5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782c

Analysis

max time kernel
69s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
Size

127KB
MD5

5cea0594d8f2182442ce40d6933543c0
SHA1

441d79a32e498c90c6e54296a2311d39a0161299
SHA256

5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782c
SHA512

6c7c0b8dac97f4f0edb03bb33fe35ac917fa69b406251a82705cfdef5e05388f60b30bb69d02d3a23b8e3cabbbcb0d6b98d44e3368e898d1edc223b39241cf62
SSDEEP

3072:9OjWuyt0ZHqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPz:9IH9OKofHfHTXQLzgvnzHPowYbvrjD/e

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000017409-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2680	ctfmen.exe
2776	smnss.exe

Loads dropped DLL 9 IoCs

pid	Process
2224	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
2224	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
2224	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
2680	ctfmen.exe
2680	ctfmen.exe
2776	smnss.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\satornas.dll	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
File created	C:\Windows\SysWOW64\grcopy.dll	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
File created	C:\Windows\SysWOW64\smnss.exe	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	smnss.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	smnss.exe
File opened for modification	C:\Program Files\DismountSuspend.doc	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	smnss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	smnss.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1996	2776	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	smnss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2680	2224	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe	30
PID 2224 wrote to memory of 2680	2224	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe	30
PID 2224 wrote to memory of 2680	2224	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe	30
PID 2224 wrote to memory of 2680	2224	5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe	30
PID 2680 wrote to memory of 2776	2680	ctfmen.exe	31
PID 2680 wrote to memory of 2776	2680	ctfmen.exe	31
PID 2680 wrote to memory of 2776	2680	ctfmen.exe	31
PID 2680 wrote to memory of 2776	2680	ctfmen.exe	31
PID 2776 wrote to memory of 1996	2776	smnss.exe	32
PID 2776 wrote to memory of 1996	2776	smnss.exe	32
PID 2776 wrote to memory of 1996	2776	smnss.exe	32
PID 2776 wrote to memory of 1996	2776	smnss.exe	32

C:\Users\Admin\AppData\Local\Temp\5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe
"C:\Users\Admin\AppData\Local\Temp\5211b9bce9b1f4c5d396ece3d525ea2790b4d2ef2d2f47577d0b36b782af782cN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 828
      4⤵
      Loads dropped DLL
      Program crash
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
c08ae830b6fd8f639ba8e4d09bb632bb

SHA1
e1efdb79f57917ca19880185a3031a4ecc4f1562

SHA256
98c75cf6b408bcb7e7dafe9c63ca913369f478955f1fdf2c312b8e6db20bdf6f

SHA512
6dfd2298a374d90a3260d9eafe0e20e3294534993d4acb574e0c8c7cf9b528eff60985dab4c0c4e1444201fd6e9dfd75188cd0b95386f4cca76fb50a273d5016

Download Submit
C:\Windows\SysWOW64\smnss.exe

Filesize
127KB

MD5
b2dd5f06cd7fd9a3671233fec94a3ce5

SHA1
2988b314635bfb7a5c668891a7cb38225e44e49a

SHA256
96f2a219fecb0dca3a914f4c331e5eb653ce7bb87b4c27479c6baf6f2395495e

SHA512
6750a6226cee7da7a3b546c3e9e516bc0ffc4dd15a29efd9119cb216228f757067c23a610fab0705fd9c0688b5205f699c857fd2cd6147275c5b55072331e15a

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
750a5858c6195bd70585784b00f95f96

SHA1
d1bef85cec02e4a1a00db58f1c3e7df759caf9bf

SHA256
83a8725d167ac4e541d8ca1b15b64f8b77e6174bdb27fd311fca744c0cfee790

SHA512
655c3a69e0d87a3c5e15b5c8f08a0071a759b6963217276e6f69e5afd407deffffdf14d05a969a1f14ef13bdaba59cf34b62722ff666820d8e38d3b57b5472d4

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
753690db961f1e4353d24de16247d1fe

SHA1
c49bcbf272a317ee73c03784240642bb1059c069

SHA256
ba26621874a640bf78e53b3aadee65f34d56a93893c103e879d744336664ef6d

SHA512
c2b99af8e7e93ef3994eb08fe736525aed178a5ee691078b5109a78db60639e589caa3680b0cca3c8e03018c76e6c6884ae130013c2e734576d42138add45abf

Download Submit
memory/2224-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2224-26-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2224-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2224-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2680-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2680-30-0x0000000000320000-0x0000000000341000-memory.dmp

Filesize
132KB

Download
memory/2680-33-0x0000000000320000-0x0000000000341000-memory.dmp

Filesize
132KB

Download
memory/2776-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2776-41-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2776-46-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2776-47-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads