10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
Size

119KB
MD5

9828271777175cea0ef2f6da99e29517
SHA1

4a734bef63f42cbbddbb429bb2f845bf80d3a4a3
SHA256

10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd
SHA512

45bb9d2815510636f1a97fb56ef9231d9250edbce50506e472ab19965a72047431c7448f6621823743ef9be5fa32a81fdd2e73962780dfb9c734fecf6a882c05
SSDEEP

3072:0OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:0Is9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016d68-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2892	ctfmen.exe
484	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2128	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
2128	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
2128	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
2892	ctfmen.exe
2892	ctfmen.exe
484	smnss.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smnss.exe	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
File created	C:\Windows\SysWOW64\satornas.dll	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
File created	C:\Windows\SysWOW64\shervans.dll	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
File created	C:\Windows\SysWOW64\grcopy.dll	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\ConvertUse.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2780	484	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	484	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2892	2128	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe	31
PID 2128 wrote to memory of 2892	2128	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe	31
PID 2128 wrote to memory of 2892	2128	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe	31
PID 2128 wrote to memory of 2892	2128	10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe	31
PID 2892 wrote to memory of 484	2892	ctfmen.exe	32
PID 2892 wrote to memory of 484	2892	ctfmen.exe	32
PID 2892 wrote to memory of 484	2892	ctfmen.exe	32
PID 2892 wrote to memory of 484	2892	ctfmen.exe	32
PID 484 wrote to memory of 2780	484	smnss.exe	33
PID 484 wrote to memory of 2780	484	smnss.exe	33
PID 484 wrote to memory of 2780	484	smnss.exe	33
PID 484 wrote to memory of 2780	484	smnss.exe	33

C:\Users\Admin\AppData\Local\Temp\10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe
"C:\Users\Admin\AppData\Local\Temp\10663ef8ab454757031f4027efc9375f23f9dbf73488c471a16eaa519effddcd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 824
      4⤵
      Loads dropped DLL
      Program crash
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
4ff504962bc2c5ef722f460de359c8b2

SHA1
e3d1aadc4daa496cd2545a591359abfa154e857a

SHA256
9b419522d84a99a35e5bd2b5d3ad4478b5bd92ae6e61f5a03dc3bcbac4b75e0f

SHA512
ab9d9f1d314ceae9ac262a4480c8934fc1b19bf484b577c86abca63317857d3b85bad4ceeb8a71f21042233070a46cdc08772a2a6b6c4ef8484cd6ba993b6915

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
75a635cd1a3a2d3b55a91ed13e30682e

SHA1
4406eaa99d0ef104559ec60b9b270362dd4e2307

SHA256
bed5f046387850f8ba26c99bdd2f2d1aa41d899b546581ac1a0a7e87e1ca4206

SHA512
df8910375a6cca47ff5292fa12a6a1ed81d9d7c4a7485c08c92597f37fbac0869866bb34ffe59f887cdc7233484657020bf46bfb89f198bdc2cbe9456c988540

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
aeac3de013fd46d8dee7f4a5740288a2

SHA1
a34dfb04df35857b5fbfc453b9cf4728fcf3f0be

SHA256
1772d22480fea6099cba67c4eb14b0df5cee6bebdd6f15c15c3927e86e2f7c00

SHA512
6c1e7a7b6949abe013101328a0b4b5dd2ca6a0e735522126d26c3b04a9a0acd27d9a1595581c8318437eabb24921594251c9f1fa0da8dfefa06b0831c820f2ca

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
119KB

MD5
d020ea1f872dc4c51a87170907599fbe

SHA1
1d8ad77068f48e8ae4ef4eefe5397223977285f8

SHA256
59f5a7907accb5b4400778b2d4b0272ccc8253afb817f23a4b205821d1941e5c

SHA512
fef735a3e115e0694a2d62631549c1b589643afdf7af2767fed7d4125683a3bb7765bf0a46a3e26d7990a0096797dfd635d3739fcf7fcf42a172203f7f315d66

Download Submit
memory/484-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/484-45-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/484-35-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2128-28-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2128-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2128-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2128-18-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/2128-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2892-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2892-31-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads