ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c

General

Target

ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Size

75KB
MD5

8493064ce37fd991c631d08a8ee5049d
SHA1

6bc1eb2326e0438afc5bcea8a87af350097eccd1
SHA256

ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c
SHA512

9a483b8bb60d6e1a02fef89aa49e75ba5318e9054f2aa909b5f9c0ae6c37e11ef8a8083734a2ad333bdfb5c096c901fbbf468fa12319f1b5f54aa5bb8f40c3b3
SSDEEP

1536:ix1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3E:COjWuyt0ZsqsXOKofHfHTXQLzgvnzHPM

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023ba7-9.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
5104	ctfmen.exe
3660	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
5012	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
3660	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created	C:\Windows\SysWOW64\shervans.dll	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created	C:\Windows\SysWOW64\smnss.exe	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created	C:\Windows\SysWOW64\satornas.dll	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created	C:\Windows\SysWOW64\grcopy.dll	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
376	3660	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 5104	5012	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe	90
PID 5012 wrote to memory of 5104	5012	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe	90
PID 5012 wrote to memory of 5104	5012	ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe	90
PID 5104 wrote to memory of 3660	5104	ctfmen.exe	91
PID 5104 wrote to memory of 3660	5104	ctfmen.exe	91
PID 5104 wrote to memory of 3660	5104	ctfmen.exe	91

C:\Users\Admin\AppData\Local\Temp\ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe
"C:\Users\Admin\AppData\Local\Temp\ca12f667816ddeab99ef8c95ad19b37235a2364db1216fe6ffae6d2d3372635c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 1340
      4⤵
      Program crash
      PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3660 -ip 3660
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
b345d6a0bd2365963bba348ecf6c95f9

SHA1
82cce03299b8e126e26ebaae44f6fced64b0ca45

SHA256
932cff14fc48a1b89c2193e85c349355bbe26d025b3b4345d2c43d2d1ec4dfbc

SHA512
a17ac09160a805bbe62aa1cc65f1072e6af085d8464936a9d8eed004c02c9a26f4c1c5472feb4de732f327b10e3fc43387aa9b4cb33d25bbc05eaa2d53bfc071

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
75KB

MD5
36d36ec7f0d4fec05bd4ac5901f37a49

SHA1
0847f213fee6a9ef0ad66b4a9c328d43cbc509d7

SHA256
bdf7d94e11155753a0d7b950cc5ceef15caed70051e63f04777e7d29336e784e

SHA512
0f3fc8c69570df00dbda2cf0586625c02bc205603bc8fb00793e3fe7660984325a12fd54137684df8048a2bc98a6b6f7658aedef09ec4e559b15224eca18739e

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
ecbddabc9fa4b347466b71d558fb44c1

SHA1
e2ce4882a469af47e33fc54e901faaa46682f887

SHA256
4ee6051985da8d6500738448285dc8ed71b9a036c1661603ed147b92d148c52f

SHA512
f4b9c44b965d0fc3be55b8535f2bb491941bc02ac8007e8e75341703a4b3d7b16b5fb9564b50cc479a64c9ec409adb6a4164691b17b935fa544913ec7a2c6709

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
3818bf530b3f454b5e19f9384648ea88

SHA1
6d1b2f37c869c87c9811a85081c2e05949066ca5

SHA256
13b954b7353b1595cad903af2ec4349434aa6179b5431a12a5ea585958af1e87

SHA512
b6f66ac7bf5e0c5f6451bea15ef07e0ead737ed03eeee544d78f06c616544aaeb9510d9d2979726a1516f5d7877badf432671c7fd002da5110019a92ccb231ac

Download Submit
memory/3660-36-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3660-37-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3660-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/5012-11-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/5012-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/5012-22-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5104-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5104-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads