Analysis
max time kernel: 84s
max time network: 25s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2025, 12:28
Static task: static1
Behavioral task: behavioral1
Sample: e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Resource: win10v2004-20241007-en
General
Target: e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Size: 2.3MB
MD5: 084256eccff7dda8cc984a65842bfc1f
SHA1: c0413ff79f3c605491881def2747104a73173ed3
SHA256: e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d
SHA512: 87cbf6b57803c4ab11750578debfdd0f41615c4036492eb7e0c5b4386b849261d7f2bd28562f750c5e6965f19a623d9d566e10e10570fcc6b36173f2e6762596
SSDEEP: 49152:Sjvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNev:SrkI9rSjA5aDo73pzF2bz3p9y4HgIooX
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x0007000000019266-11.dat | acprotect
Executes dropped EXE (2 IoCs)
pid | Process
2824 | ctfmen.exe
2580 | smnss.exe
Loads dropped DLL (9 IoCs)
pid | Process
2084 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
2084 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
2084 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
2824 | ctfmen.exe
2824 | ctfmen.exe
2580 | smnss.exe
2168 | WerFault.exe
2168 | WerFault.exe
2168 | WerFault.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 | smnss.exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
File created | C:\Windows\SysWOW64\smnss.exe | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
File created | C:\Windows\SysWOW64\satornas.dll | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
File created | C:\Windows\SysWOW64\shervans.dll | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
File created | C:\Windows\SysWOW64\grcopy.dll | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
File opened for modification | C:\Windows\SysWOW64\satornas.dll | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
2084 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
2084 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
2580 | smnss.exe
2580 | smnss.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
All 64 entries share the same description (File opened for modification) and the same Process (smnss.exe); the ioc column lists the following paths:
C:\Program Files\7-Zip\Lang\az.txt
C:\Program Files\7-Zip\Lang\be.txt
C:\Program Files\7-Zip\Lang\ko.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml
C:\Program Files\7-Zip\Lang\kab.txt
C:\Program Files\7-Zip\Lang\ug.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml
C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
C:\Program Files\7-Zip\Lang\et.txt
C:\Program Files\7-Zip\Lang\mk.txt
C:\Program Files\7-Zip\Lang\th.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml
C:\Program Files\7-Zip\Lang\de.txt
C:\Program Files\7-Zip\Lang\mng2.txt
C:\Program Files\7-Zip\Lang\ta.txt
C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm
C:\Program Files\7-Zip\Lang\fi.txt
C:\Program Files\7-Zip\Lang\ka.txt
C:\Program Files\7-Zip\Lang\kk.txt
C:\Program Files\7-Zip\Lang\uk.txt
C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml
C:\Program Files\7-Zip\Lang\gu.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml
C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm
C:\Program Files\Java\jdk1.7.0_80\jre\README.txt
C:\Program Files\7-Zip\Lang\sr-spl.txt
C:\Program Files\7-Zip\License.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml
C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
C:\Program Files\7-Zip\Lang\co.txt
C:\Program Files\7-Zip\Lang\ext.txt
C:\Program Files\7-Zip\Lang\ku.txt
C:\Program Files\7-Zip\Lang\uz.txt
C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml
C:\Program Files\7-Zip\Lang\sv.txt
C:\Program Files\7-Zip\readme.txt
C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml
C:\Program Files\7-Zip\Lang\it.txt
C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt
C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml
C:\Program Files\7-Zip\Lang\ast.txt
C:\Program Files\7-Zip\Lang\el.txt
C:\Program Files\7-Zip\Lang\fy.txt
C:\Program Files\7-Zip\Lang\hu.txt
C:\Program Files\7-Zip\Lang\kaa.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml
C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
C:\Program Files\7-Zip\Lang\eo.txt
C:\Program Files\7-Zip\Lang\hy.txt
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2168 | 2580 | WerFault.exe | 32
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smnss.exe
Modifies registry class (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2580 | smnss.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2084 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
2580 | smnss.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2084 wrote to memory of 2824 | 2084 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe | 31
PID 2084 wrote to memory of 2824 | 2084 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe | 31
PID 2084 wrote to memory of 2824 | 2084 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe | 31
PID 2084 wrote to memory of 2824 | 2084 | e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe | 31
PID 2824 wrote to memory of 2580 | 2824 | ctfmen.exe | 32
PID 2824 wrote to memory of 2580 | 2824 | ctfmen.exe | 32
PID 2824 wrote to memory of 2580 | 2824 | ctfmen.exe | 32
PID 2824 wrote to memory of 2580 | 2824 | ctfmen.exe | 32
PID 2580 wrote to memory of 2168 | 2580 | smnss.exe | 33
PID 2580 wrote to memory of 2168 | 2580 | smnss.exe | 33
PID 2580 wrote to memory of 2168 | 2580 | smnss.exe | 33
PID 2580 wrote to memory of 2168 | 2580 | smnss.exe | 33
Processes
C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5c50a22f1d888e3a9bbcbca6ccab908ef1490652912a283d6e9dd427deb902d.exe"
  PID: 2084
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\ctfmen.exe
    Command line: ctfmen.exe
    PID: 2824
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\smnss.exe
      Command line: C:\Windows\system32\smnss.exe
      PID: 2580
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 900
        PID: 2168
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 183B
MD5: ab53fcffaf2f0383921549050d5a1efa
SHA1: 9ccdf3c440e5fd7d9007d67cbc477703ab31b273
SHA256: c92222c15720210ac94c60a5e208d205f5d089a03bdc1d4321452ff683c1776a
SHA512: dcd7476422b832cf818fbf4f9a112958c05800189c5b557c33e69821fb9d923ad87dbd1dea35d6c1574c496241209ee2afeab2539d14dfac75b81da2ca99c71a

Filesize: 4KB
MD5: 7ca41d1b59b5d9e3a687b7327ff6f910
SHA1: 52dc595f32447867f16966bfb4d41d397a274d38
SHA256: c9420938a49ddbc1d854c45ede73befdbacf28d291831f715a44ff19dc9b0ca2
SHA512: cb9660015e10e105293e80006d51a7501825e458c5779bcd594a255fba5aa7f3736cf98fb3f0478cc7328d2f37066a72994078d666ecc9edd100f7f85ea08a8c

Filesize: 8KB
MD5: 1f658daafefa15a33910ee33bd5e89a5
SHA1: 89a05b8b90d301ab7970dfb667be4679c138fce7
SHA256: 20d26bc9dc98d91fc501e0fa9b281c3a3e3439fcc8bf444942131047bb12c2a0
SHA512: 83aee922532627a8899469db40a885fcb6cadada520a644e99e771b9ceab57bc9f95858864761a0bc1e4eca977a73e8eab0b5c31094590024113bb8df7eb0215

Filesize: 2.3MB
MD5: 661dc7d04f0c5ac68fe4ced2600f79fe
SHA1: 08196a8ff04d17741877a409c5c2216f8da02d9c
SHA256: 294e8d5a85176aa655024cc512df830b837c03fbd6d83aee1d6e7410bb81aa3f
SHA512: ef73d681b5a210ff9cf86258383fd144336695a5caa596832b757a15fd8a6a9d210369d82174657ce4279a01a89a9b6e409f9d41032f3ace22a6e660005cc179