Analysis

- Max time kernel: 144s
- Max time network: 121s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 03-06-2024 05:43

Static task: static1

Behavioral task: behavioral1
- Sample: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe
- Resource: win10v2004-20240508-en
General

- Target: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe
- Size: 75KB
- MD5: 3e26376479d7d154bcaa2d45b919a6c2
- SHA1: 75e4251d8d637ba3cf1d28e18df7ea93fa853e9d
- SHA256: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044
- SHA512: 3b5c58b7902c6ccbe6258cefa72612e3f25c93d646b5593e22e89fcd5d094aac77b2ec04052b06f2dc052eefd967b438f5b1979c1a4fc84ba29daafe6940def2
- SSDEEP: 1536:6x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:qOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE
Malware Config
Signatures

UPX dump on OEP (original entry point) - 7 IoCs
Resources matching yara rule UPX:
- behavioral1/files/0x002d000000014665-9.dat
- behavioral1/memory/2880-11-0x0000000010000000-0x000000001000D000-memory.dmp
- behavioral1/files/0x000d00000001232e-16.dat
- behavioral1/memory/2880-17-0x0000000000350000-0x0000000000359000-memory.dmp
- behavioral1/memory/2880-26-0x0000000010000000-0x000000001000D000-memory.dmp
- behavioral1/memory/2756-31-0x0000000000400000-0x0000000000409000-memory.dmp
- behavioral1/memory/2620-39-0x0000000010000000-0x000000001000D000-memory.dmp
ACProtect 1.3x - 1.4x DLL software - 1 IoC
Detects file using ACProtect software.
Resources matching yara rule acprotect:
- behavioral1/files/0x002d000000014665-9.dat
Executes dropped EXE - 2 IoCs
- PID 2756: ctfmen.exe
- PID 2620: smnss.exe
Loads dropped DLL - 9 IoCs
- PID 2880: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe (3 entries)
- PID 2756: ctfmen.exe (2 entries)
- PID 2620: smnss.exe (1 entry)
- PID 2728: WerFault.exe (3 entries)
Adds Run key to start application - 2 TTPs, 2 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" (process: smnss.exe)
Maps connected drives based on registry - 3 TTPs, 6 IoCs
Disk information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 (process: smnss.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: smnss.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: smnss.exe)
Drops file in System32 directory - 12 IoCs
- File opened for modification C:\Windows\SysWOW64\ctfmen.exe (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- File created C:\Windows\SysWOW64\grcopy.dll (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- File opened for modification C:\Windows\SysWOW64\grcopy.dll (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- File opened for modification C:\Windows\SysWOW64\shervans.dll (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- File created C:\Windows\SysWOW64\smnss.exe (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- File created C:\Windows\SysWOW64\ctfmen.exe (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- File created C:\Windows\SysWOW64\shervans.dll (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- File created C:\Windows\SysWOW64\satornas.dll (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- File opened for modification C:\Windows\SysWOW64\satornas.dll (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- File created C:\Windows\SysWOW64\zipfi.dll (process: smnss.exe)
- File created C:\Windows\SysWOW64\zipfiaq.dll (process: smnss.exe)
- File created C:\Windows\SysWOW64\smnss.exe (process: smnss.exe)
Drops file in Program Files directory - 64 IoCs
All entries are "File opened for modification" by process smnss.exe:
- C:\Program Files\7-Zip\Lang\ug.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml
- C:\Program Files\7-Zip\Lang\pl.txt
- C:\Program Files\7-Zip\Lang\et.txt
- C:\Program Files\7-Zip\Lang\uz.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml
- C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html
- C:\Program Files\7-Zip\Lang\ca.txt
- C:\Program Files\7-Zip\Lang\kaa.txt
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt
- C:\Program Files\7-Zip\Lang\fr.txt
- C:\Program Files\7-Zip\Lang\tr.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm
- C:\Program Files\7-Zip\Lang\de.txt
- C:\Program Files\7-Zip\Lang\fur.txt
- C:\Program Files\7-Zip\Lang\ku.txt
- C:\Program Files\7-Zip\Lang\mk.txt
- C:\Program Files\7-Zip\Lang\nl.txt
- C:\Program Files\7-Zip\Lang\nn.txt
- C:\Program Files\7-Zip\Lang\sq.txt
- C:\Program Files\7-Zip\Lang\ta.txt
- C:\Program Files\7-Zip\Lang\bg.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
- C:\Program Files\7-Zip\Lang\ast.txt
- C:\Program Files\7-Zip\Lang\ka.txt
- C:\Program Files\7-Zip\Lang\mn.txt
- C:\Program Files\7-Zip\Lang\ms.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm
- C:\Program Files\7-Zip\Lang\el.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml
- C:\Program Files\7-Zip\Lang\hi.txt
- C:\Program Files\7-Zip\Lang\tt.txt
- C:\Program Files\7-Zip\Lang\ps.txt
- C:\Program Files\7-Zip\Lang\fa.txt
- C:\Program Files\7-Zip\Lang\kab.txt
- C:\Program Files\7-Zip\Lang\sk.txt
- C:\Program Files\7-Zip\Lang\yo.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml
- C:\Program Files\7-Zip\History.txt
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm
- C:\Program Files\7-Zip\Lang\bn.txt
- C:\Program Files\7-Zip\Lang\kk.txt
- C:\Program Files\7-Zip\Lang\uz-cyrl.txt
- C:\Program Files\7-Zip\Lang\ar.txt
- C:\Program Files\7-Zip\Lang\lt.txt
- C:\Program Files\7-Zip\Lang\pa-in.txt
- C:\Program Files\7-Zip\Lang\vi.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml
- C:\Program Files\7-Zip\Lang\af.txt
- C:\Program Files\7-Zip\Lang\mng2.txt
- C:\Program Files\7-Zip\Lang\ru.txt
Program crash - 1 IoC
- PID 2728 WerFault.exe, reporting target PID 2620 (procid_target 29)
Modifies registry class - 6 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" (process: smnss.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe)
Suspicious use of AdjustPrivilegeToken - 1 IoC
- Token: SeDebugPrivilege (PID 2620, smnss.exe)
Suspicious use of WriteProcessMemory - 12 IoCs
- PID 2880 wrote to memory of PID 2756 (process: f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe, procid_target 28) - 4 entries
- PID 2756 wrote to memory of PID 2620 (process: ctfmen.exe, procid_target 29) - 4 entries
- PID 2620 wrote to memory of PID 2728 (process: smnss.exe, procid_target 30) - 4 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f95f323f382c6671416f77104361c6c8be822a6012ceeea90f77b518d7965044.exe"
   PID: 2880
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\ctfmen.exe
      Command line: ctfmen.exe
      PID: 2756
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\smnss.exe
         Command line: C:\Windows\system32\smnss.exe
         PID: 2620
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Maps connected drives based on registry
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 828
            PID: 2728
            - Loads dropped DLL
            - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads