318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb

General

Target

318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
Size

2.3MB
MD5

6795e1d303b6ffa9b9fdaeaeac35bee7
SHA1

373734016d1261151b632f5ca17914eca92e2821
SHA256

318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb
SHA512

69bcfed71817c187aad2a2a9edc6f0912b1191182d8fdee048435c17f87d8d117904f6cb66bd5f810e2581fe93c0c21dfd250e107f8c9eafdd1c4d90c2511b4f
SSDEEP

49152:Bjvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:BrkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023468-11.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3652	ctfmen.exe
2216	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
244	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
2216	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
File created	C:\Windows\SysWOW64\smnss.exe	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
File created	C:\Windows\SysWOW64\satornas.dll	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
File created	C:\Windows\SysWOW64\shervans.dll	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
File created	C:\Windows\SysWOW64\grcopy.dll	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
244	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
2216	smnss.exe
2216	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	2216	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	smnss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
244	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
2216	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 3652	244	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe	91
PID 244 wrote to memory of 3652	244	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe	91
PID 244 wrote to memory of 3652	244	318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe	91
PID 3652 wrote to memory of 2216	3652	ctfmen.exe	92
PID 3652 wrote to memory of 2216	3652	ctfmen.exe	92
PID 3652 wrote to memory of 2216	3652	ctfmen.exe	92

C:\Users\Admin\AppData\Local\Temp\318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe
"C:\Users\Admin\AppData\Local\Temp\318ca44c88998a2f54ea5e5ff85010481e0bbedfe2f71320483ed34fe7a564bb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1488
      4⤵
      Program crash
      PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2216 -ip 2216
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
36cc381d3f2f3cb6897eb59d63dd2e52

SHA1
56efcffc2bd3be91521fbf710b6aed5d930bc5fb

SHA256
f456701a43053da8679c37ed0e71115905729f5762708b33a24251ee224f084a

SHA512
ed9fe604e435f57cb8d3d071ec957a0745179025c191043f70cdedad0c91ef17f046cbc4c967521586d3c84d2172ede4883db098e0f6f988c2b434aafba88661

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
2.3MB

MD5
df75593a6dd20170254655851fc91d4b

SHA1
ce832ed043b09780314f407e3fa21262ebbeef1f

SHA256
a68b1b44ada62da6ecae33ce919f5aaf9d9d93d6266924e6a646148cb76b9c7d

SHA512
6dcc0ad6e3cc5a21b02dadf7a31990448cb4106bc5a9e6d8951294b681ebe95e5693bb2164bfee0e596ed4a8e1e6f885ef5fee9af862591e053093ab20af9e37

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
fbdfa8234fb326b811a8cc618139f2fd

SHA1
79ea4bc9b8d2fac86649b22b1f4c774471c538b3

SHA256
db281ed28711e879b187d826f7836d84a548e04051a9122d7f05dabb21f064ce

SHA512
f961daa0bdb21b2a06c6b0501eaf66267b121adadd2b281e3ad637a59716bee14ab4a7552acea81685d33c23fc0b029f7d7f2ace922b2453d4ec4c5ad8be2f52

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
d7340b5785c02b177112e8d873a66ad1

SHA1
0a9803e5d2cb20e3c3daf041973fdc30aa9f1e07

SHA256
95da1b46d9835dd24d4ccbc82f1d12e64f1963c2a66f421e57e5e5d70a7a254c

SHA512
6cb403cd350dffc5758a0a8899a4522b85d3d6a57d3839b65cc11ba5c559b2ee44b97799c4a55ca2387985cbf7d6423a40d679e5c5a4b5323fda99dbddf5dd3d

Download Submit
memory/244-29-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/244-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/244-17-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/244-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/244-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/244-32-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2216-33-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2216-34-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2216-40-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2216-43-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2216-42-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2216-44-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3652-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3652-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads