22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020

General

Target

22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
Size

2.3MB
MD5

e9c005cc7665fc55216828c6990dbb00
SHA1

85e65ce913daf5b8a020e6d5fc893f6d11aea628
SHA256

22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020
SHA512

4bc413a4722bbf0337dc9aebad025aa222c0f61f8e5d24d651e802580b0e838bca534665493dc2f4c2b17b7c575da3e1467a6c59921ec652d6e9a9babee08eea
SSDEEP

49152:Yjvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:YrkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0031000000023b8d-11.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1220	ctfmen.exe
4156	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
532	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
4156	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
File created	C:\Windows\SysWOW64\smnss.exe	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
File created	C:\Windows\SysWOW64\satornas.dll	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
File created	C:\Windows\SysWOW64\grcopy.dll	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
532	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
532	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
4156	smnss.exe
4156	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
228	4156	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	smnss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
532	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
4156	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 1220	532	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe	90
PID 532 wrote to memory of 1220	532	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe	90
PID 532 wrote to memory of 1220	532	22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe	90
PID 1220 wrote to memory of 4156	1220	ctfmen.exe	91
PID 1220 wrote to memory of 4156	1220	ctfmen.exe	91
PID 1220 wrote to memory of 4156	1220	ctfmen.exe	91

C:\Users\Admin\AppData\Local\Temp\22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe
"C:\Users\Admin\AppData\Local\Temp\22f776e408322da328270dfaa26f597fed8bdaeb1a0c6bb02d528ab3f9b14020N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1468
      4⤵
      Program crash
      PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4156 -ip 4156
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
c19fb4abdee0d98b8a9bf3731adff783

SHA1
89cfbb028d47c17c1dd5ae8278b522722f5f6c47

SHA256
5cd86759c2d3a84fe825614222717dd8a70ffbfccddfeb478bfb82aaa9cdc057

SHA512
9fda8560a42b938d8f858b81c1af14ac61b089c69d41c0f706ea83d50eb665658d6f6332d9ff7078d0cc0dcba752b1fa4f4ceb0204deae52ba4351c386b908f7

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
2.3MB

MD5
f7a9380fc6b83dc0ded46cc6636bf98b

SHA1
b760da851bbbf6d19bb33095e9cecd51e2b6b369

SHA256
0dd478389f0b367ff8f39212ce14412f8e7f10d42bca73d18a15cd10d3af64a6

SHA512
dd51660854307d0251af11f6e7dd9a50881984712271f718ce71677d44d16cba867fee5fb3582540e6acd2bf4db13c4ac74dc2b5a5a93e62efbe304ec0bec644

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
a36d35d3c6cd2ed0d178488dd67c3fce

SHA1
28f35c73b13193bf22800122a3c6d0665a96790a

SHA256
c40ee76c15c93d6616f2abeda495902295064ceec351e3fad69051b57cea6248

SHA512
9f674ba65e246ae011554752cb1138b3023a4227089d91f44cefc81e9309f4b9d118c46345c9c2a46ac78fc2ef14813e9589e14b34ad95c55acc5c2ce17ecac3

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
58c6560da4401794afa466d0c030656d

SHA1
68e8d69468eb12952b2b03c194c9475a2277c529

SHA256
671bc9ffd4b89fb0e4d1a6526ca575c3034bf8d9ff5abaf6ae353059d812c4c5

SHA512
d27da42615da427b666f7a6b84cbb36be73da4ac11ca22b8545280b1d69106a4aa1c9abb05d986b2b6b6289cbc6c94f6826c47be00b483197c41769136f36393

Download Submit
memory/532-27-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/532-14-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/532-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/532-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/532-32-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/532-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1220-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1220-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4156-33-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/4156-34-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4156-41-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/4156-42-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4156-43-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads