42581f5bea73e151c2b1b1156133709d95f21f6cf6779d0ee20a873b9925c60c

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f6d0f943d6a0bc76f573a6686008cc0N.exe
Size

75KB
MD5

2f6d0f943d6a0bc76f573a6686008cc0
SHA1

2dc234f1fbe8dcb4731f4edd5cbf5b8fa71039b1
SHA256

42581f5bea73e151c2b1b1156133709d95f21f6cf6779d0ee20a873b9925c60c
SHA512

1ffd09748252255d4c6955c3c8911518cb116f0226f2590ddf5d854f6b0a117c33cad21dad01ada32ce4c35b1a531909dda4c4e4822ad3219afebea5d998864a
SSDEEP

1536:Xx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3B:BOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPp

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000019246-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2684	ctfmen.exe
2816	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
1884	2f6d0f943d6a0bc76f573a6686008cc0N.exe
1884	2f6d0f943d6a0bc76f573a6686008cc0N.exe
1884	2f6d0f943d6a0bc76f573a6686008cc0N.exe
2684	ctfmen.exe
2684	ctfmen.exe
2816	smnss.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	2f6d0f943d6a0bc76f573a6686008cc0N.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	2f6d0f943d6a0bc76f573a6686008cc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2f6d0f943d6a0bc76f573a6686008cc0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2f6d0f943d6a0bc76f573a6686008cc0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\grcopy.dll	2f6d0f943d6a0bc76f573a6686008cc0N.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	2f6d0f943d6a0bc76f573a6686008cc0N.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	2f6d0f943d6a0bc76f573a6686008cc0N.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	2f6d0f943d6a0bc76f573a6686008cc0N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	2f6d0f943d6a0bc76f573a6686008cc0N.exe
File created	C:\Windows\SysWOW64\smnss.exe	2f6d0f943d6a0bc76f573a6686008cc0N.exe
File created	C:\Windows\SysWOW64\satornas.dll	2f6d0f943d6a0bc76f573a6686008cc0N.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	2f6d0f943d6a0bc76f573a6686008cc0N.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	2f6d0f943d6a0bc76f573a6686008cc0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2172	2816	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f6d0f943d6a0bc76f573a6686008cc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	2f6d0f943d6a0bc76f573a6686008cc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	2f6d0f943d6a0bc76f573a6686008cc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2f6d0f943d6a0bc76f573a6686008cc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2f6d0f943d6a0bc76f573a6686008cc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	2f6d0f943d6a0bc76f573a6686008cc0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2684	1884	2f6d0f943d6a0bc76f573a6686008cc0N.exe	30
PID 1884 wrote to memory of 2684	1884	2f6d0f943d6a0bc76f573a6686008cc0N.exe	30
PID 1884 wrote to memory of 2684	1884	2f6d0f943d6a0bc76f573a6686008cc0N.exe	30
PID 1884 wrote to memory of 2684	1884	2f6d0f943d6a0bc76f573a6686008cc0N.exe	30
PID 2684 wrote to memory of 2816	2684	ctfmen.exe	31
PID 2684 wrote to memory of 2816	2684	ctfmen.exe	31
PID 2684 wrote to memory of 2816	2684	ctfmen.exe	31
PID 2684 wrote to memory of 2816	2684	ctfmen.exe	31
PID 2816 wrote to memory of 2172	2816	smnss.exe	32
PID 2816 wrote to memory of 2172	2816	smnss.exe	32
PID 2816 wrote to memory of 2172	2816	smnss.exe	32
PID 2816 wrote to memory of 2172	2816	smnss.exe	32

C:\Users\Admin\AppData\Local\Temp\2f6d0f943d6a0bc76f573a6686008cc0N.exe
"C:\Users\Admin\AppData\Local\Temp\2f6d0f943d6a0bc76f573a6686008cc0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 960
      4⤵
      Loads dropped DLL
      Program crash
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
0c989ddcf6ebc3fdebd87cbc24ad014d

SHA1
dd23cb37dfae8b4a8dff30f2172b67df224286d2

SHA256
54063f51af503479ea26f4fc15232a133afe1d8dcc06dd11a61c0ba3566a20cc

SHA512
489f03d02e2b6c1ccae8e1d6a7f89e317374cf9841a43d119fed9a914366f58dadf1e8142d32c4fb62e2ae8188b93fb6f278db04481bcfdfb6df80f3add4c1f5

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
75KB

MD5
dee6df62d63abef93940a33014343ade

SHA1
f62a834d7f5836eca784c0b80a10a3704c891599

SHA256
c824af854809e3d574f808bcb97933c8d531ba1fc231801b2c696343a59e541a

SHA512
52b46127ebb013226ec7e3904d29b1c019b0712af747b58d5dd5a80b8d8ff952de7c734cf6a39a6988fbca1b8d03b3be9fa255a980e2736b3c17af004530cacb

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
525cb324fb3529e80c67f700ace9a808

SHA1
f839ff9acaab97d645c6743bdaadff83b74a2e6f

SHA256
e6bb1bdfb7d43b420998cd4d16e3856db4f5ca66eee6fb23336446325fb6f7b4

SHA512
6b92cb1b699ace1522e371895b5b6f4d1e32cf844af5edcddb6948a5f8b297ae058d3b677e2e7e3a0dfd4448073406bbf50d6a913ca6c5d79a081edde25ffbd3

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
a9c7f456fb6d4e5c82d22e8186e73ccb

SHA1
1b2457c7caf9b026205cf1ef70462328d3391daf

SHA256
d6ae57e03034591ad0a5cdcd577e8a7ac57fec8b664fb0b77392701fdd224b1f

SHA512
d0ade0d19eeb0581db6363b964437697e77923741fe4b443459d22e6f9442024e0aad398d8b427676d4fa40dfdda7776075d68b6e02b6882712fae8c4841fe12

Download Submit
memory/1884-11-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1884-22-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1884-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2684-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2816-39-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2816-40-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2816-44-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads