e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 03:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
Size

75KB
MD5

00caeda1718371b2b302c8b60348dfdc
SHA1

ec7ac79ca6190f5b91543278f404e154a3aa4e84
SHA256

e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f
SHA512

f7cc198432f9ae6ad9dbf5f3b3f5cc114f8df38579a7c5e6ee09e7c884960b818cd18bff4cdc0caf0ca1251cde192fa4c8b5d64c379f3381a0dfaa5cdce28c90
SSDEEP

1536:zx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3v:NOjWuyt0ZsqsXOKofHfHTXQLzgvnzHP3

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral2/files/0x000800000002326c-9.dat	UPX
behavioral2/memory/3964-11-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/memory/3964-19-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/files/0x0008000000023269-21.dat	UPX
behavioral2/memory/3632-22-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/3964-29-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/memory/3632-27-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/3664-38-0x0000000010000000-0x000000001000D000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002326c-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3632	ctfmen.exe
3664	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
3964	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
3664	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
File created	C:\Windows\SysWOW64\smnss.exe	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
File created	C:\Windows\SysWOW64\grcopy.dll	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
File created	C:\Windows\SysWOW64\satornas.dll	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1700	3664	WerFault.exe	92

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 3632	3964	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe	91
PID 3964 wrote to memory of 3632	3964	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe	91
PID 3964 wrote to memory of 3632	3964	e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe	91
PID 3632 wrote to memory of 3664	3632	ctfmen.exe	92
PID 3632 wrote to memory of 3664	3632	ctfmen.exe	92
PID 3632 wrote to memory of 3664	3632	ctfmen.exe	92

C:\Users\Admin\AppData\Local\Temp\e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe
"C:\Users\Admin\AppData\Local\Temp\e07a15021b513b0646c01e2ee4a0cadccbcf440b50275f19040949d6ae1c672f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 1328
      4⤵
      Program crash
      PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3664 -ip 3664
1⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
1caf4f1c2775af076dc8cd96efae551c

SHA1
8b1cd4644579cbdfb066571f13f66336b0d53290

SHA256
21212d7d996a55d7f9ec2d6cdd0fba811477f076d9513e3a2e9da671b725ae4f

SHA512
c61f9f83abe12df99246c529bcb87d14ba3832d3bbb9b0ea2bd4b27833eb0f0715f46784ca480025799585c5e2c32d87d84240de0613c80183fba472975f34ff

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
75KB

MD5
61980dc8cc09fe50505601d7301e7c6b

SHA1
ff8769372296d918746f1d1d996868f61d61b6a1

SHA256
cbc737bbb1c7270fd9f5c7be5ebebfec8188c88530a250bb5c4fa14166612ef1

SHA512
37e81b99c43aa56e4daae6571d1c2da2800cb553b596837259170acd439e606c1a5189ba4a67f4c10fd4b650264f64099d15bb74f695cc01388dc5df0b14c9f9

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
26ff7f6504c292a81cbf0c954cde33d4

SHA1
4bc665a04be1209ec78d58d8e0dc24c02d87f475

SHA256
7dc7854528a24bef8ab23d1e0235939617f40248ab71738607e3999016ca0663

SHA512
741459babdc5611490d4560f96bbac0999b8b51b2692602fd60346e7469fbd5fd9b5af99c9db78afa4d85fef965d1b7def80bdf79af1b41a49631d3a2401178f

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
3b69ebb93789175e8c1be27195ff21cd

SHA1
b98d6f3ed2d23c51ef819821fd25bf9bfdce12fc

SHA256
3359434c4c0cf35d7e662c94c0a3f9a346c566941782f92b2a4e3fbe6860fea5

SHA512
7c25a3467e0ece8175e8d49b6f5ab372230629150bb129d626428730f054072abeaa571a94c0503fd07ffa894797f1eee2186ebd0010de290bd1540ef5694efc

Download Submit
memory/3632-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3632-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3664-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3664-39-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3964-11-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3964-18-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3964-19-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3964-29-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads