Analysis
- max time kernel: 94s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
- submitted: 28-09-2024 23:50

Static task: static1

Behavioral task: behavioral1
- Sample: 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
- Resource: win10v2004-20240802-en
General
- Target: 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
- Size: 2.3MB
- MD5: f3c617fd5d59a2acdc8d69c84d65d76e
- SHA1: 965c7dc9b4a773e03c8d33257182ca0aaae1e48b
- SHA256: 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb
- SHA512: 3d8242ec6ea531b12a6110c7664c393d97548fa88d6b5c818d138137bc99bb93848e438294ea97a9f752560d68117636240c2364db5eb43f40fc87e90fbd9fb5
- SSDEEP: 49152:ujvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:urkI9rSjA5aDo73pzF2bz3p9y4HgIoov
Malware Config

Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoCs)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral2/files/0x0007000000023437-11.dat | acprotect

- Executes dropped EXE (2 IoCs)
  pid | Process
  3504 | ctfmen.exe
  4340 | smnss.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  3224 | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  4340 | smnss.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe

- Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe

- Drops file in System32 directory (12 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  File opened for modification | C:\Windows\SysWOW64\satornas.dll | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
  File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
  File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
  File created | C:\Windows\SysWOW64\ctfmen.exe | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  File created | C:\Windows\SysWOW64\shervans.dll | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  File created | C:\Windows\SysWOW64\grcopy.dll | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  File opened for modification | C:\Windows\SysWOW64\shervans.dll | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  File created | C:\Windows\SysWOW64\smnss.exe | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  File created | C:\Windows\SysWOW64\satornas.dll | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid | Process
  3224 | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  4340 | smnss.exe
  4340 | smnss.exe

- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml | smnss.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\History.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml | smnss.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml | smnss.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\README.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml | smnss.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml | smnss.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml | smnss.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | smnss.exe
  File opened for modification | C:\Program Files\7-Zip\License.txt | smnss.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml | smnss.exe

- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  2948 | 4340 | WerFault.exe | 83

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmen.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smnss.exe

- Modifies registry class (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4340 | smnss.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  3224 | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  4340 | smnss.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3224 wrote to memory of 3504 | 3224 | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe | 82
  PID 3224 wrote to memory of 3504 | 3224 | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe | 82
  PID 3224 wrote to memory of 3504 | 3224 | 8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe | 82
  PID 3504 wrote to memory of 4340 | 3504 | ctfmen.exe | 83
  PID 3504 wrote to memory of 4340 | 3504 | ctfmen.exe | 83
  PID 3504 wrote to memory of 4340 | 3504 | ctfmen.exe | 83
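The Run-key, InprocServer32, disk-Enum and NLS rows above are the kind of registry telemetry a triage script can score without a sandbox. What follows is an added example, not the sandbox's own code or anything shipped with the sample: a small Python rule set run over a constructed event list transcribed from the rows above. The event schema, the rule names and the benign `setup.exe` control row are this example's assumptions. It also applies WOW64 file-system redirection to the Run value, which is why the registry says `C:\Windows\system32\ctfmen.exe` while the file was actually dropped in `C:\Windows\SysWOW64`: a 32-bit process on an x64 host that opens system32 is redirected to SysWOW64. The InprocServer32 rule keys on where the new COM DLL lives rather than on the CLSID, because whether {E6FB5E20-DE35-11CF-9C87-00AA005127ED} already existed on the host (which would make this a hijack rather than a fresh registration) is not something the report states and should be checked against a clean image.

```python
"""Triage rules over sandbox-style registry events (added example; the event
rows are transcribed from the Signatures section, the schema and rule names
are assumptions of this example, and the "setup.exe" row is a constructed control)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    process: str    # image name as the report prints it
    op: str         # "Set value", "Key opened" or "Key value queried"
    key: str        # NT-style key path, e.g. \REGISTRY\MACHINE\...
    data: str = ""  # value data for "Set value" rows


SAMPLE = "8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe"
HKLM = "\\REGISTRY\\MACHINE\\"

SAMPLE_EVENTS = [
    RegEvent(SAMPLE, "Set value",
             HKLM + "SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmen",
             "C:\\Windows\\system32\\ctfmen.exe"),
    RegEvent(SAMPLE, "Set value",
             HKLM + "SOFTWARE\\Classes\\WOW6432Node\\CLSID\\"
             "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\\InprocServer32\\",
             "C:\\Windows\\SysWow64\\shervans.dll"),
    RegEvent("smnss.exe", "Key value queried",
             HKLM + "SYSTEM\\ControlSet001\\Services\\disk\\Enum\\0"),
    RegEvent("ctfmen.exe", "Key opened",
             HKLM + "SYSTEM\\ControlSet001\\Control\\NLS\\Language"),
    RegEvent("setup.exe", "Set value",  # constructed benign control row
             HKLM + "SOFTWARE\\Classes\\CLSID\\"
             "{11111111-2222-3333-4444-555555555555}\\InprocServer32\\",
             "C:\\Program Files\\Vendor\\vendor.dll"),
]

# Paths from "Drops file in System32 directory" in the report.
DROPPED_FILES = {
    "C:\\Windows\\SysWOW64\\ctfmen.exe", "C:\\Windows\\SysWOW64\\smnss.exe",
    "C:\\Windows\\SysWOW64\\shervans.dll", "C:\\Windows\\SysWOW64\\grcopy.dll",
    "C:\\Windows\\SysWOW64\\satornas.dll",
}

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
INPROC32 = re.compile(r"\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32\\?$", re.I)
DISK_ENUM = re.compile(r"\\Services\\disk\\Enum(\\\d+)?$", re.I)
NLS_LANG = re.compile(r"\\Control\\NLS\\Language$", re.I)

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"


def wow64_actual_path(path, process_is_32bit=True):
    # File-system redirection: a 32-bit process on x64 that opens
    # C:\Windows\system32\X actually touches C:\Windows\SysWOW64\X.
    if process_is_32bit and path.lower().startswith(SYSTEM32):
        return "C:\\Windows\\SysWOW64\\" + path[len(SYSTEM32):]
    return path


def classify(ev):
    """Map one event to (rule, detail), or None if no rule fires."""
    if ev.op == "Set value" and RUN_KEY.search(ev.key):
        return ("persistence.run_key", ev.process + " -> " + ev.data.strip('"'))
    if ev.op == "Set value" and INPROC32.search(ev.key):
        # A COM server DLL planted in a Windows system directory is far more
        # suspect than a vendor DLL under Program Files. A production rule would
        # also diff against the CLSID's previous InprocServer32 value.
        if ev.data.lower().startswith((SYSTEM32, SYSWOW64)):
            return ("com.inprocserver32_in_system_dir", ev.process + " -> " + ev.data)
        return None
    if ev.op in ("Key opened", "Key value queried") and DISK_ENUM.search(ev.key):
        # Enum\0, Enum\1 hold disk device instance IDs, which expose the
        # virtual disk vendor string on VM and sandbox guests.
        return ("evasion.disk_enum_fingerprint", ev.process)
    if NLS_LANG.search(ev.key):
        return ("discovery.system_language", ev.process)
    return None


def triage(events):
    """Group findings by rule name -> list of details."""
    findings = {}
    for ev in events:
        hit = classify(ev)
        if hit is not None:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings


def run_targets_backed_by_drops(events, dropped, process_is_32bit=True):
    """Run-key targets that resolve (after WOW64 redirection) to a dropped file."""
    dropped_lc = {p.lower() for p in dropped}
    hits = []
    for ev in events:
        if ev.op == "Set value" and RUN_KEY.search(ev.key):
            actual = wow64_actual_path(ev.data.strip('"'), process_is_32bit)
            if actual.lower() in dropped_lc:
                hits.append(actual)
    return hits


if __name__ == "__main__":
    for rule, details in sorted(triage(SAMPLE_EVENTS).items()):
        print(rule, details)
    print("run targets backed by drops:",
          run_targets_backed_by_drops(SAMPLE_EVENTS, DROPPED_FILES))
```

On the report's rows this yields four rule hits (persistence, COM server in a system directory, disk-Enum fingerprinting, language discovery), leaves the constructed vendor registration alone, and confirms that the Run value, once redirected to SysWOW64, points at the `ctfmen.exe` the sample dropped.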
Processes
- C:\Users\Admin\AppData\Local\Temp\8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8168cfffcb1d97b08b1892063bd84589bea9333c7b7db5bbb87cc85ddd8620cb.exe"
  PID: 3224
  Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe
    Command line: ctfmen.exe
    PID: 3504
    Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe
      Command line: C:\Windows\system32\smnss.exe
      PID: 4340
      Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Maps connected drives based on registry
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1700
        PID: 2948
        Signatures:
          - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4340 -ip 4340
  PID: 3508
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 4fd3cf5a283dd25a7e3c7136cddc7090
  SHA1: 603804339504d4d8c1a515630e2280e441e973af
  SHA256: 40deb411baade37833547d83c813628b903cefabeb96435a69e3111208b1010f
  SHA512: e10cd0a7fbd5cb8c031b66b54973ca65498e2beea2fd7e1e0fd85dcfae8e4854a8eadb6189bec1cda2991ec827984accb6c860a34aad9d847a8738d8d1c009a9
- Filesize: 2.3MB
  MD5: 3c76bd30ac236eed9f00804fa2ecec78
  SHA1: 30349d872e4b31d414d930603060167a4a43e49a
  SHA256: 8135821e6baba6a574fcaddcaa5f0514e9048908ca276bd6eff0c272531e7a58
  SHA512: 03311c7bdfcd8a2779094bdd9c9148b7140a0e4b03ec7e71712aad0489c98ec977957e54014321c25a04ff69c65c6786eaac96467271d5cce912fc72fafe65d2
- Filesize: 183B
  MD5: ff21884c6a796f8d85b58127cf41d2ed
  SHA1: fb818efe0285e1ec8bc1b07d6e264d368acc84a4
  SHA256: dfac9fc1d3dda1ff21b9a08f81384197dac7a9df66e95622fab52968a99ee097
  SHA512: 832010795e36fb4a86dea982a82905e9b63f191dacd18dc11c88a3f32d02353671cc84ccac5bee930f879f317eee79a0ec60ce93737ac7a73f7bddf17d606277
- Filesize: 8KB
  MD5: 58c2678601434ba2cd89dac9f10c9c15
  SHA1: d5b537eb9bdd6a20c6cfb845ebf0d5d1a2063cf7
  SHA256: 733030d3a1d3b4075d2d7f184a9f0a961557f57a7b2c40156387182b5644a7f1
  SHA512: 3cab49e1443e139bca67a1cde1be016815da7ed76f0e46b389bfe5004821a9d92995d75dfcafe035e396469291c14d0b20c48063a9e2b114b9c97437246fef16