Analysis

max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 14/10/2024, 15:54

Static task: static1

Behavioral task: behavioral1
Sample: 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Resource: win10v2004-20241007-en
General

Target: 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Size: 119KB
MD5: 1a91c0ffd3c0bd7875ca1e737f51f070
SHA1: ff62e4253f64bdad802cdb5a6f16f32f94daab48
SHA256: 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836ef
SHA512: a38865b3acfa08333026df13e461bf481eea925507183ff09ecf168c0bef8932e45ec8c318c8948a7211fdbada8282399132a343ca4176fb912bb6a29034bf61
SSDEEP: 3072:+OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:+Is9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x0008000000015d7e-10.dat | acprotect
Executes dropped EXE (2 IoCs)
pid | Process
2812 | ctfmen.exe
2724 | smnss.exe
Loads dropped DLL (9 IoCs)
pid | Process
2704 | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
2704 | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
2704 | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
2812 | ctfmen.exe
2812 | ctfmen.exe
2724 | smnss.exe
1012 | WerFault.exe
1012 | WerFault.exe
1012 | WerFault.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
File created | C:\Windows\SysWOW64\shervans.dll | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
File created | C:\Windows\SysWOW64\grcopy.dll | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
File created | C:\Windows\SysWOW64\satornas.dll | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
File created | C:\Windows\SysWOW64\smnss.exe | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\History.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\readme.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\si.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml | smnss.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1012 | 2724 | WerFault.exe | 31
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smnss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Modifies registry class (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2724 | smnss.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2704 wrote to memory of 2812 | 2704 | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe | 30
PID 2704 wrote to memory of 2812 | 2704 | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe | 30
PID 2704 wrote to memory of 2812 | 2704 | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe | 30
PID 2704 wrote to memory of 2812 | 2704 | 6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe | 30
PID 2812 wrote to memory of 2724 | 2812 | ctfmen.exe | 31
PID 2812 wrote to memory of 2724 | 2812 | ctfmen.exe | 31
PID 2812 wrote to memory of 2724 | 2812 | ctfmen.exe | 31
PID 2812 wrote to memory of 2724 | 2812 | ctfmen.exe | 31
PID 2724 wrote to memory of 1012 | 2724 | smnss.exe | 32
PID 2724 wrote to memory of 1012 | 2724 | smnss.exe | 32
PID 2724 wrote to memory of 1012 | 2724 | smnss.exe | 32
PID 2724 wrote to memory of 1012 | 2724 | smnss.exe | 32
Processes

1. C:\Users\Admin\AppData\Local\Temp\6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6362501b72a737e729442ba94d3039289bb720f67739f797ea9bb252fb5836efN.exe"
   PID: 2704
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\ctfmen.exe
      Command line: ctfmen.exe
      PID: 2812
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\smnss.exe
         Command line: C:\Windows\system32\smnss.exe
         PID: 2724
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Maps connected drives based on registry
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 840
            PID: 1012
            - Loads dropped DLL
            - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 183B
MD5: 0b2d15cac2abc4fdc7dd543313397fb6
SHA1: 32aac72f3f8c2f9b95e1ae1318ec9c91ee545009
SHA256: 105e9ade156a1a50d54728221e2d5d8d500dd0466e79c51a8a9c94e82220288b
SHA512: 503ff5924cfd0a1989696adba693be48ab0b46a2c7d5a63179f1086af141ff9a1df903b6c1a3a85c193ab999d3b7c5f1f9bd34ddf408c2d4934cf1040cbf7753

Filesize: 4KB
MD5: eb51ad626c99b70633bbdee7c8eda865
SHA1: 08a6b6ba657bb9223ddad7b05d8fa8f2d4ca4d2c
SHA256: 5f2fa43361297c7cc31c073be1bbc15434c676d43cb1e3c7ba6fc1919bcdf005
SHA512: f0505c37c07e2e771d4e7bcf6bd951342ac4fb25b2748dbd676c9df18598dd8ab8c858ece40fdf995c508c225a3ae4cfe4a24105312f9737141d6eda9059b9a2

Filesize: 8KB
MD5: 797f57580854b8e75501ea47b8ca46bc
SHA1: 6b0f11217cb201a5998df04ec50995d1cc2e1861
SHA256: 9378d1c2792f31414ef052734487fe5443965ea4b1e74f0973dca991998d861b
SHA512: 6256725e6c2b3aa5607cf0876186b75e0b906c7f6cd3a40bddcd800c9933763abb0dafe2f38ffc8b6d3c8751dbb0462b3d0b40f24e1bea02b8d6801cefe31a36

Filesize: 119KB
MD5: 12775126223811b46faeb5892a174253
SHA1: 32bf5c185f4dea6e83bb9c0f82d0a186b5d0be9b
SHA256: 556d83bb325a73d190fa1913577f75a82b854c39a284dc04e7e8b371fccc93bb
SHA512: 3a9c0777813b0f75e973897a3777ecf3d46265948f1702ced2fd323df9a74a682e6672eb462ea69a065b1460311322e524f6dd6931ec47031d847d900a4863b2