6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9

General

Target

6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
Size

2.3MB
MD5

825daf731bf5e5c1e833a1f9e2b92a10
SHA1

921a66e85e76318473d14cac8e3e338b1aa16655
SHA256

6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9
SHA512

20fc3bdc78d74f8a7c91bc361862deb7ce0d3df42c752c1c7a289bbe9b37ab9711851394b6796501c5f68909c743767f720108e250a704d5613ffd7b7520a1f2
SSDEEP

49152:Kjvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:KrkI9rSjA5aDo73pzF2bz3p9y4HgIoov

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234b2-11.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
740	ctfmen.exe
4208	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
4208	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shervans.dll	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
File created	C:\Windows\SysWOW64\grcopy.dll	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
File created	C:\Windows\SysWOW64\smnss.exe	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
File created	C:\Windows\SysWOW64\satornas.dll	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2864	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
2864	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
4208	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4500	4208	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4208	smnss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2864	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
4208	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 740	2864	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe	82
PID 2864 wrote to memory of 740	2864	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe	82
PID 2864 wrote to memory of 740	2864	6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe	82
PID 740 wrote to memory of 4208	740	ctfmen.exe	83
PID 740 wrote to memory of 4208	740	ctfmen.exe	83
PID 740 wrote to memory of 4208	740	ctfmen.exe	83

C:\Users\Admin\AppData\Local\Temp\6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe
"C:\Users\Admin\AppData\Local\Temp\6d886eadbff80170a8974d6f6d4eefb3d7ce1f06b672af2224f933fbe1bddbd9N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1472
      4⤵
      Program crash
      PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4208 -ip 4208
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
907ad19b051264a78689f97c7584730c

SHA1
cb1538e0d280169e867d767e81a035a59c4d8411

SHA256
95e86559b48e1c78fb3ba26e91737dd5e6d9c116c6b8b7456a429daa36a34b3d

SHA512
03b006ff5eb1f57027a4041ef5506f0afdb6e90c0983cc3f4f0f97acfa70bc9b597f796c68e26a203dbe6b02f7ae887dd120147a477110b86b49ef05bfe3cd1c

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
2.3MB

MD5
1bc07dbc2721bb4007a3226dffb42913

SHA1
83b12844df090e256012f01cf3391ad18a439440

SHA256
b0f64137cfa8b157a55a8c26ed9086ecfc3dd1d5c51cea1272be0ee1958f58fd

SHA512
74c50f6f43ea036bd5116fb388f49fb2aa942c06dce7cbb5b1ea8b039b874a4b4159e88d877f58896c51ed5cd4ed4e7fb03ae6c9238c5fbc48593f21b2dcc62e

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
0f485fc865c49f7d6836af61a2852700

SHA1
e8e61d7a8633eb943ec08cb525f6c877dc907ab8

SHA256
b562be6861e79a8586986896ed5f9280864bdabf76d547b26a72368d54b965a0

SHA512
201cb66f5290f6fdd608be9f6ebe6945c7ba996329e1abadabd292d9224d4b6f23b842c5341f1e3a4ec6d2f5959ea6e8d56bc06c9f3267d7ff8eb9a4d4a20174

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
063223fa6ce0a678323d6d836b15be74

SHA1
8fd6c81721c2d802dcfed71815fff1959214dadc

SHA256
0a73ee9597cee2a791f745e96329ae56488118363bcae9a91354da3e84669bcf

SHA512
cab96bb56ad11baf2a07a4e5955d4a14cbf4f85b103779fac8f8835aa434a9037e1d394168e202581ed4e91ed408cbd5f28877c79c0272977c30afb576f1a8ca

Download Submit
memory/740-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/740-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2864-30-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2864-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2864-0-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2864-14-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2864-29-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/2864-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4208-36-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4208-33-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download
memory/4208-40-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4208-44-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4208-43-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4208-42-0x0000000000400000-0x0000000000DCE000-memory.dmp

Filesize
9.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads