db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 03:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
Size

152KB
MD5

7b01314c8e4706e0fa1c2a7e2e70af53
SHA1

a5b9b5fec2da5154ad88e61dc41b1bb9fd4a5de5
SHA256

db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac
SHA512

5d7e030dcffa474625512dfe9b36dff7cd6345d1c26e7dbae3328f31508a962428e4c53fcb5eb74b8fe89978d603b7766188b170e0860f79a4162e8bbaf35b95
SSDEEP

3072:uOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPt:uIs9OKofHfHTXQLzgvnzHPowYbvrjD/6

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023c7f-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
216	ctfmen.exe
4120	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
4740	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
4120	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmen.exe	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
File created	C:\Windows\SysWOW64\shervans.dll	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
File created	C:\Windows\SysWOW64\grcopy.dll	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
File created	C:\Windows\SysWOW64\smnss.exe	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
File created	C:\Windows\SysWOW64\satornas.dll	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.ja-jp.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4084	4120	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 216	4740	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe	87
PID 4740 wrote to memory of 216	4740	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe	87
PID 4740 wrote to memory of 216	4740	db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe	87
PID 216 wrote to memory of 4120	216	ctfmen.exe	88
PID 216 wrote to memory of 4120	216	ctfmen.exe	88
PID 216 wrote to memory of 4120	216	ctfmen.exe	88

C:\Users\Admin\AppData\Local\Temp\db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe
"C:\Users\Admin\AppData\Local\Temp\db2afe0232f9d31fa7195e009deaecf1d17661ed5132b959e25bc433d70a11ac.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1392
      4⤵
      Program crash
      PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4120 -ip 4120
1⤵
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
5f99edbe676450be51b9a1a518e01728

SHA1
6eb68ba733d643fdc472214ec81ab4adedaf2615

SHA256
d2045ec86fe463c1ec0ec764837625f4dd27c438d251cee594b73e1f99d9838b

SHA512
c6692ae183a15ef9d866dabf49dcd2abbc57325ef283c4944d2c548732b37f6122541071f96c3fcb1379f940cf353acca35e75ed2fd882e2a45b68757b0832c1

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
152KB

MD5
b123467a3bb3e0e4cce1d51672375b2b

SHA1
58cb6610543302cf452eba78bdd64420c11e5305

SHA256
5852a6d87986e42926569e21efb2f513250446d43b1e171cc7938f6638e7b579

SHA512
4627d516dc886e60f37c39e9377a1db3f23a42861c3e62a0cc58887a27fbf831e12646bd20ebc391aa9098cc3144b94f8a467be01e1ae79434324314c89ae6a2

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
94295156e74e5cf1521e1710710078e8

SHA1
0383acefe82ac0a4da0bd880f62b6383238bb2c8

SHA256
8471ce28f78176e688a0653418138ed7b447bc3d78bb15fcb052f7ee5c931dfe

SHA512
63cb83005dbee2253c5903aeb7334993791a414467e1e83b9b563078ab4c0ba085093e046de2e889e3a32a5720745ab9996b8761bc49a867e4d16c1c67ddd704

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
0b95e2f5f0628191d5baa58fec951785

SHA1
555340dc64cf48d81f746bb72ae2389942806a2d

SHA256
064f913817a441461a3ed37716bb585f253fda6ceaf72d84f10ddf9d89497912

SHA512
0946ac87c6d49811583d94dcb2db04279ac039a8c0a999c699a95364c51a237613453ef06f0d76ff2bb4347c70a9ac081096d16da7adf2f97be5871948fe33a6

Download Submit
memory/216-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/216-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4120-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4120-37-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4120-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4120-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4740-13-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4740-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4740-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4740-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads