bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28

Analysis

max time kernel
17s
max time network
17s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
Size

119KB
MD5

308db8ccf78842e1c0138471dbc8f420
SHA1

8fe9af4847dcdfd61f320cd66133299e84f7f04f
SHA256

bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28
SHA512

aad374c61ffc0b4fc888a8f1bcf2ec976d5763cb458e69d93722b2da1aeaa0431dbbc89cda483d64cf9762dcfe15580312e7ed84043c41042ae4a39142ec8c4c
SSDEEP

3072:ZOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:ZIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000001938e-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2988	ctfmen.exe
1696	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
1528	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
1528	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
1528	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
2988	ctfmen.exe
2988	ctfmen.exe
1696	smnss.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
File created	C:\Windows\SysWOW64\shervans.dll	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
File created	C:\Windows\SysWOW64\satornas.dll	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
File created	C:\Windows\SysWOW64\smnss.exe	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\grcopy.dll	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	1696	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2988	1528	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe	30
PID 1528 wrote to memory of 2988	1528	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe	30
PID 1528 wrote to memory of 2988	1528	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe	30
PID 1528 wrote to memory of 2988	1528	bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe	30
PID 2988 wrote to memory of 1696	2988	ctfmen.exe	31
PID 2988 wrote to memory of 1696	2988	ctfmen.exe	31
PID 2988 wrote to memory of 1696	2988	ctfmen.exe	31
PID 2988 wrote to memory of 1696	2988	ctfmen.exe	31
PID 1696 wrote to memory of 2908	1696	smnss.exe	32
PID 1696 wrote to memory of 2908	1696	smnss.exe	32
PID 1696 wrote to memory of 2908	1696	smnss.exe	32
PID 1696 wrote to memory of 2908	1696	smnss.exe	32

C:\Users\Admin\AppData\Local\Temp\bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
"C:\Users\Admin\AppData\Local\Temp\bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 804
      4⤵
      Loads dropped DLL
      Program crash
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
0bfb4e57086fcad57b0910c79ca9f798

SHA1
5d67ac3cb3a9fab46fa59db10a2261842b0ad982

SHA256
a3ecd04bbf965fb37ab8309e70af4e424c135101de7287cc16fede0286669a16

SHA512
668256e5e69009b58abbfe5cee8f2725ac69d97f07d12ec1149453c1eed81fca1a880530996a9fd9e37e4c2fb390e8d0d25a2eb2011e13edc2f5df2102e78b00

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
afff0204fd8952c38894a4b7c51ee41b

SHA1
a6d0433fa215a098fbcae40e4b9b5a9e2b2c4ef5

SHA256
f3dc2978da980cf8bdfd48f082179cfaadd7fcdf4cea17eea083de981f0806e5

SHA512
e770e79c9646ed09a631721ca17cf4b37a1f1953b834a5b2feeb48ab2fcc45b9d9d2cdbba011a5ce90ae6e6465fa64ca6e4b7ff2dc2e8fdd5e2ede81fc65bd2d

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
4aec818a2f89c7d1e622832fbc2e917b

SHA1
2cf3afdb17350bd0159a4495e1a4c300cb3e7de0

SHA256
8fb7016f16fa07b075ffef3791643f7ec1edc397fbbca135e903de5dca23667e

SHA512
94909b187b6106dab49cb13019236d24167463e0eca660b401ad67e6a4c0e29665b5bcfe139825a7cd9906c097e59b8e82914e633abf1302a6f4e774f45fd5ba

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
119KB

MD5
3daf92a3abc59553581aa9fbbaa47260

SHA1
4011f39b89587b9bab70f24efce77e7acb0ede9e

SHA256
3d681fa93ad5d6f4e4c722e9cb001be07d1779be7469cbb9f08bb57c3b8c6587

SHA512
ed8c6c562a093262f65472afcf1fadf4809f695e27721ccbf0ab3f586213e84c42ae3899a3e172e74fad5b1a53a24f13ae47997c84002f82e5470532ab0aa2fd

Download Submit
memory/1528-18-0x0000000000380000-0x0000000000389000-memory.dmp

Filesize
36KB

Download
memory/1528-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1528-29-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1528-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1528-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1696-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1696-40-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1696-45-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1696-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2988-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads