Analysis

max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/09/2024, 16:55
Static task: static1

Behavioral task: behavioral1
  Sample: f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
  Resource: win10v2004-20240802-en
General

Target: f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Size: 2.3MB
MD5: 3acf0f8250e73855a38a3391f6839300
SHA1: 303df2cf9b94808dae96640115b9fa55c30f9637
SHA256: f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171
SHA512: 8b70668c1bbb0d624836f50a3d61c951eeae4376ef99b410731f8b3d7debf29340caa6aa4260b81b220a97943311238e233eaf204cb4052c9e9106bf48bb576e
SSDEEP: 49152:3jvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:3rkI9rSjA5aDo73pzF2bz3p9y4HgIoov
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x000700000002344a-11.dat | acprotect
Executes dropped EXE (2 IoCs)
pid | Process
2496 | ctfmen.exe
3640 | smnss.exe
Loads dropped DLL (2 IoCs)
pid | Process
1676 | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
3640 | smnss.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
File created | C:\Windows\SysWOW64\smnss.exe | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
File created | C:\Windows\SysWOW64\satornas.dll | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
File created | C:\Windows\SysWOW64\shervans.dll | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
File created | C:\Windows\SysWOW64\grcopy.dll | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
1676 | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
1676 | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
3640 | smnss.exe
3640 | smnss.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\Content.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | smnss.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt | smnss.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\Welcome.html | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\Office16\OSPP.HTM | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jmc.txt | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jre-1.8\README.txt | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | smnss.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt | smnss.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt | smnss.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt | smnss.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml | smnss.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4052 | 3640 | WerFault.exe | 83
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smnss.exe
Modifies registry class (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3640 | smnss.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1676 | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
3640 | smnss.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1676 wrote to memory of 2496 | 1676 | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe | 82
PID 1676 wrote to memory of 2496 | 1676 | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe | 82
PID 1676 wrote to memory of 2496 | 1676 | f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe | 82
PID 2496 wrote to memory of 3640 | 2496 | ctfmen.exe | 83
PID 2496 wrote to memory of 3640 | 2496 | ctfmen.exe | 83
PID 2496 wrote to memory of 3640 | 2496 | ctfmen.exe | 83
Processes

C:\Users\Admin\AppData\Local\Temp\f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f6c4e719a3d232fe70157ad15e5e19affcc65692e43296c83247fe9f3b1d5171N.exe"
  PID: 1676
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\ctfmen.exe
    Command line: ctfmen.exe
    PID: 2496
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\smnss.exe
      Command line: C:\Windows\system32\smnss.exe
      PID: 3640
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1780
        PID: 4052
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3640 -ip 3640
  PID: 3228
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: e3e41ff0b45d40324f70d27e8e6ee6cb
SHA1: c56d0aa94f7532b12f40094a371a3c0d3b98ce29
SHA256: c7fea055ed66593bcf08318763be9485342acb04151300668d3e0f024764994f
SHA512: f75f8918229325d786a53377200184abfed731530bdda4c8e33d83146cbb45bf81caafa6d9ad1ad614b081030b5f2450d618961f065c749477202eb28249016b

Filesize: 2.3MB
MD5: b0b82985179373b1bfae7819c41075cb
SHA1: 94d080d7f86113e28d8566f74212a910963095e7
SHA256: 41e65044c187df85ed3e6722e4396c0b0034310f5a80594ef2dfbf7af407430e
SHA512: 9f559e32c371a43e587cd0bfe1af0137a58a093e92a0569cbb47cad5b303f53fc8ac789e48ae7e1ea8689bc38ba8ff2c2d5585341de190b1ea6f9d52aba1236b

Filesize: 183B
MD5: b34c5527375cd05f2cdc4878488d982e
SHA1: 32644a490f6f652e59157a8d37f8b02c4080694b
SHA256: dff059524c751cfedbd744c6a04721d678e2ad9481269c68a5447ee7b81090a2
SHA512: 0c33461c19c5165514b80efd1d8c73a649054c771cdc94e9787fedf307629f070c1ed4d67a65c23e0dedbb3cbd77d111176ee7b164bf8469a6ece9386366b93c

Filesize: 8KB
MD5: e71d44a50dab97cc56aba47dbd3f736c
SHA1: 450e31e738a5cff2917339182a50e4b1bc302e3c
SHA256: 8de425a9b6d77baa8b9d88ce1f9d7dda32057c39fc39ab17845c47a4d8910f08
SHA512: 5fbd89cd98345f5e52f0e6b8586167a13715592c2e918cde51e291a504d9d8725e7a5f499d1c066582f16b4eb110bf537572eb0223d73fb7f9ef348546e87f60