Analysis
- max time kernel: 144s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 19:12
Static task: static1
Behavioral task: behavioral1
- Sample: 1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
- Resource: win10v2004-20240226-en
General
- Target: 1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
- Size: 120KB
- MD5: 80d5bd632ae012d76536279fd467d87e
- SHA1: d2007ae0a2232adb673ec872546b334018258d8d
- SHA256: 1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2
- SHA512: 2a568fc7a6572b24fd8a1af288e3efcac60fffcb6ac6508da1c1eef3b639d0232da7f0e843b9a551154b87be53870907db0b5e7d2d65ff87149fdd7a080c5d02
- SSDEEP: 3072:WOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:WIs9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures
- UPX dump on OEP (original entry point), 12 IoCs
  resource (yara_rule):
  - behavioral1/memory/2468-0-0x0000000000400000-0x0000000000420000-memory.dmp (UPX)
  - behavioral1/files/0x000b000000012303-10.dat (UPX)
  - behavioral1/memory/2468-14-0x0000000010000000-0x000000001000D000-memory.dmp (UPX)
  - behavioral1/files/0x000c0000000122e4-17.dat (UPX)
  - behavioral1/memory/2468-18-0x00000000002D0000-0x00000000002D9000-memory.dmp (UPX)
  - behavioral1/files/0x0008000000012678-29.dat (UPX)
  - behavioral1/memory/2468-27-0x0000000010000000-0x000000001000D000-memory.dmp (UPX)
  - behavioral1/memory/2924-32-0x0000000000400000-0x0000000000409000-memory.dmp (UPX)
  - behavioral1/memory/2468-26-0x0000000000400000-0x0000000000420000-memory.dmp (UPX)
  - behavioral1/memory/2700-36-0x0000000000400000-0x0000000000420000-memory.dmp (UPX)
  - behavioral1/memory/2700-43-0x0000000010000000-0x000000001000D000-memory.dmp (UPX)
  - behavioral1/memory/2700-49-0x0000000000400000-0x0000000000420000-memory.dmp (UPX)
- ACProtect 1.3x - 1.4x DLL software, 1 IoC
  Detects file using ACProtect software.
  resource (yara_rule):
  - behavioral1/files/0x000b000000012303-10.dat (acprotect)
- Executes dropped EXE, 2 IoCs
  pid, Process:
  - 2924 ctfmen.exe
  - 2700 smnss.exe
- Loads dropped DLL, 9 IoCs
  pid, Process:
  - 2468 1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
  - 2468 1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
  - 2468 1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
  - 2924 ctfmen.exe
  - 2924 ctfmen.exe
  - 2700 smnss.exe
  - 2752 WerFault.exe
  - 2752 WerFault.exe
  - 2752 WerFault.exe
- Adds Run key to start application, 2 TTPs, 2 IoCs
  description, ioc, Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" (smnss.exe)
- Maps connected drives based on registry, 3 TTPs, 6 IoCs
  Disk information is often read in order to detect sandboxing environments.
  description, ioc, Process:
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (smnss.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (smnss.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 (smnss.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
- Drops file in System32 directory, 12 IoCs
  description, ioc, Process:
  - File created: C:\Windows\SysWOW64\smnss.exe (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - File opened for modification: C:\Windows\SysWOW64\satornas.dll (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - File created: C:\Windows\SysWOW64\zipfiaq.dll (smnss.exe)
  - File created: C:\Windows\SysWOW64\smnss.exe (smnss.exe)
  - File created: C:\Windows\SysWOW64\ctfmen.exe (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - File opened for modification: C:\Windows\SysWOW64\ctfmen.exe (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - File opened for modification: C:\Windows\SysWOW64\grcopy.dll (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - File opened for modification: C:\Windows\SysWOW64\shervans.dll (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - File created: C:\Windows\SysWOW64\shervans.dll (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - File created: C:\Windows\SysWOW64\grcopy.dll (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - File created: C:\Windows\SysWOW64\satornas.dll (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - File created: C:\Windows\SysWOW64\zipfi.dll (smnss.exe)
- Drops file in Program Files directory, 64 IoCs (all "File opened for modification" by smnss.exe)
- Program crash, 1 IoC
  pid, pid_target, Process, procid_target:
  - 2752, 2700, WerFault.exe, 29
- Modifies registry class, 6 IoCs
  description, ioc, Process:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" (1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" (smnss.exe)
- Suspicious use of AdjustPrivilegeToken, 1 IoC
  description, pid, Process:
  - Token: SeDebugPrivilege, 2700, smnss.exe
- Suspicious use of WriteProcessMemory, 12 IoCs
  description, pid, Process, procid_target:
  - PID 2468 wrote to memory of 2924, 2468, 1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe, 28
  - PID 2468 wrote to memory of 2924, 2468, 1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe, 28
  - PID 2468 wrote to memory of 2924, 2468, 1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe, 28
  - PID 2468 wrote to memory of 2924, 2468, 1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe, 28
  - PID 2924 wrote to memory of 2700, 2924, ctfmen.exe, 29
  - PID 2924 wrote to memory of 2700, 2924, ctfmen.exe, 29
  - PID 2924 wrote to memory of 2700, 2924, ctfmen.exe, 29
  - PID 2924 wrote to memory of 2700, 2924, ctfmen.exe, 29
  - PID 2700 wrote to memory of 2752, 2700, smnss.exe, 30
  - PID 2700 wrote to memory of 2752, 2700, smnss.exe, 30
  - PID 2700 wrote to memory of 2752, 2700, smnss.exe, 30
  - PID 2700 wrote to memory of 2752, 2700, smnss.exe, 30
Processes
- C:\Users\Admin\AppData\Local\Temp\1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe (PID 2468, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (PID 2924, depth 2)
    Command line: ctfmen.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (PID 2700, depth 3)
      Command line: C:\Windows\system32\smnss.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (PID 2752, depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 796
        - Loads dropped DLL
        - Program crash
Downloads