Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 115s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/09/2024, 08:35
Static task: static1
Behavioral task: behavioral1
  Sample: 6218ad3b70f0e78e207f1f20073a1e10N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6218ad3b70f0e78e207f1f20073a1e10N.exe
  Resource: win10v2004-20240802-en
General
Target: 6218ad3b70f0e78e207f1f20073a1e10N.exe
Size: 2.3MB
MD5: 6218ad3b70f0e78e207f1f20073a1e10
SHA1: 7870c93135ffd240749d8b4c6d9dca14a300eb02
SHA256: 8102d0546d92d1ed4d831e7fcb0b3685f66207ce04660b00ac041522a9a7abc1
SHA512: e578670f3dd33b828bbd83b130af87d68950acb450bcbd31e4ae4388d15b448c0942eee81d5a71c8a66102c882e9b130f225fbe7041527b0d2958aef785dd8d8
SSDEEP: 49152:njvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:nrkI9rSjA5aDo73pzF2bz3p9y4HgIoov
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource: behavioral1/files/0x0008000000015d59-11.dat
  yara_rule: acprotect
Executes dropped EXE (2 IoCs)
  pid 1796  ctfmen.exe
  pid 2724  smnss.exe
Loads dropped DLL (9 IoCs)
  pid 2388  6218ad3b70f0e78e207f1f20073a1e10N.exe
  pid 2388  6218ad3b70f0e78e207f1f20073a1e10N.exe
  pid 2388  6218ad3b70f0e78e207f1f20073a1e10N.exe
  pid 1796  ctfmen.exe
  pid 1796  ctfmen.exe
  pid 2724  smnss.exe
  pid 2652  WerFault.exe
  pid 2652  WerFault.exe
  pid 2652  WerFault.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  6218ad3b70f0e78e207f1f20073a1e10N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"  smnss.exe
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    smnss.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  smnss.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1  smnss.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    6218ad3b70f0e78e207f1f20073a1e10N.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  6218ad3b70f0e78e207f1f20073a1e10N.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1  6218ad3b70f0e78e207f1f20073a1e10N.exe
Drops file in System32 directory (12 IoCs)
  File opened for modification  C:\Windows\SysWOW64\ctfmen.exe    6218ad3b70f0e78e207f1f20073a1e10N.exe
  File created                  C:\Windows\SysWOW64\grcopy.dll    6218ad3b70f0e78e207f1f20073a1e10N.exe
  File created                  C:\Windows\SysWOW64\satornas.dll  6218ad3b70f0e78e207f1f20073a1e10N.exe
  File created                  C:\Windows\SysWOW64\zipfi.dll     smnss.exe
  File created                  C:\Windows\SysWOW64\smnss.exe     6218ad3b70f0e78e207f1f20073a1e10N.exe
  File opened for modification  C:\Windows\SysWOW64\satornas.dll  6218ad3b70f0e78e207f1f20073a1e10N.exe
  File created                  C:\Windows\SysWOW64\zipfiaq.dll   smnss.exe
  File created                  C:\Windows\SysWOW64\smnss.exe     smnss.exe
  File created                  C:\Windows\SysWOW64\ctfmen.exe    6218ad3b70f0e78e207f1f20073a1e10N.exe
  File created                  C:\Windows\SysWOW64\shervans.dll  6218ad3b70f0e78e207f1f20073a1e10N.exe
  File opened for modification  C:\Windows\SysWOW64\grcopy.dll    6218ad3b70f0e78e207f1f20073a1e10N.exe
  File opened for modification  C:\Windows\SysWOW64\shervans.dll  6218ad3b70f0e78e207f1f20073a1e10N.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 2388  6218ad3b70f0e78e207f1f20073a1e10N.exe
  pid 2724  smnss.exe
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by smnss.exe; the affected paths are:
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm
  C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml
  C:\Program Files\7-Zip\Lang\kk.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml
  C:\Program Files\7-Zip\Lang\af.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
  C:\Program Files\7-Zip\Lang\fi.txt
  C:\Program Files\7-Zip\Lang\eo.txt
  C:\Program Files\7-Zip\Lang\mk.txt
  C:\Program Files\7-Zip\Lang\mng.txt
  C:\Program Files\7-Zip\Lang\nn.txt
  C:\Program Files\7-Zip\Lang\pl.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml
  C:\Program Files\7-Zip\Lang\ast.txt
  C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
  C:\Program Files\7-Zip\Lang\ru.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml
  C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html
  C:\Program Files\7-Zip\Lang\ne.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml
  C:\Program Files\7-Zip\Lang\fy.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml
  C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt
  C:\Program Files\7-Zip\Lang\gl.txt
  C:\Program Files\7-Zip\Lang\mng2.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml
  C:\Program Files\7-Zip\Lang\de.txt
  C:\Program Files\7-Zip\Lang\uz-cyrl.txt
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt
  C:\Program Files\7-Zip\Lang\ga.txt
  C:\Program Files\7-Zip\Lang\uk.txt
  C:\Program Files\7-Zip\Lang\va.txt
  C:\Program Files\7-Zip\Lang\zh-cn.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
  C:\Program Files\7-Zip\Lang\es.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm
  C:\Program Files\7-Zip\Lang\nb.txt
  C:\Program Files\7-Zip\Lang\he.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml
  C:\Program Files\7-Zip\Lang\et.txt
  C:\Program Files\7-Zip\Lang\cs.txt
  C:\Program Files\7-Zip\Lang\ko.txt
  C:\Program Files\7-Zip\Lang\sa.txt
  C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml
Program crash (1 IoC)
  pid 2652  pid_target 2724  Process WerFault.exe  procid_target 31
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ctfmen.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  smnss.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6218ad3b70f0e78e207f1f20073a1e10N.exe
Modifies registry class (6 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID  6218ad3b70f0e78e207f1f20073a1e10N.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}  6218ad3b70f0e78e207f1f20073a1e10N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  6218ad3b70f0e78e207f1f20073a1e10N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"  smnss.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32  6218ad3b70f0e78e207f1f20073a1e10N.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node  6218ad3b70f0e78e207f1f20073a1e10N.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2724  smnss.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2388  6218ad3b70f0e78e207f1f20073a1e10N.exe
  pid 2724  smnss.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2388 wrote to memory of 1796  6218ad3b70f0e78e207f1f20073a1e10N.exe  procid_target 30
  PID 2388 wrote to memory of 1796  6218ad3b70f0e78e207f1f20073a1e10N.exe  procid_target 30
  PID 2388 wrote to memory of 1796  6218ad3b70f0e78e207f1f20073a1e10N.exe  procid_target 30
  PID 2388 wrote to memory of 1796  6218ad3b70f0e78e207f1f20073a1e10N.exe  procid_target 30
  PID 1796 wrote to memory of 2724  ctfmen.exe  procid_target 31
  PID 1796 wrote to memory of 2724  ctfmen.exe  procid_target 31
  PID 1796 wrote to memory of 2724  ctfmen.exe  procid_target 31
  PID 1796 wrote to memory of 2724  ctfmen.exe  procid_target 31
  PID 2724 wrote to memory of 2652  smnss.exe  procid_target 33
  PID 2724 wrote to memory of 2652  smnss.exe  procid_target 33
  PID 2724 wrote to memory of 2652  smnss.exe  procid_target 33
  PID 2724 wrote to memory of 2652  smnss.exe  procid_target 33
Processes
C:\Users\Admin\AppData\Local\Temp\6218ad3b70f0e78e207f1f20073a1e10N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6218ad3b70f0e78e207f1f20073a1e10N.exe"
  PID: 2388
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\ctfmen.exe
    Command line: ctfmen.exe
    PID: 1796
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\smnss.exe
      Command line: C:\Windows\system32\smnss.exe
      PID: 2724
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 908
        PID: 2652
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 183B
MD5: 30b9e0f26fd12c01bce67377f89f0b03
SHA1: a73064f88aad384dcf965feaab13640d460c687b
SHA256: 86ec21234ca35c4857f29cae918f1a7b1510282de9733e9eaba4c8c5475003a9
SHA512: 51f57d5adde61519da9ba452e4787797c63e9325efd73afa4691bc8f3b48408e686bff0076ca6995d77532c6416277210e41dfd676bcb32e0aa2b80556159a3c

Filesize: 2.3MB
MD5: d93983572449cc6d5b8c36ccb2f1058f
SHA1: e15f3a50f376e6f8f5465f8d78bb109a7949623e
SHA256: 39cde54c81384ea0961272aaabe5f882c7d9c257f7ecd11af2ce20a64dbc4767
SHA512: 8c463d7100e3f2f06e4b1a364c1c11d3c2e82697057697039000429d0a993209da45e685ad2db563619f3b997f7dd5d11674b3838a499801a746f08a1d80717b

Filesize: 4KB
MD5: 7ffdc8032a88f0c46717587bdafd56b7
SHA1: 9021c6559a4a2b4a495b9f53eb38f25e937c4dcb
SHA256: ba187ca009a0fd3537bd5cc5275f3bbe2f0cedea233c7d31101c76e539c2cb7f
SHA512: 232e60ae54374d573e06fd42479dea680cd980c9cc564a9a52792fdc525185ec71a1aa02b24e492ddc0e2423e4ab99ded925d95043737b664012e23086769121

Filesize: 8KB
MD5: 258cdb9b389ee94c74628d07a31a45e4
SHA1: ba100c43adbc809ec2de01a5eea1521b80e8d1fe
SHA256: 65eaf3551ee87bf271d135920dcd7ddb798068ed058113997a59c1c185f65357
SHA512: 886727b1118d57c17e09085b167a109010d88144eabdf99e80b04e4713270159b68bdec6b04ae282f859a4fbdd0d8e3cddcb2f56733694f5d37c5e1b095fadb8