Analysis
max time kernel: 145s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/09/2024, 00:38
Static task: static1
Behavioral task: behavioral1
  Sample: 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
  Resource: win10v2004-20240910-en
General
Target: 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Size: 2.3MB
MD5: 77f59d68727acc87da5dd18c10c5327e
SHA1: f18ca4f1d2bd7cd96c99db5f72eb4cab7442097d
SHA256: 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd
SHA512: d691aca860f12f042097db7c90b8313c786e0619112f8f17b37b41139e836b54852c99a31e8a1723465305003c22a9b9b2fe591f4dc8bae0ea48ed200fb8cb4f
SSDEEP: 49152:Rjvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:RrkI9rSjA5aDo73pzF2bz3p9y4HgIoov
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x0008000000015f4e-11.dat | acprotect
Executes dropped EXE 2 IoCs
pid | Process
2072 | ctfmen.exe
2732 | smnss.exe
Loads dropped DLL 9 IoCs
pid | Process
1152 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
1152 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
1152 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
2072 | ctfmen.exe
2072 | ctfmen.exe
2732 | smnss.exe
2200 | WerFault.exe
2200 | WerFault.exe
2200 | WerFault.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\shervans.dll | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
File created | C:\Windows\SysWOW64\grcopy.dll | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
File created | C:\Windows\SysWOW64\smnss.exe | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
File created | C:\Windows\SysWOW64\satornas.dll | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
1152 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
2732 | smnss.exe
2732 | smnss.exe
Drops file in Program Files directory 64 IoCs
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2200 | 2732 | WerFault.exe | 32
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smnss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Modifies registry class 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2732 | smnss.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1152 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
2732 | smnss.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1152 wrote to memory of 2072 | 1152 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe | 31
PID 1152 wrote to memory of 2072 | 1152 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe | 31
PID 1152 wrote to memory of 2072 | 1152 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe | 31
PID 1152 wrote to memory of 2072 | 1152 | 985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe | 31
PID 2072 wrote to memory of 2732 | 2072 | ctfmen.exe | 32
PID 2072 wrote to memory of 2732 | 2072 | ctfmen.exe | 32
PID 2072 wrote to memory of 2732 | 2072 | ctfmen.exe | 32
PID 2072 wrote to memory of 2732 | 2072 | ctfmen.exe | 32
PID 2732 wrote to memory of 2200 | 2732 | smnss.exe | 33
PID 2732 wrote to memory of 2200 | 2732 | smnss.exe | 33
PID 2732 wrote to memory of 2200 | 2732 | smnss.exe | 33
PID 2732 wrote to memory of 2200 | 2732 | smnss.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\985064a0e5b1d348d94c7427483b25debac4467a649c671207aa2cabfdcf9dfd.exe"
  PID: 1152
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe
    Command line: ctfmen.exe
    PID: 2072
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe
      Command line: C:\Windows\system32\smnss.exe
      PID: 2732
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 896
        PID: 2200
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 183B
MD5: 626b75c1bfe29e445500875ef086a935
SHA1: 99153c29b3b1f297a949ed12fc0250f4cbe9d46f
SHA256: 6884ea6425a1aecf9ab41e7caad5f36559d3bcd48c2b9e44a0b1ea5c55b61365
SHA512: a7a20b16e61cba14a571ec29e2eae5551dd098c907929ff3da5f474d425a83fab673c501dee801b8d831abea2b8eae4843709a846e6671f7c10f67df8497dde2

Filesize: 2.3MB
MD5: 867be880cff475c4eb87d1649c522f7a
SHA1: 4e3f4ed25fb73de023e1363484a24d17074782e9
SHA256: 00d17ad7980cc15ed3fb6c0306c26ed0621552b4d4e56792191732aa0deb4cfc
SHA512: e3d15f1092139885203dddb447085010b579b642a9d1e4ced0e0734f6c000eed0a72c6bee7e4dd96ed3dd09eb0264728aaa0dfb585966808de397313d7dfcd3d

Filesize: 4KB
MD5: 450b492119e589d7d124262c3cc3d88b
SHA1: cde413b5f1452d5d10fa239ca36f88bb5f3108e8
SHA256: a347122e71fedaeeefa8755ebac87e3c3c82b0475761be3efadd8850e50333e4
SHA512: 52f4ff76f8148f8e7d9a4241f09a0cdc733a6a0ec360f85757b9c2ea0fc939935a56dd953182d6cc23c61253b4185ea613efb7ca7d3585fe25f7d16572d517e3

Filesize: 8KB
MD5: d0d6f2f0b2fe34f00a9c1c621e5e1395
SHA1: d7740872c4cfe6e9adee6b0325d6804ae46e9b2f
SHA256: b6c25eca311ec3de0cd8e5297648597b30570960898700ba01225cb5c05068c7
SHA512: 51ae9f1840f5d4e98627d1f21871b88389b8d86abfbee2479b4290481ca039179691bfb3a535806cf20e770e1afcf4b467cb3f62ccce36f8284abf6dc63fa92c