dbcc1bec2dbc4002cfdade40966eb639ccf4da67a7b9728f444beb1d35ed4f7f

Resubmissions

12-06-2024 08:28

240612-kcy2jawckj 10

10-06-2024 17:27

240610-v1ktxsvbpk 10

Analysis

max time kernel
29s
max time network
31s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
10-06-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mydoom/3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Size

41KB
MD5

3e67d212278e1af5be913d236399fcf6
SHA1

f993125ed4af1de6a551a6e0843a6d124cd46f27
SHA256

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464
SHA512

f7e6394c9f9fdd6a03c72aaece5b4911cb821680a632f94b622b12d94cff9873d93b2c6604016524bdab4dd6e4b70b532c440f6b296138677be19e078ad23ec7
SSDEEP

768:/eMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09sy:/q5VwWDjDkdTRqHFOn8tIbbeYiuZIFSl

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\shervans.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

ctfmen.exesmnss.exe

pid process

3808 ctfmen.exe
4092 smnss.exe
Loads dropped DLL 2 IoCs

Processes:

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exesmnss.exe

pid process

1296 3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
4092 smnss.exe

pid	process
3808	ctfmen.exe
4092	smnss.exe

pid	process
1296	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
4092	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exesmnss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smnss.exe3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

Drops file in System32 directory 12 IoCs

Processes:

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exesmnss.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shervans.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File created	C:\Windows\SysWOW64\grcopy.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File created	C:\Windows\SysWOW64\satornas.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

Drops file in Program Files directory 64 IoCs

Processes:

smnss.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe

Modifies registry class 6 IoCs

Processes:

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exesmnss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

smnss.exe

description pid process

Token: SeDebugPrivilege 4092 smnss.exe

description	pid	process
Token: SeDebugPrivilege	4092	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exectfmen.exe

description	pid	process	target process
PID 1296 wrote to memory of 3808	1296	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe	ctfmen.exe
PID 1296 wrote to memory of 3808	1296	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe	ctfmen.exe
PID 1296 wrote to memory of 3808	1296	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe	ctfmen.exe
PID 3808 wrote to memory of 4092	3808	ctfmen.exe	smnss.exe
PID 3808 wrote to memory of 4092	3808	ctfmen.exe	smnss.exe
PID 3808 wrote to memory of 4092	3808	ctfmen.exe	smnss.exe

C:\Users\Admin\AppData\Local\Temp\Mydoom\3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
"C:\Users\Admin\AppData\Local\Temp\Mydoom\3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\ctfmen.exe
ctfmen.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\smnss.exe
C:\Windows\system32\smnss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe
Filesize
4KB

MD5
58e287b04e88c601b064ca8ac422fe97

SHA1
67c07888ace004acdd8a4b63c20fda2ef21525dc

SHA256
cc5256fe4f97a0c5b46632a1e3dc8df8c0f8767926136e6a36d1b4b8206af0f0

SHA512
66dbc37f376b9a98b3e969eb03b994e05fb269720305225ab822c26003ada028cd7fc5e6e865bbbd8cde24d87d03638c331a2202f30c9a7a929f3b3f874f4b8b

Download Submit
C:\Windows\SysWOW64\grcopy.dll
Filesize
41KB

MD5
c6d5efae8042a4364f84e9559e0268cd

SHA1
76fdb4dd52f2627bd9de30da9475a0f4e741ce5b

SHA256
5dcda2a76a2ec2928605efc21be5b6b3ccbc2a34397256022b454ef49af92ad3

SHA512
bcf3447ffc5cadec204ca32f9d56c44435009c5d1ffc0042c1fb91ba6b14e2c85bbbde4b0a2da80dc6908327149e4f41c56027c3e3d5dcb4775c48934602b242

Download Submit
C:\Windows\SysWOW64\satornas.dll
Filesize
183B

MD5
32272cac7eb27aa343a534659b139871

SHA1
a3a3cf772c898147122a42faca803d46bd8c8ae3

SHA256
b4fbcc778a843b95e4cad57edfb8a80bc821edf108aa3bfd3139f4f1704b4f2b

SHA512
e24389dd6e08c1ff15233fe827464a3b406b8f249f59a3dd87f5b9c1cf7e1835ac2dd743327fa3b9fa3598a44a45dbc5b75541cbec5fe965f2aad557d22fe65c

Download Submit
C:\Windows\SysWOW64\shervans.dll
Filesize
8KB

MD5
09b1b148683bff62a592fa7e80516394

SHA1
d2c002ab2f3a9b72f3f21ad47c1fb9b1c06db5e3

SHA256
88f200100cbf70c9006b9a779bdf31aeb0c5a32b724068ae41e3c7eff249f41f

SHA512
57fb78c01dc8905d4ec0c8f31fc7530139f8a91f279c9ebbcfad3803d50a1b4176c9e33111847707c39cb5efbf8a0a103693d3e68893d5c5e91951ce26f5aaa9

Download Submit
memory/1296-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1296-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1296-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1296-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4092-30-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4092-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4092-39-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4092-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download