fdcbe2bcb080aab88ab953a637f13ee45489ddb9cf8d4858fc3116bd6722ba51

Analysis

max time kernel
102s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c658cf720eb3d7cde0ba1d5e631f510N.exe
Size

75KB
MD5

1c658cf720eb3d7cde0ba1d5e631f510
SHA1

dc5ac3d4f6d76d9c2fd1302363ff7c91780c9e4f
SHA256

fdcbe2bcb080aab88ab953a637f13ee45489ddb9cf8d4858fc3116bd6722ba51
SHA512

e7cb4a3cd30266b9948ce95f8664917dcc4ef4c2e6c2345d93e5445053bfc3a9ee7d685dd3c38a8a4647f9fead522c725f5e81b5ff72c625e98bf53c1c7b9666
SSDEEP

1536:Ax1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3v:oOjWuyt0ZsqsXOKofHfHTXQLzgvnzHP3

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023451-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
816	ctfmen.exe
2912	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	1c658cf720eb3d7cde0ba1d5e631f510N.exe
2912	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	1c658cf720eb3d7cde0ba1d5e631f510N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1c658cf720eb3d7cde0ba1d5e631f510N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	1c658cf720eb3d7cde0ba1d5e631f510N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	1c658cf720eb3d7cde0ba1d5e631f510N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\satornas.dll	1c658cf720eb3d7cde0ba1d5e631f510N.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	1c658cf720eb3d7cde0ba1d5e631f510N.exe
File created	C:\Windows\SysWOW64\shervans.dll	1c658cf720eb3d7cde0ba1d5e631f510N.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	1c658cf720eb3d7cde0ba1d5e631f510N.exe
File created	C:\Windows\SysWOW64\smnss.exe	1c658cf720eb3d7cde0ba1d5e631f510N.exe
File created	C:\Windows\SysWOW64\satornas.dll	1c658cf720eb3d7cde0ba1d5e631f510N.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	1c658cf720eb3d7cde0ba1d5e631f510N.exe
File created	C:\Windows\SysWOW64\grcopy.dll	1c658cf720eb3d7cde0ba1d5e631f510N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	1c658cf720eb3d7cde0ba1d5e631f510N.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	smnss.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4296	2912	WerFault.exe	92

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	1c658cf720eb3d7cde0ba1d5e631f510N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1c658cf720eb3d7cde0ba1d5e631f510N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1c658cf720eb3d7cde0ba1d5e631f510N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	1c658cf720eb3d7cde0ba1d5e631f510N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	1c658cf720eb3d7cde0ba1d5e631f510N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 816	2488	1c658cf720eb3d7cde0ba1d5e631f510N.exe	91
PID 2488 wrote to memory of 816	2488	1c658cf720eb3d7cde0ba1d5e631f510N.exe	91
PID 2488 wrote to memory of 816	2488	1c658cf720eb3d7cde0ba1d5e631f510N.exe	91
PID 816 wrote to memory of 2912	816	ctfmen.exe	92
PID 816 wrote to memory of 2912	816	ctfmen.exe	92
PID 816 wrote to memory of 2912	816	ctfmen.exe	92

C:\Users\Admin\AppData\Local\Temp\1c658cf720eb3d7cde0ba1d5e631f510N.exe
"C:\Users\Admin\AppData\Local\Temp\1c658cf720eb3d7cde0ba1d5e631f510N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1480
      4⤵
      Program crash
      PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2912 -ip 2912
1⤵
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
2ab39f999af0c84dc21f197068d8ea58

SHA1
938a8c6fb9ae99a143c0d0d909f2a546554d0781

SHA256
d45639d9aa4b19703f44344b367bf4eca098f6250d9f4be08934be5922e90c94

SHA512
e424f17afbc28247615ce23e811341114ab9ed416a06a276023cc8d2d18de69377864c30926094dd81d23b6b8ec063fab71f302d290e55b15805af4c61abb6bd

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
75KB

MD5
ea9953c57ae2c967464cb9311ed488a0

SHA1
b69f43fa9b37918c92eafbb68816a1538430dc68

SHA256
fad8c4f3d5b69e8e7d7fc4a3d3f71f718107c68f1de5b9197e577954487873cf

SHA512
48c310b496749b4e17d442a148e5b2897b7154e8591a6775677cee901c48d153b938401b037491ba69b2a7168627ad9fba4596d3bed52a441090d6aed92cb4c0

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
51dbe226daf2f9f1b0861d966abbcebd

SHA1
b8d8a697629fa6c59d91c069c97b52ff1bb5c92e

SHA256
a17abe61d4c59ffae91e2181504703fdcb53d5a7a7594109f4be60620b673385

SHA512
f0b10f15faa225e2c57147c8507a4868eef79036cff92ba18143df9e172ae2029e1336d5b864dd39c3cee1b22c80bf262c74b0650e7a5867f4b6bc91360d26eb

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
dc64f2ac9bb1e8b49937f2df1ec2e77d

SHA1
b2825930353f5080a19752d663c683ec48c37488

SHA256
932f8f9e76c9a8fb1addbe4ad35d7c4685f01a9dabc3855c2d1b830096e65bdd

SHA512
60c7700d6efab1f7a9a5d080be9eb432be585a8a1b4d52acdbc99d9df770f2c317c5fd7fd5a8ffbc56adf59d72b79ca17bca1f96b4488283fdcce18ca9bbcbe2

Download Submit
memory/816-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2488-17-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2488-22-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2488-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2912-35-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2912-36-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads