7e81025ca0acfaaa31d9f4bf49bab1dcfc67a767f80edb4dc83b995397def1d4

Analysis

max time kernel
114s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4dc9331958fe14d7cdc81df302b3c0N.exe
Size

2.3MB
MD5

8e4dc9331958fe14d7cdc81df302b3c0
SHA1

168b6dcf39b9ffe04c67ad993577cdc83c5974b4
SHA256

7e81025ca0acfaaa31d9f4bf49bab1dcfc67a767f80edb4dc83b995397def1d4
SHA512

573adc4c9f800449dbb7b7ea4d2ec153388828232814482ef2ecd8664e82026128a81b1c45a49b5f5876b04cbced17e2d940c26dc61ecabc5a2c755d63a759bf
SSDEEP

49152:d8F4GBYEFMfVrt0HdZyZUKIKp9/bIA3e63wDknToN58zkfwHuVfcu5ZJFKsnfKUn:d8F4GBY3dR0HHyZ9p9DIAvADkQ8gfwOj

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016890-11.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2392	ctfmen.exe
2944	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2136	8e4dc9331958fe14d7cdc81df302b3c0N.exe
2136	8e4dc9331958fe14d7cdc81df302b3c0N.exe
2136	8e4dc9331958fe14d7cdc81df302b3c0N.exe
2392	ctfmen.exe
2392	ctfmen.exe
2944	smnss.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	8e4dc9331958fe14d7cdc81df302b3c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	8e4dc9331958fe14d7cdc81df302b3c0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	8e4dc9331958fe14d7cdc81df302b3c0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	8e4dc9331958fe14d7cdc81df302b3c0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shervans.dll	8e4dc9331958fe14d7cdc81df302b3c0N.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	8e4dc9331958fe14d7cdc81df302b3c0N.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	8e4dc9331958fe14d7cdc81df302b3c0N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	8e4dc9331958fe14d7cdc81df302b3c0N.exe
File created	C:\Windows\SysWOW64\smnss.exe	8e4dc9331958fe14d7cdc81df302b3c0N.exe
File created	C:\Windows\SysWOW64\satornas.dll	8e4dc9331958fe14d7cdc81df302b3c0N.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	8e4dc9331958fe14d7cdc81df302b3c0N.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\grcopy.dll	8e4dc9331958fe14d7cdc81df302b3c0N.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	8e4dc9331958fe14d7cdc81df302b3c0N.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2136	8e4dc9331958fe14d7cdc81df302b3c0N.exe
2944	smnss.exe
2944	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2708	2944	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e4dc9331958fe14d7cdc81df302b3c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	8e4dc9331958fe14d7cdc81df302b3c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	8e4dc9331958fe14d7cdc81df302b3c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8e4dc9331958fe14d7cdc81df302b3c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8e4dc9331958fe14d7cdc81df302b3c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	8e4dc9331958fe14d7cdc81df302b3c0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	smnss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2136	8e4dc9331958fe14d7cdc81df302b3c0N.exe
2944	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2392	2136	8e4dc9331958fe14d7cdc81df302b3c0N.exe	28
PID 2136 wrote to memory of 2392	2136	8e4dc9331958fe14d7cdc81df302b3c0N.exe	28
PID 2136 wrote to memory of 2392	2136	8e4dc9331958fe14d7cdc81df302b3c0N.exe	28
PID 2136 wrote to memory of 2392	2136	8e4dc9331958fe14d7cdc81df302b3c0N.exe	28
PID 2392 wrote to memory of 2944	2392	ctfmen.exe	29
PID 2392 wrote to memory of 2944	2392	ctfmen.exe	29
PID 2392 wrote to memory of 2944	2392	ctfmen.exe	29
PID 2392 wrote to memory of 2944	2392	ctfmen.exe	29
PID 2944 wrote to memory of 2708	2944	smnss.exe	30
PID 2944 wrote to memory of 2708	2944	smnss.exe	30
PID 2944 wrote to memory of 2708	2944	smnss.exe	30
PID 2944 wrote to memory of 2708	2944	smnss.exe	30

C:\Users\Admin\AppData\Local\Temp\8e4dc9331958fe14d7cdc81df302b3c0N.exe
"C:\Users\Admin\AppData\Local\Temp\8e4dc9331958fe14d7cdc81df302b3c0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 908
      4⤵
      Loads dropped DLL
      Program crash
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
28e10f54dc7fa1f3626caafcb9f5148f

SHA1
fdf10d6301c6962dbf88b2fe520ae6559d38c3d4

SHA256
bf4da2eff89ca32d665cdfe66638e65465bc759904a07591a448e1ef815ce38b

SHA512
0f76e7bca025434626f7efd9813ae96241a18d8f9c57bcc7aef355fabd35d01c51ed613f0e7a8fa9c372a809c08291c470def0e5e83c46d49dedfd1d12105ecd

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
e0516023ab708c0d8b467d1a8f5bba03

SHA1
c3ff63e86349cbd338c641afa9890f5f81561286

SHA256
3e7189ffe5f2f60f96790e182193bdf3e33676c34160e42738c06193def5fb12

SHA512
6dbac9927c68770e3f26181d5da6fe675322a7a80357b5beefbf95f9be6c71fc3168e106a9c62f11b140b860c9063710e4e83218bd86cf840f64f5be5ee7f6a2

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
a11876e1916c21ae536bad8cb222ce3f

SHA1
397bd9c5f03fc78280b9cc7c2a755ac53a292d75

SHA256
cc2107ab049461182374065ec81a12acbf003ac34b0a9e95f42dcf3cac499361

SHA512
2692255db3a806c35d133cf3bab58d84da3c4dacb4f1603dd7bdcc022761f861731c22296b43785d1c100a68909d0d11631b00fa565b87185d9ee79299572a57

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
2.3MB

MD5
6987bf24387434755b0208788384c158

SHA1
ef14e44c1e804681a26bf9e8fd32710ca2384333

SHA256
b1d317d3bf8db9abd24713f4d6bce273c76e27cc9b85a1093b7e29b27b96359a

SHA512
c5548242160460279af22c4ce8484b4faf25aaaf4400042cc740c47bcb48ff39b38cf85232dba2a5b7088fa0a59ea021bc2daaf7e3ee679e4f7f233a466589ef

Download Submit
memory/2136-27-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2136-2-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2136-13-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2136-26-0x0000000000400000-0x0000000000DC2000-memory.dmp

Filesize
9.8MB

Download
memory/2136-0-0x0000000000400000-0x0000000000DC2000-memory.dmp

Filesize
9.8MB

Download
memory/2136-20-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/2136-35-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2392-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2944-34-0x0000000000400000-0x0000000000DC2000-memory.dmp

Filesize
9.8MB

Download
memory/2944-36-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2944-42-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2944-47-0x0000000000400000-0x0000000000DC2000-memory.dmp

Filesize
9.8MB

Download
memory/2944-48-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2944-50-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2944-49-0x0000000000400000-0x0000000000DC2000-memory.dmp

Filesize
9.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads