cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
Size

75KB
MD5

ce026b87a9d673dd9a5be7a934dee4f1
SHA1

747eb36d2a8474409b3e15323fc98b7a7303cec4
SHA256

cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792
SHA512

7573fdf0f5f72bd66d6f053c94229abffccfcb6eb5904e25191e59fdb1ac00ca7dff160bb1d7f0db1e401383fb799e04cd0532af7d17a394c9ea8fb139222bd1
SSDEEP

1536:wx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:4OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016105-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2896	ctfmen.exe
2616	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2976	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
2976	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
2976	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
2896	ctfmen.exe
2896	ctfmen.exe
2616	smnss.exe
680	WerFault.exe
680	WerFault.exe
680	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
File created	C:\Windows\SysWOW64\shervans.dll	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
File created	C:\Windows\SysWOW64\grcopy.dll	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
File created	C:\Windows\SysWOW64\smnss.exe	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
File created	C:\Windows\SysWOW64\satornas.dll	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	smnss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
680	2616	WerFault.exe	31

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2896	2976	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe	30
PID 2976 wrote to memory of 2896	2976	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe	30
PID 2976 wrote to memory of 2896	2976	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe	30
PID 2976 wrote to memory of 2896	2976	cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe	30
PID 2896 wrote to memory of 2616	2896	ctfmen.exe	31
PID 2896 wrote to memory of 2616	2896	ctfmen.exe	31
PID 2896 wrote to memory of 2616	2896	ctfmen.exe	31
PID 2896 wrote to memory of 2616	2896	ctfmen.exe	31
PID 2616 wrote to memory of 680	2616	smnss.exe	32
PID 2616 wrote to memory of 680	2616	smnss.exe	32
PID 2616 wrote to memory of 680	2616	smnss.exe	32
PID 2616 wrote to memory of 680	2616	smnss.exe	32

C:\Users\Admin\AppData\Local\Temp\cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe
"C:\Users\Admin\AppData\Local\Temp\cc6fc2e7501f194eb2a0b945c2d67061a6bfc8fa4f419e58d44d539ab1063792.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 836
      4⤵
      Loads dropped DLL
      Program crash
      PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
c0157c92c58bcca6ad0d81d60888aa99

SHA1
37c246f0541441b9049509d7696426b51df6b908

SHA256
37dfc77a0e590f0a3b791c6548abdfc9e2fc51863411a3c607d8fa338342822d

SHA512
b11d1aafdf1be26828c13e48edfbba50a7a4bc98191e76f1919239ba99144a70659b2afddcacab04c72f48f15799d846cc780075af0e84a082782bdde0b3d647

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
75KB

MD5
f738d7f890500f58f6796d0ed88cdb1a

SHA1
ecd2088165279a342ab2357a191d654f2d812919

SHA256
b1152f1281784ec98c9ea009d2f3696c5db29ce26a2ab44820f7567b1e77cf0d

SHA512
01f148107df0a1b3b4685c9a9edfcebdfd799571e0c7ec4bc8d560a9391ed5013fe57e8d9a7f54f04c44ec7f95f6c89ef29f41a691eab4c5ff16a9e516fde70d

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
ec9304f5dff7adb00ead261aa7c196bd

SHA1
cd34378a980e1f5bf123af9f397a2472b4187b5a

SHA256
d5fdc395155bdf277d648abc61c3e95c38c4d94f32b352e5cb3fa0f3fc7cb07d

SHA512
93e191c0e9e3a9d09d306d4e422c470b9e959bdc7bba0c16956bb677206fd147d2133cd2da62f38bd28c0c4ecf72237e0c50b7d87328a73b9fb683708cd9edfb

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
a147a7badf8c123b9395f56150da5409

SHA1
ef6c8bbdd150f2337499eed9e3ac77d49ca91feb

SHA256
5d0bc38779eae605370a4286a178b5dc240b7ce4eae31558bcf0aa39b78ef16d

SHA512
6438ad9391a74f0f3a8862190d363784b32e8f57cc5e3783c305d9b691c27c67511764a64a261acb797ddb5e6885e62b5605b4ab7a97fb4f625bcb24d9f736bb

Download Submit
memory/2616-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2616-45-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2616-44-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2896-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2976-25-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2976-31-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2976-23-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2976-24-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2976-11-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads