Analysis
- max time kernel: 106s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 14:23

Static task: static1

Behavioral task: behavioral1
- Sample: f6e5f41799603f7cb238821b079e3e10N.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: f6e5f41799603f7cb238821b079e3e10N.exe
- Resource: win10v2004-20240802-en
General
- Target: f6e5f41799603f7cb238821b079e3e10N.exe
- Size: 2.3MB
- MD5: f6e5f41799603f7cb238821b079e3e10
- SHA1: efb656af7767415dac199ad1b014b0fa3af573b0
- SHA256: ec6d0e3f9da911c77c2ad759220a26515e1a9111998fda19d3296bebe0796fdc
- SHA512: 38e119988dbcb608c8a62e7a5062479bd6043cf8f2e705160be66cba524dc8154f04838aea3e8dfad45579106ab12379b1c4de6aeedbeb38ac864f7e83e251b6
- SSDEEP: 49152:0jvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:0rkI9rSjA5aDo73pzF2bz3p9y4HgIoov
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral2/files/0x00070000000234c7-11.dat | acprotect
- Executes dropped EXE (2 IoCs)
  pid | Process
  4304 | ctfmen.exe
  2908 | smnss.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  5024 | f6e5f41799603f7cb238821b079e3e10N.exe
  2908 | smnss.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | f6e5f41799603f7cb238821b079e3e10N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
- Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | f6e5f41799603f7cb238821b079e3e10N.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | f6e5f41799603f7cb238821b079e3e10N.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | f6e5f41799603f7cb238821b079e3e10N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe
- Drops file in System32 directory (12 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | f6e5f41799603f7cb238821b079e3e10N.exe
  File created | C:\Windows\SysWOW64\grcopy.dll | f6e5f41799603f7cb238821b079e3e10N.exe
  File opened for modification | C:\Windows\SysWOW64\grcopy.dll | f6e5f41799603f7cb238821b079e3e10N.exe
  File opened for modification | C:\Windows\SysWOW64\shervans.dll | f6e5f41799603f7cb238821b079e3e10N.exe
  File created | C:\Windows\SysWOW64\satornas.dll | f6e5f41799603f7cb238821b079e3e10N.exe
  File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
  File created | C:\Windows\SysWOW64\ctfmen.exe | f6e5f41799603f7cb238821b079e3e10N.exe
  File created | C:\Windows\SysWOW64\smnss.exe | f6e5f41799603f7cb238821b079e3e10N.exe
  File opened for modification | C:\Windows\SysWOW64\satornas.dll | f6e5f41799603f7cb238821b079e3e10N.exe
  File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
  File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
  File created | C:\Windows\SysWOW64\shervans.dll | f6e5f41799603f7cb238821b079e3e10N.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid | Process
  5024 | f6e5f41799603f7cb238821b079e3e10N.exe
  2908 | smnss.exe
  2908 | smnss.exe
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office16\OSPP.HTM | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml | smnss.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | smnss.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | smnss.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\Welcome.html | smnss.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | smnss.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt | smnss.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jvisualvm.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\readme.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\History.txt | smnss.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1924 | 2908 | WerFault.exe | 92
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smnss.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f6e5f41799603f7cb238821b079e3e10N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmen.exe
- Modifies registry class (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | f6e5f41799603f7cb238821b079e3e10N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | f6e5f41799603f7cb238821b079e3e10N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | f6e5f41799603f7cb238821b079e3e10N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | f6e5f41799603f7cb238821b079e3e10N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | f6e5f41799603f7cb238821b079e3e10N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2908 | smnss.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  5024 | f6e5f41799603f7cb238821b079e3e10N.exe
  2908 | smnss.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 5024 wrote to memory of 4304 | 5024 | f6e5f41799603f7cb238821b079e3e10N.exe | 91
  PID 5024 wrote to memory of 4304 | 5024 | f6e5f41799603f7cb238821b079e3e10N.exe | 91
  PID 5024 wrote to memory of 4304 | 5024 | f6e5f41799603f7cb238821b079e3e10N.exe | 91
  PID 4304 wrote to memory of 2908 | 4304 | ctfmen.exe | 92
  PID 4304 wrote to memory of 2908 | 4304 | ctfmen.exe | 92
  PID 4304 wrote to memory of 2908 | 4304 | ctfmen.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\f6e5f41799603f7cb238821b079e3e10N.exe (depth 1, PID 5024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f6e5f41799603f7cb238821b079e3e10N.exe"
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (depth 2, PID 4304)
    Command line: ctfmen.exe
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (depth 3, PID 2908)
      Command line: C:\Windows\system32\smnss.exe
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 1924)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1724
        Signatures:
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 4108)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2908 -ip 2908
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 12d1fce9fb67b453c17ad9f75830d790
  SHA1: 9f34281ea0b65c6452139cd668ee421d50e2854e
  SHA256: 6239f3bcf0359faeb5d6cff29a30b9f0bec2b64b0ad0d5a94b157af3aefd236c
  SHA512: 9978032ed46aa529734cce821ec3383ea227ce7be2255c8690faf34772c2f5cd20570108b72dbe555e378bb5b71f95ee3b7b5ebcdd42166af81b6dd04f16b7e8
- Filesize: 2.3MB
  MD5: 9a6820e577197d56539daa80347d90a0
  SHA1: 9a9495c59800b283f8d7ee9c8af5ef677dc35be7
  SHA256: e219c5121b98655ae12ee07ff9aacd0e944e0519f2ac0e1d894d391a43cee53d
  SHA512: 233467a6eda11bc58833a22f4a8d49b7abc583299f62a41c747d7c27edf643b2be738186a7a4fdc544c357e9704ba4be316bf0efee3391b78e5a048363d71543
- Filesize: 183B
  MD5: 1589b50ebe27a2a0dc2e6096baf5b409
  SHA1: e92764f71ea477679326da839c18127098f2dd19
  SHA256: b817f0d32cb5f1da0d2ff16eeff849e0589e2ae05d1367877013e5a966dd8acf
  SHA512: 5a6f5a414e77d9c23cb8057081b40130ffcd511f2c27b7ab842c3b9512c06bdd3e522aa987bc7d35fe421a26c64deb1ec38fb77e6e003b32b99469fdd555449f
- Filesize: 8KB
  MD5: 093ea22a1961a3f700791732a0db8f9c
  SHA1: fdfbbda2cd927cc3728566bcab139864715c1bf3
  SHA256: b4d1cfcb7d67b91c2d25762b22ce8bd59f7fbfb0e4b4fee268dfe1f5d28384ea
  SHA512: 85b9a5c4cd6a51f5faa762b7e6f17ee167fa4dbecd46e04d206b6f7e8bc3143694c4fa68c04ad6c5f2872d23cd3745912b4307ecc409bfd5fb0396c03d74183c