen.exe	29
PID 2604 wrote to memory of 2756	2604	ctfmen.exe	29
PID 2756 wrote to memory of 1640	2756	smnss.exe	30
PID 2756 wrote to memory of 1640	2756	smnss.exe	30
PID 2756 wrote to memory of 1640	2756	smnss.exe	30
PID 2756 wrote to memory of 1640	2756	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe
"C:\Users\Admin\AppData\Local\Temp\58ba12e6966fa940dc20e19cc7e8b7c28e8266ef9e9e192d4bfb82f9e8fdd494.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 852
      4⤵
      Loads dropped DLL
      Program crash
      PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
ccc5ebb07661837e66433fb57264ff7c

SHA1
da77fb5bcded65746956bf935faffa47932c5e75

SHA256
3bc042e209226ea39bd4f4dc431a287f15bc43fc54668a3a9a6361d5135259fe

SHA512
da180d067680e87c24c5b29b6e8b0e71955d9c5783ff0aedee7376e1c123a63cdb641a944fa5bb7c314600d901e6639ad20fef9f7eedeca774f2e70e01c0eeb5

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
75KB

MD5
5da146533930f785bc240cb6f4ddcdf8

SHA1
5c9c55599b10eed797e37a5d38d7ac472c02ef60

SHA256
f893d9f823a335bf49f923974352e1b9d0d5e605f814610719fc0878f83c6b58

SHA512
877be162e514a0b345cc379f20b41eb3fdd443256930bb886ca40806e615dfba90e6ac1b1295537588f9ca899e3b80a83f7e4c7c507096e341b48ef0fe4fa2a6

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
3ed1313da7790667e4b0d3b32c6d9716

SHA1
5b402ec3453fcab6937f5dcadd6f09728a110bce

SHA256
4448cd660281ccec8c3cfaa73b2ad055965328939c629ca4815ec42de7c85ff1

SHA512
fdcdcd7c484e4010a3bf2a7114c618132baa00ac5515c006b473e8212f651dc15a5ed2a1c6374bd42815a3004f773120de8654a3a86efbfc75c5b988acf21234

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
a21c8622b3e6215ab71d2e8410106798

SHA1
7d7f928eb0efad399231d670349327429521f140

SHA256
0e81797246d0c0b3af02afc9f55f33c763c31cb52e7cc6ee5879c43064656ff1

SHA512
ba48ba7b14ba0ace9e9ce0ac8a50099db95035cb2a281f2cbe2941fa140e8d12a677e018b50e66e0ac16ee364451f45851f933496707025e6591c5276ee913dc

Download Submit
memory/2484-26-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2484-17-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2484-23-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2484-15-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2604-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2756-40-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2756-41-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2756-45-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads