Analysis
-
max time kernel
119s
-
max time network
35s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
-
submitted
15/01/2025, 22:23
Static task
static1
Behavioral task
behavioral1
Sample
51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Resource
win10v2004-20241007-en
General
-
Target
51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
-
Size
195KB
-
MD5
3b76ea733003ab39d0c2b8762ab11bf0
-
SHA1
d605ba5122feea002f525c13fec78b32e6703d91
-
SHA256
51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea
-
SHA512
445a39910a68a206ad566a0aa04f8193ae155cfbed7b0d33f511453bc38aaf6f15f32503f8c80cd9209438f1563738d675a11021259bbc89b0df68cc06488541
-
SSDEEP
6144:JIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCyOd:wKofHfHTXQLzgvnzHPowYbvrjD/L7QP7
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x00070000000193d9-10.dat | acprotect
-
Executes dropped EXE 2 IoCs
pid | Process
2904 | ctfmen.exe
2884 | smnss.exe
-
Loads dropped DLL 9 IoCs
pid | Process
1876 | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
1876 | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
1876 | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
2904 | ctfmen.exe
2904 | ctfmen.exe
2884 | smnss.exe
2872 | WerFault.exe
2872 | WerFault.exe
2872 | WerFault.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
-
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\shervans.dll | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
File created | C:\Windows\SysWOW64\smnss.exe | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
File created | C:\Windows\SysWOW64\satornas.dll | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
File created | C:\Windows\SysWOW64\grcopy.dll | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm | smnss.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\Filters.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sw.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml | smnss.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tg.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\readme.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | smnss.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2872 | 2884 | WerFault.exe | 31
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smnss.exe
-
Modifies registry class 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2884 | smnss.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1876 wrote to memory of 2904 | 1876 | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe | 30
PID 1876 wrote to memory of 2904 | 1876 | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe | 30
PID 1876 wrote to memory of 2904 | 1876 | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe | 30
PID 1876 wrote to memory of 2904 | 1876 | 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe | 30
PID 2904 wrote to memory of 2884 | 2904 | ctfmen.exe | 31
PID 2904 wrote to memory of 2884 | 2904 | ctfmen.exe | 31
PID 2904 wrote to memory of 2884 | 2904 | ctfmen.exe | 31
PID 2904 wrote to memory of 2884 | 2904 | ctfmen.exe | 31
PID 2884 wrote to memory of 2872 | 2884 | smnss.exe | 32
PID 2884 wrote to memory of 2872 | 2884 | smnss.exe | 32
PID 2884 wrote to memory of 2872 | 2884 | smnss.exe | 32
PID 2884 wrote to memory of 2872 | 2884 | smnss.exe | 32
Processes
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe"
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1876
-
Process (depth 2): C:\Windows\SysWOW64\ctfmen.exe
Command line: ctfmen.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2904
-
Process (depth 3): C:\Windows\SysWOW64\smnss.exe
Command line: C:\Windows\system32\smnss.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2884
-
Process (depth 4): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 796
- Loads dropped DLL
- Program crash
PID: 2872
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
183B
MD5
7b11620471bf8853d4ed722fe1de3cbf
SHA1
4b2db6e0dd666e98c3026ef90446df2cc425c72e
SHA256
7eac7146cafbdbed05adad84c1b9c2b75fd43b17e37f04395e124351ddeacb95
SHA512
644dff32bbb560952b4fe98df5c90e998af80e22f1dd4f2a87353378dab434cccf73c68bf09a25a1843152c8c8c54acfa4ca6cf47f7b970623c40abfd580e9e6
-
Filesize
4KB
MD5
fd187149680f9ea8f6f8954626dc29df
SHA1
f670da46d779c198ce7f585fa3cacef606c2b905
SHA256
9e10268a58eb84d7bbc14157a404a1971088cce2abf67b6bb88e5a41122c5a73
SHA512
a663a8222f3a6448efd754f3c37ce0e674be4e06d32898c7bd7128ed135c60d570cadec3bcdb2ac99beb3a01f1d250d7608ac7a343632b70d5f4b78093480b0a
-
Filesize
8KB
MD5
8f38ecbc549b5b3715611ffd4467efa3
SHA1
f975f3fd4476cf44ad32acb5d44f401c05f7910d
SHA256
849686cecb6eac45acd5cabd320034d6b09c17031e620ab559d89adf667d5ef9
SHA512
f2cebeb24fe0e2569f0e86d19a1d343349e47d77a3e91b5bb98c867c9ba521e1d6a5048da513834d171322e38eae670f206ae27221d77d3633029cdf2d6fa939
-
Filesize
195KB
MD5
242b3e51371db461b2812c06b3d90988
SHA1
ee6dacaf84dd5ce6cd70581cfd9e56622badcc43
SHA256
20c53dc5f672e723080fff553e61797c39018d4745c24e4395adcebdb53d3155
SHA512
20e4282a9bdec9e6a6606524b307bc1a664e633006d2c0fe997899d2ea9dfe839dfda309f071522739b0daaa2bc2f9d0dc2517b23680e0e3308ad4a7bf9b704b