4d16dd8a675ee29d89b73c0ff8055132782c5708c4f22ef920cc5bee7207aaa8

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dc941dfefa427e989034ba3891e3cf0N.exe
Size

75KB
MD5

1dc941dfefa427e989034ba3891e3cf0
SHA1

3c0c34555b2c40ed7141c71b76a154e4d72c077f
SHA256

4d16dd8a675ee29d89b73c0ff8055132782c5708c4f22ef920cc5bee7207aaa8
SHA512

4799b22eed54dba235dede4dc3dc94a96cc5453d7d91ea7c28ee82f4456eee76b0eee9cb63be64985b269c5f63009d70f3765db7ac4168dd03d3971ba758a463
SSDEEP

1536:Zx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T36:DOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPC

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023493-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2580	ctfmen.exe
4524	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
3680	1dc941dfefa427e989034ba3891e3cf0N.exe
4524	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	1dc941dfefa427e989034ba3891e3cf0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1dc941dfefa427e989034ba3891e3cf0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	1dc941dfefa427e989034ba3891e3cf0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	1dc941dfefa427e989034ba3891e3cf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	1dc941dfefa427e989034ba3891e3cf0N.exe
File created	C:\Windows\SysWOW64\shervans.dll	1dc941dfefa427e989034ba3891e3cf0N.exe
File created	C:\Windows\SysWOW64\grcopy.dll	1dc941dfefa427e989034ba3891e3cf0N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	1dc941dfefa427e989034ba3891e3cf0N.exe
File created	C:\Windows\SysWOW64\smnss.exe	1dc941dfefa427e989034ba3891e3cf0N.exe
File created	C:\Windows\SysWOW64\satornas.dll	1dc941dfefa427e989034ba3891e3cf0N.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	1dc941dfefa427e989034ba3891e3cf0N.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	1dc941dfefa427e989034ba3891e3cf0N.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	1dc941dfefa427e989034ba3891e3cf0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3696	4524	WerFault.exe	92

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	1dc941dfefa427e989034ba3891e3cf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1dc941dfefa427e989034ba3891e3cf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1dc941dfefa427e989034ba3891e3cf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	1dc941dfefa427e989034ba3891e3cf0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	1dc941dfefa427e989034ba3891e3cf0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4524	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 2580	3680	1dc941dfefa427e989034ba3891e3cf0N.exe	91
PID 3680 wrote to memory of 2580	3680	1dc941dfefa427e989034ba3891e3cf0N.exe	91
PID 3680 wrote to memory of 2580	3680	1dc941dfefa427e989034ba3891e3cf0N.exe	91
PID 2580 wrote to memory of 4524	2580	ctfmen.exe	92
PID 2580 wrote to memory of 4524	2580	ctfmen.exe	92
PID 2580 wrote to memory of 4524	2580	ctfmen.exe	92

C:\Users\Admin\AppData\Local\Temp\1dc941dfefa427e989034ba3891e3cf0N.exe
"C:\Users\Admin\AppData\Local\Temp\1dc941dfefa427e989034ba3891e3cf0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1460
      4⤵
      Program crash
      PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4524 -ip 4524
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
bf966b2872e88c6e978c4c3919491e60

SHA1
35b8ffad4d8d7a25889e2467b2a08b5a10dc44d3

SHA256
4baf41e0098d3d25043bd266dc0eb2a4b08ed5696eea706d3f4ced60e4a5e1e9

SHA512
e81f36b6b0601557392f6fa7e39cc57905af69c224374f619e323d107355ce7d28f7c679d97e28946e8dad815eb191f3d273c74a206dc19f0bb621e666a4ed25

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
75KB

MD5
afbccd084b2fcaf45244a9bde56e1550

SHA1
11fbc6bfc7e41c801f174dc5985d3f88c1727aa9

SHA256
0222a604988da644ea1e1bbb8884f9d1014f48d0a59a776f24d5b9b63c9a64b6

SHA512
01af891c31492159b203f8732f391059913b0b166c1dff6d05c06f2a34a85b9d1c1c18f9d2905ce45f257964e779498efbf226c149b0ed5da0cc61d8b6d89f6c

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
d522dcd8b8f24a7164207607cf4e16be

SHA1
ea30fc09a4ab150004d01f08b5b603ba69084c6b

SHA256
3d1d0c3882a359fff64ca44960ba9ed19c519ac1e53e227692bf3a94cb089376

SHA512
7d9c3f798c6f7b8cc01b3fbda5cc393d81f4cd1a9fe067ca8510a6e125e342ae597ef64d7de88d423f1dd43b8b33123bfa2a652c0c9a6a688ef4604f31fdd95f

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
55094e8b6ed89cc52965712d26454b24

SHA1
4800cbeae1b35a53257da63727087d142590f679

SHA256
f98f6a508bb4470c173d6cd02f7e1f783254bbc6cdb8db58b06fa214bc076657

SHA512
1250fbfa1a52c80508218f7f52c07bde89f20fc1656b3af09b18df43fe024ddfab5e29717759317598db9037359499755806abaa8f7885a42c7cbca7d03865c5

Download Submit
memory/2580-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3680-17-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3680-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3680-23-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4524-35-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4524-36-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads