bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94

General

Target

bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Size

195KB
MD5

28adad392a7893b3353722630c9d3d6d
SHA1

685951f18dc6ac11fa98474585d1cef32d535602
SHA256

bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94
SHA512

48ea8b190dd57100f8282001f2f821093a346c2b354c2fd9144189ed7f3f13af8843b1b4a8cb61c7ea8237af3556a75a39c3eabaf4a58df81d774dd5a34c07cf
SSDEEP

6144:/Is9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCyOW:KKofHfHTXQLzgvnzHPowYbvrjD/L7QPo

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00090000000234da-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4312	ctfmen.exe
3892	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
3892	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\grcopy.dll	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
File created	C:\Windows\SysWOW64\smnss.exe	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
File created	C:\Windows\SysWOW64\satornas.dll	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3272	3892	WerFault.exe	86

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3892	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4312	2736	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe	85
PID 2736 wrote to memory of 4312	2736	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe	85
PID 2736 wrote to memory of 4312	2736	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe	85
PID 4312 wrote to memory of 3892	4312	ctfmen.exe	86
PID 4312 wrote to memory of 3892	4312	ctfmen.exe	86
PID 4312 wrote to memory of 3892	4312	ctfmen.exe	86

C:\Users\Admin\AppData\Local\Temp\bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
"C:\Users\Admin\AppData\Local\Temp\bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1336
      4⤵
      Program crash
      PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3892 -ip 3892
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
2c44c2749a67af8f91833a866416fb52

SHA1
7d4fe8251d79cd999eb3a489dc9c98cda59cd979

SHA256
af7e55a61c75c26604a1b2e81e5f43f97bf6a59e7efee2f6bdcb0f6a2cbd13b6

SHA512
9012a814b332b080298c2474d66bce06a02498d1d4f0e02a4a7fa7d3e0e47323d854730eda991a3cf06b7ca61bc72b19f0c54308cb304a820fabe9495e9f3eb0

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
195KB

MD5
f2b6faf094fb49b84379bf328e628a5a

SHA1
c53639b5022573dae573367d0617aeb1589d0977

SHA256
8d545ea9e92eda46868452e1cfcb07cf733738b49be66fcdce1cf164aa4ae0b8

SHA512
4540abdc8faa168c366fb6814dc2c342c5507bd52b8442918ef38578f29fde77b37cdfe2ccfa85c9ed7384201064b1c311792a40d1ca97bb8d9345c851562261

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
e043eca02f1c5d851406d38665c69b70

SHA1
aa8e51f70f04a2c7beedb5cf5630072e175fe4ff

SHA256
8ecebe611fc6905c2f0dbdd3dbb9e628f5f787b67b06c73774bb2637826a94d2

SHA512
f87b80fbd280a501ca3472fb1568d6e0865c893951b6f4367749826733854e6ad842809f04ad3d992d6eb45caa2615a47fed12fa83af069083ae4a2aff05ce95

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
ca7c3837c5f07080497d4177e7adef4d

SHA1
2999f6ce0c0300dd3c35864e1788e160fb9415d7

SHA256
4e02ea84653c7987d73bd3e107cd0f19e42ad48bb8dfb62aa2d45f54ce81d361

SHA512
18465b8d9bed9cbca38ba9ad55fa4476b1efe730deda2c044e2288a37f0e2b82e11ffeea8102c2bf94440fad645b427ae976b9e5e91de31692d12da8f155dede

Download Submit
memory/2736-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2736-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2736-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2736-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3892-30-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3892-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3892-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4312-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4312-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads