84b493d8221b8066c5ec006a484906cb3407efc07be499483781f08f96ce52a1

Analysis

max time kernel
115s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a00847c1d1efa315df3193c3b51395e0N.exe
Size

119KB
MD5

a00847c1d1efa315df3193c3b51395e0
SHA1

de5f9fb26074447ecb7d688bcd23739cc988264b
SHA256

84b493d8221b8066c5ec006a484906cb3407efc07be499483781f08f96ce52a1
SHA512

ef815b27e75d4fb8ef98bcae8a03bddf0917f3899e0471740919cbf992b416ebf6b5f2e5aaad40117ffe30e0373976403cbb10d34ced8f6fcc39534ccc3a8749
SSDEEP

3072:cOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:cIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000800000001613b-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2664	ctfmen.exe
2728	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2136	a00847c1d1efa315df3193c3b51395e0N.exe
2136	a00847c1d1efa315df3193c3b51395e0N.exe
2136	a00847c1d1efa315df3193c3b51395e0N.exe
2664	ctfmen.exe
2664	ctfmen.exe
2728	smnss.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	a00847c1d1efa315df3193c3b51395e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a00847c1d1efa315df3193c3b51395e0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	a00847c1d1efa315df3193c3b51395e0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	a00847c1d1efa315df3193c3b51395e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmen.exe	a00847c1d1efa315df3193c3b51395e0N.exe
File created	C:\Windows\SysWOW64\grcopy.dll	a00847c1d1efa315df3193c3b51395e0N.exe
File created	C:\Windows\SysWOW64\smnss.exe	a00847c1d1efa315df3193c3b51395e0N.exe
File created	C:\Windows\SysWOW64\satornas.dll	a00847c1d1efa315df3193c3b51395e0N.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	a00847c1d1efa315df3193c3b51395e0N.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	a00847c1d1efa315df3193c3b51395e0N.exe
File created	C:\Windows\SysWOW64\shervans.dll	a00847c1d1efa315df3193c3b51395e0N.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	a00847c1d1efa315df3193c3b51395e0N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	a00847c1d1efa315df3193c3b51395e0N.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\DismountUninstall.php	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1996	2728	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a00847c1d1efa315df3193c3b51395e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	a00847c1d1efa315df3193c3b51395e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a00847c1d1efa315df3193c3b51395e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a00847c1d1efa315df3193c3b51395e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	a00847c1d1efa315df3193c3b51395e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	a00847c1d1efa315df3193c3b51395e0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2664	2136	a00847c1d1efa315df3193c3b51395e0N.exe	30
PID 2136 wrote to memory of 2664	2136	a00847c1d1efa315df3193c3b51395e0N.exe	30
PID 2136 wrote to memory of 2664	2136	a00847c1d1efa315df3193c3b51395e0N.exe	30
PID 2136 wrote to memory of 2664	2136	a00847c1d1efa315df3193c3b51395e0N.exe	30
PID 2664 wrote to memory of 2728	2664	ctfmen.exe	31
PID 2664 wrote to memory of 2728	2664	ctfmen.exe	31
PID 2664 wrote to memory of 2728	2664	ctfmen.exe	31
PID 2664 wrote to memory of 2728	2664	ctfmen.exe	31
PID 2728 wrote to memory of 1996	2728	smnss.exe	32
PID 2728 wrote to memory of 1996	2728	smnss.exe	32
PID 2728 wrote to memory of 1996	2728	smnss.exe	32
PID 2728 wrote to memory of 1996	2728	smnss.exe	32

C:\Users\Admin\AppData\Local\Temp\a00847c1d1efa315df3193c3b51395e0N.exe
"C:\Users\Admin\AppData\Local\Temp\a00847c1d1efa315df3193c3b51395e0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 804
      4⤵
      Loads dropped DLL
      Program crash
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
48c3ea7001423c96d3910fdc81cee8a7

SHA1
d16842b9a3aa14cc7499c134c47ff6f1a39e19f5

SHA256
c3e9c4382d2089c96499cce8599db0559b0205e570046c94eaea7c56e7db1dd8

SHA512
97402b1c44c2f4baeeb070e229333a7aa2a086a8cf3f29300945dda2554ab5c5462073d6434bfcb0c95b0b82893dd53082073ef847cc6dc7cd6aacd74b5d71ed

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
cf48d998939ba91ea6391b68f3c2038d

SHA1
6e09dfd3e0e0a8b8336ece9abecbbc01a8bd7e16

SHA256
8d96c1fdb9b4cc217a96e8facb2c30171a89b34aa4cab70ee3a922d19cd47304

SHA512
528d59244f394f69362fe7f2fd957a96469bfe2b141e1bb51eca893ecc9cdd70755ad83fc7dc1e2313466a0ea428c15c808e9810623f833848935f7485d19695

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
6dfee32a12a643b8a0c79c5b4c1824d7

SHA1
cc11ec7f69460a812cc4b54e41e5cdc9626bf6e1

SHA256
4a987134b062ef36d7d996877cc79721a2ef98c13c478379c48eb8def5e079fc

SHA512
8fbb93c5daf0cd47002d90f967e310ae827c60714616563ed91ed12796785975bac92a8c6bbfe9b2cada034bd07ac23417b8a5dc84c39e906ffeafb8cb7d9b2e

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
119KB

MD5
22c4ed78c1c69d338e78f14fd5f43a83

SHA1
9098a57ececbe5ad498fd9a00931c90ec26f27dd

SHA256
be92d835911e5bc249b77f39654f08c162961d3176938385a717370d7294f771

SHA512
57ab76c6e59bd0c5646826081a5b2f29b5be9f4d28e98e9e0574f7b2721f0eb8066771cedd36cf3f585a478a68b8ee5c1f829313d6874d9540a9f8cc9a2b0d4a

Download Submit
memory/2136-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2136-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2136-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2136-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2664-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2664-29-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/2664-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2664-35-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/2728-42-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2728-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads