e6398b0d823005edfd169c1cbe21ba5bf67978205a81e5aa510421e89a00672f

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 02:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae27d89c768aa120e8d07ad842e8ebc0N.exe
Size

226KB
MD5

ae27d89c768aa120e8d07ad842e8ebc0
SHA1

25b106ef9600d6d0449c4e1ef74596fc17bd5070
SHA256

e6398b0d823005edfd169c1cbe21ba5bf67978205a81e5aa510421e89a00672f
SHA512

877586df14d936e3ceff656084ced1d051da8fbd74229a65e5a1daca6cfc12d99c8f5675fbf67815a3eac8c4660ec03b71e84f4cac89176b57b3acb76c67c398
SSDEEP

6144:6Is9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCtZ0:3KofHfHTXQLzgvnzHPowYbvrjD/L7QPS

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023467-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2240	ctfmen.exe
2376	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
4232	ae27d89c768aa120e8d07ad842e8ebc0N.exe
2376	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	ae27d89c768aa120e8d07ad842e8ebc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ae27d89c768aa120e8d07ad842e8ebc0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	ae27d89c768aa120e8d07ad842e8ebc0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	ae27d89c768aa120e8d07ad842e8ebc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	ae27d89c768aa120e8d07ad842e8ebc0N.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	ae27d89c768aa120e8d07ad842e8ebc0N.exe
File created	C:\Windows\SysWOW64\smnss.exe	ae27d89c768aa120e8d07ad842e8ebc0N.exe
File created	C:\Windows\SysWOW64\satornas.dll	ae27d89c768aa120e8d07ad842e8ebc0N.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	ae27d89c768aa120e8d07ad842e8ebc0N.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	ae27d89c768aa120e8d07ad842e8ebc0N.exe
File created	C:\Windows\SysWOW64\grcopy.dll	ae27d89c768aa120e8d07ad842e8ebc0N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	ae27d89c768aa120e8d07ad842e8ebc0N.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	ae27d89c768aa120e8d07ad842e8ebc0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\README.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jvisualvm.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\Welcome.html	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4420	2376	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae27d89c768aa120e8d07ad842e8ebc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ae27d89c768aa120e8d07ad842e8ebc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	ae27d89c768aa120e8d07ad842e8ebc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	ae27d89c768aa120e8d07ad842e8ebc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	ae27d89c768aa120e8d07ad842e8ebc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ae27d89c768aa120e8d07ad842e8ebc0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 2240	4232	ae27d89c768aa120e8d07ad842e8ebc0N.exe	91
PID 4232 wrote to memory of 2240	4232	ae27d89c768aa120e8d07ad842e8ebc0N.exe	91
PID 4232 wrote to memory of 2240	4232	ae27d89c768aa120e8d07ad842e8ebc0N.exe	91
PID 2240 wrote to memory of 2376	2240	ctfmen.exe	92
PID 2240 wrote to memory of 2376	2240	ctfmen.exe	92
PID 2240 wrote to memory of 2376	2240	ctfmen.exe	92

C:\Users\Admin\AppData\Local\Temp\ae27d89c768aa120e8d07ad842e8ebc0N.exe
"C:\Users\Admin\AppData\Local\Temp\ae27d89c768aa120e8d07ad842e8ebc0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1612
      4⤵
      Program crash
      PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2376 -ip 2376
1⤵
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
c731db9f724aabd22ae8fbf1cbd0c946

SHA1
117130eec922380e47b6a552081c393e3ca5855c

SHA256
3e9759b8bf504fdb654a80e67674b662dde1578f73839bae4ff11a3c29951d47

SHA512
3615ec1f79026f34805131d5cd01da117223c6f748ab276956b823d2f7f634722101eb3158c61d8d7c4a878fdfa727efcabd63568f575cf9fb3a70a0f8c9614f

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
226KB

MD5
4bfff0ba760f05b52ac8f1078609ecaa

SHA1
6e2bd3403d88ae9d1750d91a18e2ec52cfcf9e56

SHA256
de80888f9dc9f6420f985cfb4787401a8551ac1f9ebd3b31047c415c971db9e6

SHA512
bd1d0b04a21f9cd50fc9375a05409dbaf963cedd10161ed0c73fc509089e7c0dc4113be018b80bd6b0c7eb645b42a84877911120059ab078845a20ee507dc0ef

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
220bf248b16c64261825794a92cd712c

SHA1
66c6209d332c4c0bf12c62ee9ddf2b5724354726

SHA256
a521d09a1e2cfaab5a6956c03fdf641d62cadd9178f432727aef2ab043fc478e

SHA512
ad4013236e0219034f6a055a861c2c0a5425d189735b44e44948eb0c9f964a3697a414e5742165e1be2d236de90e8ac4481500df5149f593181ee6df6fb93c24

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
3f2db9d9e32c7938f1e0c7bc3f50f657

SHA1
4ae7c12bb28fe113484a4a5ca863f365e624c7d2

SHA256
12e2c6f23c75f886d14775c52c5d5811cc3d370214901444b46ed19e700b76bd

SHA512
ef625a9c02259f13e37f0ba53b5168f0e2e67f874d87ada416bccf1e2e6c6ae9d9bc162c22313e9b7fd7c561f347572ce1e0bea330e8d0d52d642286f249e484

Download Submit
memory/2240-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2240-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2376-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2376-37-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2376-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2376-40-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2376-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4232-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4232-23-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4232-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4232-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads