Analysis
- max time kernel: 99s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/10/2024, 06:34
Static task: static1
Behavioral task: behavioral1
- Sample: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
- Resource: win10v2004-20241007-en
General
- Target: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
- Size: 119KB
- MD5: 308db8ccf78842e1c0138471dbc8f420
- SHA1: 8fe9af4847dcdfd61f320cd66133299e84f7f04f
- SHA256: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28
- SHA512: aad374c61ffc0b4fc888a8f1bcf2ec976d5763cb458e69d93722b2da1aeaa0431dbbc89cda483d64cf9762dcfe15580312e7ed84043c41042ae4a39142ec8c4c
- SSDEEP: 3072:ZOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:ZIs9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
- resource: behavioral2/files/0x0008000000023caa-10.dat, yara_rule: acprotect
Executes dropped EXE (2 IoCs)
- PID 4420: ctfmen.exe
- PID 4348: smnss.exe
Loads dropped DLL (2 IoCs)
- PID 644: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe
- PID 4348: smnss.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" (process: smnss.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: smnss.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: smnss.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 (process: smnss.exe)
Drops file in System32 directory (12 IoCs)
- File created: C:\Windows\SysWOW64\smnss.exe (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- File opened for modification: C:\Windows\SysWOW64\satornas.dll (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- File created: C:\Windows\SysWOW64\zipfiaq.dll (process: smnss.exe)
- File created: C:\Windows\SysWOW64\shervans.dll (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- File opened for modification: C:\Windows\SysWOW64\shervans.dll (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- File created: C:\Windows\SysWOW64\grcopy.dll (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- File opened for modification: C:\Windows\SysWOW64\grcopy.dll (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- File created: C:\Windows\SysWOW64\satornas.dll (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- File created: C:\Windows\SysWOW64\zipfi.dll (process: smnss.exe)
- File created: C:\Windows\SysWOW64\smnss.exe (process: smnss.exe)
- File created: C:\Windows\SysWOW64\ctfmen.exe (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- File opened for modification: C:\Windows\SysWOW64\ctfmen.exe (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
Drops file in Program Files directory (64 IoCs)
Program crash (1 IoC)
- PID 3644 (target PID 4348): WerFault.exe, procid_target 88
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ctfmen.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: smnss.exe)
Modifies registry class (6 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" (process: smnss.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" (process: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 4348: smnss.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 644 wrote to memory of 4420: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe (procid_target 87)
- PID 644 wrote to memory of 4420: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe (procid_target 87)
- PID 644 wrote to memory of 4420: bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe (procid_target 87)
- PID 4420 wrote to memory of 4348: ctfmen.exe (procid_target 88)
- PID 4420 wrote to memory of 4348: ctfmen.exe (procid_target 88)
- PID 4420 wrote to memory of 4348: ctfmen.exe (procid_target 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe (depth 1, PID 644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf1a229251a53ea742dcb19277d949386fad6786e7efaf8a3e4a30a198b8ef28N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (depth 2, PID 4420)
    Command line: ctfmen.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (depth 3, PID 4348)
      Command line: C:\Windows\system32\smnss.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 3644)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1348
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 1156)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4348 -ip 4348
Network
MITRE ATT&CK Enterprise v15
Downloads