8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb

Analysis

max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 23:50 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
Size

2.3MB
MD5

f3c617fd5d59a2acdc8d69c84d65d76e
SHA1

965c7dc9b4a773e03c8d33257182ca0aaae1e48b
SHA256

8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb
SHA512

3d8242ec6ea531b12a6110c7664c393d97548fa88d6b5c818d138137bc99bb93848e438294ea97a9f752560d68117636240c2364db5eb43f40fc87e90fbd9fb5
SSDEEP

49152:ujvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:urkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000193d9-11.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2904	ctfmen.exe
2568	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2640	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
2640	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
2640	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
2904	ctfmen.exe
2904	ctfmen.exe
2568	smnss.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shervans.dll	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
File created	C:\Windows\SysWOW64\smnss.exe	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
File created	C:\Windows\SysWOW64\grcopy.dll	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
File created	C:\Windows\SysWOW64\satornas.dll	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2640	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
2568	smnss.exe
2568	smnss.exe
2568	smnss.exe
2568	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml	smnss.exe
File opened for modification	C:\Program Files\AssertSet.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	2568	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	smnss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2640	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
2568	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2904	2640	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe	31
PID 2640 wrote to memory of 2904	2640	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe	31
PID 2640 wrote to memory of 2904	2640	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe	31
PID 2640 wrote to memory of 2904	2640	8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe	31
PID 2904 wrote to memory of 2568	2904	ctfmen.exe	32
PID 2904 wrote to memory of 2568	2904	ctfmen.exe	32
PID 2904 wrote to memory of 2568	2904	ctfmen.exe	32
PID 2904 wrote to memory of 2568	2904	ctfmen.exe	32
PID 2568 wrote to memory of 1520	2568	smnss.exe	33
PID 2568 wrote to memory of 1520	2568	smnss.exe	33
PID 2568 wrote to memory of 1520	2568	smnss.exe	33
PID 2568 wrote to memory of 1520	2568	smnss.exe	33

C:\Users\Admin\AppData\Local\Temp\8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
"C:\Users\Admin\AppData\Local\Temp\8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1028
      4⤵
      Loads dropped DLL
      Program crash
      PID:1520

Network

DNS

qepswmenen.info

smnss.exe

Remote address:

8.8.8.8:53

Request

qepswmenen.info

IN A

Response

qepswmenen.info

IN CNAME

7450.bodis.com

7450.bodis.com

IN A

199.59.243.227
GET

http://qepswmenen.info/imgs/krewa/nqxa.php?id=64blqycl&s5=3159&lip=10.127.0.165&win=fWinS

smnss.exe

Remote address:

199.59.243.227:80

Request

GET /imgs/krewa/nqxa.php?id=64blqycl&s5=3159&lip=10.127.0.165&win=fWinS HTTP/1.1
Host: qepswmenen.info
User-Agent: explwer

Response

HTTP/1.1 200 OK

date: Sat, 28 Sep 2024 23:50:41 GMT
content-type: text/html; charset=utf-8
content-length: 1238
x-request-id: ce2f94b8-139f-4479-b6d3-409074279caa
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtBLcaAvxbv+CBShupI3ywDURcoA/Sw17gyFTdHsZzvyhGy9bD2nljjlOHqzJejrV6DXo07IgPxsHvsOxcyAnQ==
set-cookie: parking_session=ce2f94b8-139f-4479-b6d3-409074279caa; expires=Sun, 29 Sep 2024 00:05:42 GMT; path=/
DNS

gzip.org

smnss.exe

Remote address:

8.8.8.8:53

Request

gzip.org

IN MX

Response

gzip.org

IN MX

�
DNS

alumni.caltech.edu

smnss.exe

Remote address:

8.8.8.8:53

Request

alumni.caltech.edu

IN MX

Response

alumni.caltech.edu

IN MX

alumni-caltech-edumail protectionoutlookcom
DNS

megginson.com

smnss.exe

Remote address:

8.8.8.8:53

Request

megginson.com

IN MX

Response

megginson.com

IN MX

aspmx3 googlemail�

megginson.com

IN MX

aspmx4�4

megginson.com

IN MX

aspmx2�4

megginson.com

IN MX

alt2aspmxlgoogle�

megginson.com

IN MX

��

megginson.com

IN MX

alt1��

megginson.com

IN MX

aspmx5�4
DNS

aspmx4.googlemail.com

smnss.exe

Remote address:

8.8.8.8:53

Request

aspmx4.googlemail.com

IN A

Response

aspmx4.googlemail.com

IN A

142.250.157.27
DNS

aspmx3.googlemail.com

smnss.exe

Remote address:

8.8.8.8:53

Request

aspmx3.googlemail.com

IN A

Response

aspmx3.googlemail.com

IN A

74.125.200.27
DNS

jk.uni-linz.ac.at

smnss.exe

Remote address:

8.8.8.8:53

Request

jk.uni-linz.ac.at

IN MX

Response

jk.uni-linz.ac.at

IN MX

mail1edvz�

jk.uni-linz.ac.at

IN MX

mail3�7

jk.uni-linz.ac.at

IN MX

mail2�7

jk.uni-linz.ac.at

IN MX

mail4�7
DNS

mail2.edvz.uni-linz.ac.at

smnss.exe

Remote address:

8.8.8.8:53

Request

mail2.edvz.uni-linz.ac.at

IN A

Response

mail2.edvz.uni-linz.ac.at

IN A

140.78.3.69
DNS

cdata.tvnet.hu

smnss.exe

Remote address:

8.8.8.8:53

Request

cdata.tvnet.hu

IN MX

Response

cdata.tvnet.hu

IN MX

�
DNS

attbi.com

smnss.exe

Remote address:

8.8.8.8:53

Request

attbi.com

IN MX

Response
DNS

courtesan.com

smnss.exe

Remote address:

8.8.8.8:53

Request

courtesan.com

IN MX

Response

courtesan.com

IN MX

millertdev
DNS

bigelowandholmes.com

smnss.exe

Remote address:

8.8.8.8:53

Request

bigelowandholmes.com

IN MX

Response
DNS

gnu.org

smnss.exe

Remote address:

8.8.8.8:53

Request

gnu.org

IN MX

Response

gnu.org

IN MX

eggs�
DNS

waqnqmnqnh.in

smnss.exe

Remote address:

8.8.8.8:53

Request

waqnqmnqnh.in

IN A

Response
DNS

rwrepwprhs.org

smnss.exe

Remote address:

8.8.8.8:53

Request

rwrepwprhs.org

IN A

Response

rwrepwprhs.org

IN A

162.249.65.106
DNS

mail3.edvz.uni-linz.ac.at

smnss.exe

Remote address:

8.8.8.8:53

Request

mail3.edvz.uni-linz.ac.at

IN A

Response

mail3.edvz.uni-linz.ac.at

IN A

140.78.3.83
DNS

hwrnsnewhs.net

smnss.exe

Remote address:

8.8.8.8:53

Request

hwrnsnewhs.net

IN A

Response
DNS

qshwwqanwa.info

smnss.exe

Remote address:

8.8.8.8:53

Request

qshwwqanwa.info

IN A

Response
DNS

qshwwqanwa.info

smnss.exe

Remote address:

8.8.8.8:53

Request

qshwwqanwa.info

IN A

Response
DNS

hnhqrewean.net

smnss.exe

Remote address:

8.8.8.8:53

Request

hnhqrewean.net

IN A

Response
DNS

mail4.edvz.uni-linz.ac.at

smnss.exe

Remote address:

8.8.8.8:53

Request

mail4.edvz.uni-linz.ac.at

IN A

Response

mail4.edvz.uni-linz.ac.at

IN A

140.78.3.82
DNS

aspmx2.googlemail.com

smnss.exe

Remote address:

8.8.8.8:53

Request

aspmx2.googlemail.com

IN A

Response

aspmx2.googlemail.com

IN A

142.250.150.26
DNS

alumni-caltech-edu.mail.protection.outlook.com

smnss.exe

Remote address:

8.8.8.8:53

Request

alumni-caltech-edu.mail.protection.outlook.com

IN A

Response

alumni-caltech-edu.mail.protection.outlook.com

IN A

52.101.11.7

alumni-caltech-edu.mail.protection.outlook.com

IN A

52.101.10.1

alumni-caltech-edu.mail.protection.outlook.com

IN A

52.101.9.24

alumni-caltech-edu.mail.protection.outlook.com

IN A

52.101.40.24

199.59.243.227:80

http://qepswmenen.info/imgs/krewa/nqxa.php?id=64blqycl&s5=3159&lip=10.127.0.165&win=fWinS

http

smnss.exe

404 B
2.2kB
6
6

HTTP Request

GET http://qepswmenen.info/imgs/krewa/nqxa.php?id=64blqycl&s5=3159&lip=10.127.0.165&win=fWinS

HTTP Response

200
142.250.157.27:25

aspmx4.googlemail.com

smnss.exe

152 B
3
74.125.200.27:25

aspmx3.googlemail.com

smnss.exe

152 B
3
140.78.3.69:25

mail2.edvz.uni-linz.ac.at

smnss.exe

152 B
3
162.249.65.106:80

rwrepwprhs.org

smnss.exe

152 B
120 B
3
3
142.250.157.27:25

aspmx4.googlemail.com

smnss.exe

152 B
3
142.250.157.27:25

aspmx4.googlemail.com

smnss.exe

152 B
3
140.78.3.83:25

mail3.edvz.uni-linz.ac.at

smnss.exe

152 B
3
142.250.157.27:25

aspmx4.googlemail.com

smnss.exe

152 B
3
142.250.150.26:25

aspmx2.googlemail.com

smnss.exe

152 B
3

8.8.8.8:53

qepswmenen.info

dns

smnss.exe

61 B
105 B
1
1

DNS Request

qepswmenen.info

DNS Response

199.59.243.227
8.8.8.8:53

gzip.org

dns

smnss.exe

54 B
70 B
1
1

DNS Request

gzip.org
8.8.8.8:53

alumni.caltech.edu

dns

smnss.exe

64 B
126 B
1
1

DNS Request

alumni.caltech.edu
8.8.8.8:53

megginson.com

dns

smnss.exe

59 B
235 B
1
1

DNS Request

megginson.com
8.8.8.8:53

aspmx4.googlemail.com

dns

smnss.exe

67 B
83 B
1
1

DNS Request

aspmx4.googlemail.com

DNS Response

142.250.157.27
8.8.8.8:53

aspmx3.googlemail.com

dns

smnss.exe

67 B
83 B
1
1

DNS Request

aspmx3.googlemail.com

DNS Response

74.125.200.27
8.8.8.8:53

jk.uni-linz.ac.at

dns

smnss.exe

63 B
156 B
1
1

DNS Request

jk.uni-linz.ac.at
8.8.8.8:53

mail2.edvz.uni-linz.ac.at

dns

smnss.exe

71 B
87 B
1
1

DNS Request

mail2.edvz.uni-linz.ac.at

DNS Response

140.78.3.69
8.8.8.8:53

cdata.tvnet.hu

dns

smnss.exe

60 B
76 B
1
1

DNS Request

cdata.tvnet.hu
8.8.8.8:53

attbi.com

dns

smnss.exe

55 B
110 B
1
1

DNS Request

attbi.com
8.8.8.8:53

courtesan.com

dns

smnss.exe

59 B
86 B
1
1

DNS Request

courtesan.com
8.8.8.8:53

bigelowandholmes.com

dns

smnss.exe

66 B
125 B
1
1

DNS Request

bigelowandholmes.com
8.8.8.8:53

gnu.org

dns

smnss.exe

53 B
74 B
1
1

DNS Request

gnu.org
8.8.8.8:53

waqnqmnqnh.in

dns

smnss.exe

59 B
112 B
1
1

DNS Request

waqnqmnqnh.in
8.8.8.8:53

rwrepwprhs.org

dns

smnss.exe

60 B
76 B
1
1

DNS Request

rwrepwprhs.org

DNS Response

162.249.65.106
8.8.8.8:53

mail3.edvz.uni-linz.ac.at

dns

smnss.exe

71 B
87 B
1
1

DNS Request

mail3.edvz.uni-linz.ac.at

DNS Response

140.78.3.83
8.8.8.8:53

hwrnsnewhs.net

dns

smnss.exe

60 B
133 B
1
1

DNS Request

hwrnsnewhs.net
8.8.8.8:53

qshwwqanwa.info

dns

smnss.exe

122 B
280 B
2
2

DNS Request

qshwwqanwa.info

DNS Request

qshwwqanwa.info
8.8.8.8:53

hnhqrewean.net

dns

smnss.exe

60 B
133 B
1
1

DNS Request

hnhqrewean.net
8.8.8.8:53

mail4.edvz.uni-linz.ac.at

dns

smnss.exe

71 B
87 B
1
1

DNS Request

mail4.edvz.uni-linz.ac.at

DNS Response

140.78.3.82
8.8.8.8:53

aspmx2.googlemail.com

dns

smnss.exe

67 B
83 B
1
1

DNS Request

aspmx2.googlemail.com

DNS Response

142.250.150.26
8.8.8.8:53

alumni-caltech-edu.mail.protection.outlook.com

dns

smnss.exe

92 B
156 B
1
1

DNS Request

alumni-caltech-edu.mail.protection.outlook.com

DNS Response

52.101.11.7

52.101.10.1

52.101.9.24

52.101.40.24

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
7d905292a8b97f39fbd115daa7aae5bf

SHA1
2bac476154a5010ff9db918d7369ce995a514280

SHA256
c4c397c54b016f5dbfcef281976c840820b852d8f7ccf51a81774933d405ca6f

SHA512
182ef5bd5ffba9264a2ac59cbe1fe094e3de178aac6252cb41987cdbe0ebdc3fdd60eed7c6bb41c2bfc413bf9615a7aad7b73e3520e179dca17ebf374183e05f

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
657b9e36496ed81af0c9c1280a663966

SHA1
11092529b046098307bec84cc9f472029d2181a9

SHA256
267e216418b5a3cb5bfb99c1c3785cad5498c6f8f2caf56d442c3e6bed32ef8d

SHA512
df1f6acba2fdbd7f4b8e1fd456a37d5f8cbede1df5a520adb4564313c62cf2964df106a2381cb6078b45cc44aeb246675daa514822f7565ab71cc47431d8cba4

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
2a67f87074187016e5bb9ea5181447ff

SHA1
55cefebec4e3ec00845973ae34f0dc23a242c898

SHA256
9753d874718f1c9a23caa7fd18bf51d13ff143ca5508f27b26e084b3704231b1

SHA512
b150809051eb489a89a46b59b76d5c75e22134d1bfc1a0627bd755ecaa46eab113f2225ba36a902d04625abb7c0f3b7b34137a954e44c846bd0c40eb68cce1f1

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
2.3MB

MD5
5aba464bbcfb6278010d9ab7eb259fac

SHA1
d49f805cbd106fd4a02e12bccd0bd659d9d29edc

SHA256
02e44c28a98d3a4a5c20cbec29d8d92c9695041c2b7d75c71cece1ac6d8d6066

SHA512
8b0e3be04ab176feb5efa5bb2f649ea4e958807989a0d8c22077948e00709207a170a6c4b8a47eb35a4e8664532846472d6bdf93970ad113eba19dd068464701

Download Submit
memory/2568-36-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2568-52-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2568-47-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2568-45-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2568-46-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2568-44-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2568-42-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2640-20-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/2640-34-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2640-28-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2640-25-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2640-26-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/2640-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2640-13-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2640-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2904-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.