f943830b8655054fc335287f728f99e537d53257936ef6ceb72ddf06cf225f73

General

Target

f623163a9c25a7ac53482557aba945f0N.exe
Size

119KB
MD5

f623163a9c25a7ac53482557aba945f0
SHA1

54b1ad27af640a69c77a221822960db8cf833c34
SHA256

f943830b8655054fc335287f728f99e537d53257936ef6ceb72ddf06cf225f73
SHA512

6db949364040b9ae3bdcc161fe993a889a99c8094ff92ea58d7803d7cd2de75f5e27b6d106fd844b6c6aaed7211ee9c53f8323e3208ffad708eca144d5965b59
SSDEEP

3072:TOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:TIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002343e-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3388	ctfmen.exe
3100	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
1696	f623163a9c25a7ac53482557aba945f0N.exe
3100	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	f623163a9c25a7ac53482557aba945f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f623163a9c25a7ac53482557aba945f0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	f623163a9c25a7ac53482557aba945f0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	f623163a9c25a7ac53482557aba945f0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shervans.dll	f623163a9c25a7ac53482557aba945f0N.exe
File created	C:\Windows\SysWOW64\smnss.exe	f623163a9c25a7ac53482557aba945f0N.exe
File created	C:\Windows\SysWOW64\satornas.dll	f623163a9c25a7ac53482557aba945f0N.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	f623163a9c25a7ac53482557aba945f0N.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	f623163a9c25a7ac53482557aba945f0N.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	f623163a9c25a7ac53482557aba945f0N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	f623163a9c25a7ac53482557aba945f0N.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\grcopy.dll	f623163a9c25a7ac53482557aba945f0N.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	f623163a9c25a7ac53482557aba945f0N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1476	3100	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f623163a9c25a7ac53482557aba945f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	f623163a9c25a7ac53482557aba945f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f623163a9c25a7ac53482557aba945f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f623163a9c25a7ac53482557aba945f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	f623163a9c25a7ac53482557aba945f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	f623163a9c25a7ac53482557aba945f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 3388	1696	f623163a9c25a7ac53482557aba945f0N.exe	91
PID 1696 wrote to memory of 3388	1696	f623163a9c25a7ac53482557aba945f0N.exe	91
PID 1696 wrote to memory of 3388	1696	f623163a9c25a7ac53482557aba945f0N.exe	91
PID 3388 wrote to memory of 3100	3388	ctfmen.exe	92
PID 3388 wrote to memory of 3100	3388	ctfmen.exe	92
PID 3388 wrote to memory of 3100	3388	ctfmen.exe	92

C:\Users\Admin\AppData\Local\Temp\f623163a9c25a7ac53482557aba945f0N.exe
"C:\Users\Admin\AppData\Local\Temp\f623163a9c25a7ac53482557aba945f0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 1320
      4⤵
      Program crash
      PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3100 -ip 3100
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
a710aa03ad464cdb403c630237281212

SHA1
4dd8eaddb0193b1419ee8365e56791c35b814892

SHA256
67b1d0335e42353568f42d0831222344e68fc51c44c8a681a7fb25b3bc8b0692

SHA512
b123edc92d6fce734ddffeb1ae71f05c1787852ca26631f2be83f9681ed5b82f832834a4c7346a72d4690cd0419ad5a008fe7364fe71a3138b5dc84bf76383a0

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
119KB

MD5
c27a0dceba4784db6a364afbe27f2fdf

SHA1
11e8e1ab66d4850ec92a08613252bac64b530093

SHA256
3485787a6c639136554c477cc4cedbe3e8160adad54e52bc4f8283b5e4c70593

SHA512
fae37bf8cc725d76433877e4c083e5b8d6a70e3ac45e7054a25aec725b307bcd1fd5f86c7281509e24bee9a6f922c40630744a1d95fd3bf044e40c39d9554f55

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
60ffe526913edeadf759e4c03bca6ae4

SHA1
960eac1dff169cc1cbbf50b2fc1957130ad7215f

SHA256
8ba09189f0484c6735dbab6c43f23523c088d2f40256592cc84f72f8613c2b6c

SHA512
5514f9e665ceaf2c512c646d437c66f57368406d0157f65072e42dbfa193e69843b692cfe4d92dd0f3b353f2cfa5a42d3a941b6d10130f230ea61f28c27a84ec

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
17508f3e97d42036675bc868c3e48b60

SHA1
846937bb2240b14346ed4f927c78ad7410e30ac1

SHA256
b4cfef2d9dbe55d38121bbc85f332852b77485b42bf11848759daab4fb875208

SHA512
29b37135cc37956495e4e99d91a28a04125a9ef054a15f75d45ba4d0362c95e134909be6b37d590f1231554af030246893e82c04ff8c0c3aa2c52b110d4b6d75

Download Submit
memory/1696-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1696-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1696-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1696-13-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3100-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3100-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3100-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3100-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3388-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3388-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads