Analysis

max time kernel: 144s
max time network: 119s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 06/07/2024, 22:04
Static task: static1

Behavioral task: behavioral1
  Sample: 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  Resource: win10v2004-20240704-en
General

Target: 1ac044ae7ed3553b3cb1869f56916cb0N.exe
Size: 119KB
MD5: 1ac044ae7ed3553b3cb1869f56916cb0
SHA1: ab210202cbbe50d8b1690d10a72bd8de0fae4b2a
SHA256: 45759b16cddc2ff8863275ba25b4f8859192b881292a189ec491cbb9c0804a92
SHA512: 5e120da77afc9ce74dafc1c1f6f38c93e2c056771819b9c31ff81d5b12f5a84a38de512b1c967b56751f0d2d13882b55c2bb806f5b318f907cfc47269be8699f
SSDEEP: 3072:SOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:SIs9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource: behavioral1/files/0x00080000000171a6-10.dat
  yara_rule: acprotect
Executes dropped EXE (2 IoCs)
  pid 2356 | ctfmen.exe
  pid 2704 | smnss.exe
Loads dropped DLL (9 IoCs)
  pid 1760 | 1ac044ae7ed3553b3cb1869f56916cb0N.exe (3 entries)
  pid 2356 | ctfmen.exe (2 entries)
  pid 2704 | smnss.exe (1 entry)
  pid 2696 | WerFault.exe (3 entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
Drops file in System32 directory (12 IoCs)
  File created                 | C:\Windows\SysWOW64\grcopy.dll   | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  File opened for modification | C:\Windows\SysWOW64\grcopy.dll   | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  File opened for modification | C:\Windows\SysWOW64\shervans.dll | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  File created                 | C:\Windows\SysWOW64\smnss.exe    | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  File created                 | C:\Windows\SysWOW64\satornas.dll | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  File created                 | C:\Windows\SysWOW64\zipfiaq.dll  | smnss.exe
  File created                 | C:\Windows\SysWOW64\ctfmen.exe   | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  File created                 | C:\Windows\SysWOW64\shervans.dll | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  File created                 | C:\Windows\SysWOW64\smnss.exe    | smnss.exe
  File created                 | C:\Windows\SysWOW64\zipfi.dll    | smnss.exe
  File opened for modification | C:\Windows\SysWOW64\ctfmen.exe   | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  File opened for modification | C:\Windows\SysWOW64\satornas.dll | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by smnss.exe:
  C:\Program Files\7-Zip\Lang\va.txt
  C:\Program Files\7-Zip\Lang\yo.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml
  C:\Program Files\7-Zip\Lang\id.txt
  C:\Program Files\7-Zip\Lang\mng.txt
  C:\Program Files\7-Zip\Lang\gu.txt
  C:\Program Files\7-Zip\Lang\ko.txt
  C:\Program Files\7-Zip\Lang\ku.txt
  C:\Program Files\7-Zip\Lang\mng2.txt
  C:\Program Files\7-Zip\Lang\ne.txt
  C:\Program Files\7-Zip\Lang\sr-spc.txt
  C:\Program Files\7-Zip\Lang\ba.txt
  C:\Program Files\7-Zip\Lang\bg.txt
  C:\Program Files\7-Zip\Lang\uk.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt
  C:\Program Files\7-Zip\Lang\fur.txt
  C:\Program Files\7-Zip\Lang\kk.txt
  C:\Program Files\7-Zip\Lang\sw.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml
  C:\Program Files\7-Zip\Lang\hr.txt
  C:\Program Files\7-Zip\Lang\sq.txt
  C:\Program Files\7-Zip\Lang\ug.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml
  C:\Program Files\7-Zip\Lang\pt-br.txt
  C:\Program Files\7-Zip\Lang\tt.txt
  C:\Program Files\7-Zip\Lang\ext.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt
  C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt
  C:\Program Files\7-Zip\Lang\bn.txt
  C:\Program Files\7-Zip\Lang\eu.txt
  C:\Program Files\7-Zip\Lang\ro.txt
  C:\Program Files\7-Zip\Lang\uz.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm
  C:\Program Files\7-Zip\Lang\da.txt
  C:\Program Files\7-Zip\Lang\fy.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml
  C:\Program Files\7-Zip\Lang\mr.txt
  C:\Program Files\7-Zip\Lang\sr-spl.txt
  C:\Program Files\7-Zip\Lang\ps.txt
  C:\Program Files\7-Zip\Lang\sa.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm
  C:\Program Files\Java\jdk1.7.0_80\jre\README.txt
  C:\Program Files\7-Zip\Lang\is.txt
  C:\Program Files\7-Zip\Lang\lv.txt
  C:\Program Files\7-Zip\Lang\ku-ckb.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml
  C:\Program Files\7-Zip\Lang\hu.txt
  C:\Program Files\7-Zip\Lang\hy.txt
Program crash (1 IoC)
  pid 2696 (WerFault.exe) | pid_target 2704 | procid_target 31
Modifies registry class (6 IoCs)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 1ac044ae7ed3553b3cb1869f56916cb0N.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege | pid 2704 | smnss.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1760 wrote to memory of 2356 | 1ac044ae7ed3553b3cb1869f56916cb0N.exe | procid_target 30 (4 entries)
  PID 2356 wrote to memory of 2704 | ctfmen.exe | procid_target 31 (4 entries)
  PID 2704 wrote to memory of 2696 | smnss.exe | procid_target 32 (4 entries)
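The signature tables above can be triaged mechanically. The Python below is an added example, not part of the sandbox report or its tooling: it parses the report's own IoC lines (copied above as constructed input), rebuilds the parent/child chain from the "wrote to memory of" entries, and flags the two persistence writes the run performed, the CurrentVersion\Run value and the CLSID InprocServer32 redirection (Registry Run Keys and COM Hijacking in ATT&CK terms; that mapping is this example's, the page lists no technique IDs). InprocServer32 under a CLSID names the DLL that COM loads in-process for that class, so pointing it at shervans.dll makes any host of that class load the dropped DLL. Each flagged target is cross-checked against the files created during the run by basename, because a 32-bit process writing to "system32" under WOW64 is redirected to SysWOW64, so the Run value and the drop path differ textually while naming the same file. The regexes, rule names and result fields are this example's own.

```python
"""Triage helpers for the flattened sandbox report above (example code, not
the sandbox's own). Parses IoC lines, rebuilds the process chain from the
WriteProcessMemory entries and flags Run-key / CLSID InprocServer32 writes,
noting whether each target is a file this run created."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: lines copied verbatim from the report's signature tables.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 1ac044ae7ed3553b3cb1869f56916cb0N.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 1ac044ae7ed3553b3cb1869f56916cb0N.exe',
    r'File created C:\Windows\SysWOW64\grcopy.dll 1ac044ae7ed3553b3cb1869f56916cb0N.exe',
    r'File created C:\Windows\SysWOW64\shervans.dll 1ac044ae7ed3553b3cb1869f56916cb0N.exe',
    r'File created C:\Windows\SysWOW64\ctfmen.exe 1ac044ae7ed3553b3cb1869f56916cb0N.exe',
    r'File created C:\Windows\SysWOW64\smnss.exe 1ac044ae7ed3553b3cb1869f56916cb0N.exe',
    r'1760 1ac044ae7ed3553b3cb1869f56916cb0N.exe',
    r'2356 ctfmen.exe',
    r'2704 smnss.exe',
    r'2696 WerFault.exe',
    r'PID 1760 wrote to memory of 2356 1760 1ac044ae7ed3553b3cb1869f56916cb0N.exe 30',
    r'PID 2356 wrote to memory of 2704 2356 ctfmen.exe 31',
    r'PID 2704 wrote to memory of 2696 2704 smnss.exe 32',
]

# Shapes of the four line kinds used here (registry value, file creation,
# "pid Process" pair, WriteProcessMemory entry). The process name is always
# the last space-free token, and the sandbox escapes backslashes in values.
SET_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+) = "(?P<val>[^"]*)" (?P<proc>\S+)$')
FILE_RE = re.compile(r'^File created (?P<path>.+?) (?P<proc>\S+)$')
PID_RE = re.compile(r'^(?P<pid>\d+) (?P<name>\S+\.exe)$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) \d+$')
# Persistence locations this example knows about (its own rule set).
RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\]+)$', re.I)
INPROC = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})\\InprocServer32\\?$', re.I)


def parse(lines):
    """Bucket report lines into registry sets, created files, pid names and writes."""
    ev = {'sets': [], 'created': [], 'names': {}, 'writes': []}
    for line in lines:
        if m := SET_RE.match(line):
            ev['sets'].append((m['key'], m['val'].replace('\\\\', '\\'), m['proc']))
        elif m := FILE_RE.match(line):
            ev['created'].append((m['path'], m['proc']))
        elif m := PID_RE.match(line):
            ev['names'][int(m['pid'])] = m['name']
        elif m := WPM_RE.match(line):
            ev['writes'].append((int(m['src']), int(m['dst'])))
            ev['names'].setdefault(int(m['src']), m['proc'])
    return ev


def process_chain(ev):
    """Order processes parent-first from WriteProcessMemory source/target pairs.
    Returns [(depth, pid, name)], rooted at the process nothing wrote into."""
    children = defaultdict(list)
    for src, dst in ev['writes']:
        if dst not in children[src]:
            children[src].append(dst)
    targets = {dst for _, dst in ev['writes']}
    roots = [src for src in list(children) if src not in targets]
    out = []

    def walk(pid, depth):
        out.append((depth, pid, ev['names'].get(pid, '<unknown>')))
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


def findings(ev):
    """Flag Run-key and CLSID InprocServer32 writes; 'dropped' is True when the
    target's basename matches a file created in this run (basename, not full
    path, because WOW64 redirects a 32-bit process's system32 to SysWOW64)."""
    dropped = {PureWindowsPath(p).name.lower() for p, _ in ev['created']}
    out = []
    for key, val, proc in ev['sets']:
        target = PureWindowsPath(val)
        base = {'proc': proc, 'target': str(target), 'dropped': target.name.lower() in dropped}
        if m := RUN_KEY.search(key):
            out.append({'type': 'run_key', 'name': m['name'], **base})
        elif m := INPROC.search(key):
            out.append({'type': 'com_inproc', 'clsid': m['clsid'].upper(), **base})
    return out


if __name__ == '__main__':
    events = parse(REPORT_LINES)
    for depth, pid, name in process_chain(events):
        print('  ' * depth + f'{pid} {name}')
    for f in findings(events):
        print(f)
```

Run stand-alone it prints the chain sample → ctfmen.exe → smnss.exe → WerFault.exe, two run_key findings (one per writer, both with dropped=True) and one com_inproc finding for {E6FB5E20-DE35-11CF-9C87-00AA005127ED} pointing at the dropped shervans.dll. Matching persistence targets against created files rather than trusting the directory matters here: the editor's observation is that ctfmen.exe and smnss.exe sit in a Windows system directory and are each one character away from the legitimate ctfmon.exe and smss.exe, so a path-based allowlist would pass them.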
Processes

1. C:\Users\Admin\AppData\Local\Temp\1ac044ae7ed3553b3cb1869f56916cb0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1ac044ae7ed3553b3cb1869f56916cb0N.exe"
   PID: 1760
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\ctfmen.exe
      Command line: ctfmen.exe
      PID: 2356
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\smnss.exe
         Command line: C:\Windows\system32\smnss.exe
         PID: 2704
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Maps connected drives based on registry
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 824
            PID: 2696
            - Loads dropped DLL
            - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 183B
  MD5: 99549d6659d29af0f92d9e1384b0a4e2
  SHA1: 41679955bd33026fe3b8cca09c2f3c9c6cee24c1
  SHA256: da9731a7d3cffb90cba468e3a8a10d6b5a868ef5928410df91f6969f141a91bd
  SHA512: 92f357eac987ecf357d87a134a98d4615dc841f9b30619974de35ef37bd75ec26fc7b0a33ebee25f60cfe6ee1b3401bab23a0e5d2d9bddf537d627f7a54e8eb4

- Filesize: 119KB
  MD5: 1c868c36f7691f6e945576de5e6f90aa
  SHA1: 8e157b0180713c02f5f2317ecb3b04323b7a2081
  SHA256: 0adb7160cbf660a615d649eb38b041ae48b4b2fb1d2c4718780466931f3b529c
  SHA512: b9ebb8973d50026e54ce200ea597647a6323cc1582241dfb01c8c8734299736634cefd834d2b8a337e11bd8f2bd7da0b664a63744c590332a7c321716ace0979

- Filesize: 4KB
  MD5: 1f4004ce50dc559fb960185b40d29dde
  SHA1: 539805dca6fd2741e2a52cdfa81d5279ace614c2
  SHA256: a0adadf6e5f3807a2759a9df0dfe2f5789f01d0448fdca041daf2fc2197ff145
  SHA512: dc2e4957b8424fe87fad544d6c3434200c74d2ce59005955864e3191127cdee1309c283b61acba46cedd198818bf885792c770887b50deae95150e60f328e27c

- Filesize: 8KB
  MD5: 24faced3fef1b929522a31e9d0895b25
  SHA1: a3f1228611120ff64a6a2da32165c61ad10f5bab
  SHA256: 0311e2ee1f6003608a2ddc49c032d1d65aa18125eb7236764fcca3087f56eaed
  SHA512: 6f28b43c4466abd1a4c66ee7dc8a4f9865e619bd5eeadc7b5a2f672e12d1dd3f536359a0bc45065a4e44186b7a92c5fcfc559ff15b9d1fa119441126a550737b