Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 08-10-2024 22:05
Static task: static1

Behavioral task: behavioral1
- Sample: 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
- Resource: win10v2004-20241007-en
General
- Target: 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
- Size: 118KB
- MD5: 6140b34f70a0a3112cecb8cd324a64d7
- SHA1: 878dfbee59810a8d43b9c45196beb7cf0ec24f13
- SHA256: 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d
- SHA512: 603c2b82f2450f63eeb4f5725dbb53c5e111a0860e9a62adbc23ee8867fead9ec3bc14a9128deaeaee47ddd676eea834915328bff3f1abea3d0987a61358a524
- SSDEEP: 3072:QOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPo:QIs9OKofHfHTXQLzgvnzHPowYbvrjD/h
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource | yara_rule
  behavioral1/files/0x0008000000017429-10.dat | acprotect
Executes dropped EXE (2 IoCs)
  pid | Process
  1080 | ctfmen.exe
  2708 | smnss.exe
Loads dropped DLL (9 IoCs)
  pid | Process
  2644 | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  2644 | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  2644 | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  1080 | ctfmen.exe
  1080 | ctfmen.exe
  2708 | smnss.exe
  2608 | WerFault.exe
  2608 | WerFault.exe
  2608 | WerFault.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
Drops file in System32 directory (12 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
  File created | C:\Windows\SysWOW64\ctfmen.exe | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  File created | C:\Windows\SysWOW64\shervans.dll | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  File created | C:\Windows\SysWOW64\grcopy.dll | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  File created | C:\Windows\SysWOW64\smnss.exe | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  File opened for modification | C:\Windows\SysWOW64\satornas.dll | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
  File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  File opened for modification | C:\Windows\SysWOW64\shervans.dll | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  File created | C:\Windows\SysWOW64\satornas.dll | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by smnss.exe:
  - C:\Program Files\7-Zip\Lang\az.txt
  - C:\Program Files\7-Zip\Lang\kab.txt
  - C:\Program Files\7-Zip\Lang\sv.txt
  - C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml
  - C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml
  - C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml
  - C:\Program Files\7-Zip\Lang\an.txt
  - C:\Program Files\7-Zip\Lang\it.txt
  - C:\Program Files\7-Zip\Lang\mng.txt
  - C:\Program Files\7-Zip\Lang\ru.txt
  - C:\Program Files\7-Zip\Lang\tr.txt
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml
  - C:\Program Files\Java\jdk1.7.0_80\jre\README.txt
  - C:\Program Files\7-Zip\Lang\fr.txt
  - C:\Program Files\7-Zip\Lang\kaa.txt
  - C:\Program Files\7-Zip\Lang\yo.txt
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml
  - C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml
  - C:\Program Files\7-Zip\Lang\ca.txt
  - C:\Program Files\7-Zip\Lang\gl.txt
  - C:\Program Files\7-Zip\Lang\kk.txt
  - C:\Program Files\7-Zip\Lang\ky.txt
  - C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml
  - C:\Program Files\7-Zip\Lang\ro.txt
  - C:\Program Files\7-Zip\readme.txt
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml
  - C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml
  - C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
  - C:\Program Files\7-Zip\Lang\be.txt
  - C:\Program Files\7-Zip\Lang\nn.txt
  - C:\Program Files\7-Zip\Lang\zh-cn.txt
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml
  - C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml
  - C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt
  - C:\Program Files\7-Zip\Lang\ja.txt
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml
  - C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml
  - C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm
  - C:\Program Files\7-Zip\Lang\io.txt
  - C:\Program Files\7-Zip\Lang\lij.txt
  - C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm
  - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml
  - C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
  - C:\Program Files\7-Zip\Lang\af.txt
  - C:\Program Files\7-Zip\Lang\bg.txt
  - C:\Program Files\7-Zip\Lang\hy.txt
  - C:\Program Files\7-Zip\Lang\tg.txt
  - C:\Program Files\7-Zip\Lang\th.txt
  - C:\Program Files\7-Zip\Lang\tk.txt
  - C:\Program Files\7-Zip\Lang\bn.txt
  - C:\Program Files\7-Zip\Lang\el.txt
  - C:\Program Files\7-Zip\Lang\es.txt
  - C:\Program Files\7-Zip\Lang\pl.txt
  - C:\Program Files\7-Zip\Lang\pt-br.txt
  - C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml
  - C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt
  - C:\Program Files\7-Zip\Lang\hr.txt
  - C:\Program Files\7-Zip\Lang\si.txt
Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2608 | 2708 | WerFault.exe | 31
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smnss.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmen.exe
Modifies registry class (6 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2708 | smnss.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2644 wrote to memory of 1080 | 2644 | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe | 30
  PID 2644 wrote to memory of 1080 | 2644 | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe | 30
  PID 2644 wrote to memory of 1080 | 2644 | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe | 30
  PID 2644 wrote to memory of 1080 | 2644 | 5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe | 30
  PID 1080 wrote to memory of 2708 | 1080 | ctfmen.exe | 31
  PID 1080 wrote to memory of 2708 | 1080 | ctfmen.exe | 31
  PID 1080 wrote to memory of 2708 | 1080 | ctfmen.exe | 31
  PID 1080 wrote to memory of 2708 | 1080 | ctfmen.exe | 31
  PID 2708 wrote to memory of 2608 | 2708 | smnss.exe | 32
  PID 2708 wrote to memory of 2608 | 2708 | smnss.exe | 32
  PID 2708 wrote to memory of 2608 | 2708 | smnss.exe | 32
  PID 2708 wrote to memory of 2608 | 2708 | smnss.exe | 32
Processes
1. C:\Users\Admin\AppData\Local\Temp\5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5d7222d1cc8d61838885496ab9b86da43acdcd05c67ccdaa7025d2e65ca2781d.exe"
   PID: 2644
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\ctfmen.exe
      Command line: ctfmen.exe
      PID: 1080
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\smnss.exe
         Command line: C:\Windows\system32\smnss.exe
         PID: 2708
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Maps connected drives based on registry
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 820
            PID: 2608
            - Loads dropped DLL
            - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads