0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2025, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
Size

127KB
MD5

6679f2c397c691726b1fcf5a3dadfbfd
SHA1

18b83af13938f7ceedaa467745a59a7cbb744e79
SHA256

0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c
SHA512

1b5c7b900764afa2632d82a628d0d2f176e517103a73dc9d98e96171dd99c070e024552d2bfc37fb6dff17a7f148f49cb82eb1b0d116dc8dab666283540a591c
SSDEEP

3072:TOjWuyt0ZHqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPD:TIH9OKofHfHTXQLzgvnzHPowYbvrjD/+

Score

7^/10

discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023b75-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
3172	ctfmen.exe
3936	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
4564	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
3936	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
File created	C:\Windows\SysWOW64\satornas.dll	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
File created	C:\Windows\SysWOW64\grcopy.dll	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
File created	C:\Windows\SysWOW64\smnss.exe	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
552	3936	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmen.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 3172	4564	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe	82
PID 4564 wrote to memory of 3172	4564	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe	82
PID 4564 wrote to memory of 3172	4564	0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe	82
PID 3172 wrote to memory of 3936	3172	ctfmen.exe	83
PID 3172 wrote to memory of 3936	3172	ctfmen.exe	83
PID 3172 wrote to memory of 3936	3172	ctfmen.exe	83

C:\Users\Admin\AppData\Local\Temp\0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe
"C:\Users\Admin\AppData\Local\Temp\0955247110961a5658df453dd4ae0673d6b08b3f137e87c5960bd5367ceea95c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1432
      4⤵
      Program crash
      PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3936 -ip 3936
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
f073d95314fd595c52ab77e54a420561

SHA1
4e5b4698980d7b721b0162424af9858cbcee0f25

SHA256
aed95aa87cd5e9e7c66c07085855da0d9db83fa617d5ebc314079bb254aeb6c4

SHA512
3ae389ead08efe3c5409f684e47cab93ae35a65b9b93120131450cdb4086f205a546a07eac7a0d0706314059cf7ea0b4a25960ac9f7de9a58c08e10543c535ec

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
127KB

MD5
1d46f758458aeb2b3360746094767f52

SHA1
d00be11f0dd9e9befcf515e70dd68b97e444f989

SHA256
270fa5ef113770d2bc99608a9b4578206f1cd2b837504dcd3c3ae93f91255ad9

SHA512
0273bfdb611d809ed11f8bf2e3f80e7d7981bd200ee47f0426315637cbdb18a2b39c61d64a847656ea234abd100d63b7697d5a60cb3a6aec36993d300dc9db3a

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
b80668cb14cbd57a4d2e19e915e9127b

SHA1
dd47eb90813032b3d87b36ea94fc355de9c1ba48

SHA256
ef48c5ac4859dabe0071bc5ce81741ef50af63f738e541218cc2c51143cc65dc

SHA512
b56dae13e14e482c208f8431aa9865b4c7375bcdae339b0c704c311547133aa89c0a530376e28d116b62e2d7f1a903d8af9c62b0d91a5d00ce7117149a08140a

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
cdeaff0be314782741667613c45956d0

SHA1
2c9f346428899a815bca76210c47a3c9b54813d1

SHA256
88b7f62a35300b1a8cb6c332e2f6df55bee3626ddcd36fcd3c8caa0888c8cb94

SHA512
f622a6f9da42b9a5211bbb9674675df5c4c1ef922084f42f73e209823c9f3b6ef1f3a023d8d895e66770b05ab472d410675bf54bc4bd862c3e924ada9471b00a

Download Submit
memory/3172-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3172-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3936-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3936-36-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3936-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3936-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4564-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4564-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4564-22-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4564-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads