7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01a

General

Target

7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
Size

2.4MB
MD5

18a30dc10b5ec40019b53ba5c5170dd0
SHA1

a48365f3f9d8cfb5279bbeb58fb7fd652a662503
SHA256

7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01a
SHA512

63977dae26929f09adb4a4c8bb1cb8710a4e79be058d4f286c027b4c27c3c1e4771db73a3ef259b55a902861726f0096f9ad0ad0b48291a24b51e887566caa9f
SSDEEP

49152:GR/laMbYAp7s5nceEv7MuGOe4jPyTmE7ZIIKR01GSM8prnoo:GRNvpAceMjGL4jaCE7ZGCxh

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234de-11.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3964	ctfmen.exe
4920	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
4920	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
File created	C:\Windows\SysWOW64\shervans.dll	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
File created	C:\Windows\SysWOW64\grcopy.dll	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
File created	C:\Windows\SysWOW64\smnss.exe	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
File created	C:\Windows\SysWOW64\satornas.dll	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2536	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
2536	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
4920	smnss.exe
4920	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3960	4920	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	smnss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2536	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
4920	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 3964	2536	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe	82
PID 2536 wrote to memory of 3964	2536	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe	82
PID 2536 wrote to memory of 3964	2536	7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe	82
PID 3964 wrote to memory of 4920	3964	ctfmen.exe	83
PID 3964 wrote to memory of 4920	3964	ctfmen.exe	83
PID 3964 wrote to memory of 4920	3964	ctfmen.exe	83

C:\Users\Admin\AppData\Local\Temp\7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe
"C:\Users\Admin\AppData\Local\Temp\7748a7a6393fc9998d98fefcda3c23e4c313067f50f3965c20992b3daba0d01aN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1492
      4⤵
      Program crash
      PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4920 -ip 4920
1⤵
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
159dcf27f8b5b674a133cc5178ea1abd

SHA1
192678b2b76a8c4f562ff97d12e30d570476f752

SHA256
d615adb96d5a4185f8de14004cfdef56a25f7571296a91bc54a53b9ff6ff6d73

SHA512
9ee6d8730d5a0dfcf5719daee9781c9bbbd3cb64ac6ea8564daf5087ecfba931fd699cec564e57266db906e84210b85add2134366e195fb4e99e22e7be01f644

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
2.4MB

MD5
0d471b01cba0be052e5c7c6cc135ea38

SHA1
d908ce1755e48e0b4642655091bd9888156130bd

SHA256
897d95b9decd5cb3dde3ff1fff78143eb0bd8004c669c990de663bc58ec894de

SHA512
4f64ebe48cb408b93ae9dc37adbcc076ca69a692c2605fe88ecd921b36319fc2ea01940d99055b138f21b992565b382ddcb6326f75d3001f1caf4954007fc5c4

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
a14f1a883eaf054053e0f07021e260fc

SHA1
3814ab910894d6467d20e31f4798f1dd5aa69635

SHA256
ee34c9a9d5cf33ab588f75157fd0f66d92d155793bcf9ed31217d8880e3c9783

SHA512
474f2cfff745e5b9f75cdc81e31e5202cbd6bc1c099467f3173c9659c436b2c970da1bc106dfd2de8ead57aa080ab916ce8fabd3aaf73d141ba800f27b85f2c9

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
d8da9a8b1dbbca72f1b211a4a0dfe4f1

SHA1
2f8b4d1edbcebd1c6617fb4a108f3e31a0c719f3

SHA256
d72fd0390018393e7f17b6b740b566ec54cdc691b18ee081a08cbc2f1bdcdef1

SHA512
af9799be1df8bbad5d5ba3a3457244d94954ded2c586baff50cc28e9b93586bf1e644684159c725f5b8019a82bd53728794ccd9149bd81743e0d1c8538392d0a

Download Submit
memory/2536-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2536-14-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2536-30-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2536-0-0x0000000000400000-0x0000000000DCC000-memory.dmp

Filesize
9.8MB

Download
memory/2536-27-0x0000000000400000-0x0000000000DCC000-memory.dmp

Filesize
9.8MB

Download
memory/2536-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3964-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4920-33-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4920-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4920-32-0x0000000000400000-0x0000000000DCC000-memory.dmp

Filesize
9.8MB

Download
memory/4920-42-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4920-41-0x0000000000400000-0x0000000000DCC000-memory.dmp

Filesize
9.8MB

Download
memory/4920-43-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads