Analysis

max time kernel: 84s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2024 05:52

Static task: static1

Behavioral task: behavioral1
  Sample: 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
  Resource: win10v2004-20240802-en
General

Target: 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Size: 119KB
MD5: 74153712f95974ac55e19073f1707190
SHA1: 62c0a4b762bff17eda8785c7502e7d5a622b900e
SHA256: 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467d
SHA512: b5cdf5fa9fc9ae8419e1d110538d5f37cdba8bf8a4d61a5fd9737cdf44c57ad00215c69a474ca1061681fe6ffe5e85145c14037b2f17a86c76982ab057454d5a
SSDEEP: 3072:yOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:yIs9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.

resource | yara_rule
behavioral1/files/0x0008000000016dd0-10.dat | acprotect
Executes dropped EXE (2 IoCs)

pid | Process
2772 | ctfmen.exe
2680 | smnss.exe
Loads dropped DLL (9 IoCs)

pid | Process
2336 | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
2336 | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
2336 | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
2772 | ctfmen.exe
2772 | ctfmen.exe
2680 | smnss.exe
2648 | WerFault.exe
2648 | WerFault.exe
2648 | WerFault.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
Drops file in System32 directory (12 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File created | C:\Windows\SysWOW64\grcopy.dll | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
File created | C:\Windows\SysWOW64\shervans.dll | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
File created | C:\Windows\SysWOW64\smnss.exe | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
File created | C:\Windows\SysWOW64\satornas.dll | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm | smnss.exe
File opened for modification | C:\Program Files\HideNew.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\History.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\README.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hy.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml | smnss.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
2648 | 2680 | WerFault.exe | 32
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smnss.exe
Modifies registry class (6 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)

description | pid | Process
Token: SeDebugPrivilege | 2680 | smnss.exe
Suspicious use of WriteProcessMemory (12 IoCs)

description | pid | Process | procid_target
PID 2336 wrote to memory of 2772 | 2336 | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe | 31
PID 2336 wrote to memory of 2772 | 2336 | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe | 31
PID 2336 wrote to memory of 2772 | 2336 | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe | 31
PID 2336 wrote to memory of 2772 | 2336 | 199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe | 31
PID 2772 wrote to memory of 2680 | 2772 | ctfmen.exe | 32
PID 2772 wrote to memory of 2680 | 2772 | ctfmen.exe | 32
PID 2772 wrote to memory of 2680 | 2772 | ctfmen.exe | 32
PID 2772 wrote to memory of 2680 | 2772 | ctfmen.exe | 32
PID 2680 wrote to memory of 2648 | 2680 | smnss.exe | 33
PID 2680 wrote to memory of 2648 | 2680 | smnss.exe | 33
PID 2680 wrote to memory of 2648 | 2680 | smnss.exe | 33
PID 2680 wrote to memory of 2648 | 2680 | smnss.exe | 33
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\199af6fabe177c520bc0426eecd9dff4d4d5b8a4b8b53bbacc0aee6b6f31467dN.exe"
  PID: 2336
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\ctfmen.exe
    Command line: ctfmen.exe
    PID: 2772
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\smnss.exe
      Command line: C:\Windows\system32\smnss.exe
      PID: 2680
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 824
        PID: 2648
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 183B
MD5: 91d0f2f261608d802a14aa557927a403
SHA1: 8c512e7e3b29e6d4fc68d7a32ed84f5e659999e7
SHA256: 25174740805e9f208970a20e63dd89ab306f75be98c403ebf7a5683cd0e28bed
SHA512: 4057990d281e50bf6cfbe06f3769f759c52744feec5b886e572f8738e3b5d8d741b4d4102578d6e95ab1ca773e040b796bb77d423733990bc93420c3c56a7726

Filesize: 4KB
MD5: d0586a2866ed09a8b46b59dbdec56178
SHA1: 1abee9e8c6e769dc436d0ad73988e7774529979b
SHA256: 4d6331d21e4660d7484c0c6b5fec4cdcfa0f82a91c438fe746714a9a4e7ccabd
SHA512: 8aa26c3d4205ce45f33616f92454992e15bd06cf7efebcb97639e7179d116260ebd72a51c2b1a72e07326b72f097f033e715b6626932103fd5c6cac3b854eef6

Filesize: 8KB
MD5: ab8f26e32b01a04941ca0c61ce757eec
SHA1: 45923dd620a24eee55eea3d8ee0bf55e7d8c5593
SHA256: 9f5adbe76410a994ba0dac709d94aacc39acc8facf68bc01863965bc69e102a6
SHA512: 35fdc61d66997628fe261cfda41ad87d90d0b5fcad882df9104959f13a30f2d576496c9e1527af4d902325fb64d0b9a1396d733d5e65e81c8dae7d182b13d052

Filesize: 119KB
MD5: 873ccd4e772165e0ad8b7d02c587e286
SHA1: 61b2ca8648b11904741688cee21678c6551649a8
SHA256: 1dd5a1ce04de4a0959c829f6d26721a25bed1f08bc70e6e3fc8adf6bcf6960a4
SHA512: 53c3f58b465a8165ffbcbbf89c3e89c885ac93311f02994784b434d525f870861cad106ea2c265f2d14aa09baf11b6998458f761de8d48f8480476d81dcb6055