9a6e97029c1431b455739dc43fd6bc82d6a3309dee9b8f06c1ed2fa7b2b022fc

Analysis

max time kernel
115s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51e02c5dc29a230ffafda7f6505db390N.exe
Size

119KB
MD5

51e02c5dc29a230ffafda7f6505db390
SHA1

e28fa26444cd2f3b73fce14052b5687d838c812e
SHA256

9a6e97029c1431b455739dc43fd6bc82d6a3309dee9b8f06c1ed2fa7b2b022fc
SHA512

95d1e67fa78fcd9994cd6b1dd6c54d17f7fd03ae4ad23dfadd8f425713e18b4a7b0803ecca69daacf29b821488cf18372174f88e8b646a45ede6107db5628e13
SSDEEP

3072:KOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:KIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016cdf-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2888	ctfmen.exe
2648	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2900	51e02c5dc29a230ffafda7f6505db390N.exe
2900	51e02c5dc29a230ffafda7f6505db390N.exe
2900	51e02c5dc29a230ffafda7f6505db390N.exe
2888	ctfmen.exe
2888	ctfmen.exe
2648	smnss.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	51e02c5dc29a230ffafda7f6505db390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	51e02c5dc29a230ffafda7f6505db390N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	51e02c5dc29a230ffafda7f6505db390N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	51e02c5dc29a230ffafda7f6505db390N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shervans.dll	51e02c5dc29a230ffafda7f6505db390N.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	51e02c5dc29a230ffafda7f6505db390N.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	51e02c5dc29a230ffafda7f6505db390N.exe
File created	C:\Windows\SysWOW64\satornas.dll	51e02c5dc29a230ffafda7f6505db390N.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	51e02c5dc29a230ffafda7f6505db390N.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	51e02c5dc29a230ffafda7f6505db390N.exe
File created	C:\Windows\SysWOW64\grcopy.dll	51e02c5dc29a230ffafda7f6505db390N.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	51e02c5dc29a230ffafda7f6505db390N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	51e02c5dc29a230ffafda7f6505db390N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
824	2648	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51e02c5dc29a230ffafda7f6505db390N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	51e02c5dc29a230ffafda7f6505db390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	51e02c5dc29a230ffafda7f6505db390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	51e02c5dc29a230ffafda7f6505db390N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	51e02c5dc29a230ffafda7f6505db390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	51e02c5dc29a230ffafda7f6505db390N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2888	2900	51e02c5dc29a230ffafda7f6505db390N.exe	30
PID 2900 wrote to memory of 2888	2900	51e02c5dc29a230ffafda7f6505db390N.exe	30
PID 2900 wrote to memory of 2888	2900	51e02c5dc29a230ffafda7f6505db390N.exe	30
PID 2900 wrote to memory of 2888	2900	51e02c5dc29a230ffafda7f6505db390N.exe	30
PID 2888 wrote to memory of 2648	2888	ctfmen.exe	31
PID 2888 wrote to memory of 2648	2888	ctfmen.exe	31
PID 2888 wrote to memory of 2648	2888	ctfmen.exe	31
PID 2888 wrote to memory of 2648	2888	ctfmen.exe	31
PID 2648 wrote to memory of 824	2648	smnss.exe	32
PID 2648 wrote to memory of 824	2648	smnss.exe	32
PID 2648 wrote to memory of 824	2648	smnss.exe	32
PID 2648 wrote to memory of 824	2648	smnss.exe	32

C:\Users\Admin\AppData\Local\Temp\51e02c5dc29a230ffafda7f6505db390N.exe
"C:\Users\Admin\AppData\Local\Temp\51e02c5dc29a230ffafda7f6505db390N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 824
      4⤵
      Loads dropped DLL
      Program crash
      PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
f329e80e9af2a6ab21dfb606964242be

SHA1
c9912b4226696e93ddc6452bc37dab7df42b1220

SHA256
d09cc699c1e7cb4948dc55b019847c9aa6216d5d0e435afa67f46add76086907

SHA512
e9530772fbc2a8ad7d96e96005c9642088eab216fafd48b2bf558e4133388a62ffb839ec43750aff107b5d8c0febf9f41723b914d291a6ccef93dd304ee2ba64

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
119KB

MD5
1af0b4180bed66b7ac41fb43a8974fdf

SHA1
d7b439e1b7b1453d03d15579f5feef5685a4dc14

SHA256
21987bb85cbc53341a0e8078221f4cfbcfac6748b3734928290e2f3d6edd3114

SHA512
6027fbd43d3776600cff6fb14b629f9937b2d63cb79e952f66aba5c521163667e19ba830c4e96ad2037023cef701d7031be4c71df3f0c3b06a54f0ba8f01d017

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
f47a60e5f62dd321de130d883550af76

SHA1
e4de7548adbd101a7a466c26f53054a552e27144

SHA256
d74daa0f721a983be9d27e7ce717192145196e323da03265568e5c3826f4cc32

SHA512
5ad5955373d556ddc6b7588247070f8c37dfdb82c84f8d74a9a206b324b82516c5a1ad8e9fe81abdb91fccd41329c2d156d4f7c1c0158d5e5ad40a9bbc8dd8b6

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
1a7573b3c0437c9a4418d7f02fee8216

SHA1
fc8ff60bf5bdbda3b464a2124fdc81c08b5aa736

SHA256
d490d0b04fae64afc269c44af052441628a2428a27f16f694ae925b3e65d5e40

SHA512
490e3ffffa063dfedb2960caa385654bac5bc5037c70867c8ec42682a42d9b9e7e1e08344b466213edb6133b85c57a0452400fc28159597889f087046f992a4d

Download Submit
memory/2648-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2648-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2648-44-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2888-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2900-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2900-18-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2900-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2900-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2900-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads