67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35

Analysis

max time kernel
166s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35.exe
Size

139KB
MD5

d1953176c75554cde4565d5a41650c61
SHA1

982a321d3f4ab6c8ca657719bcd265e6761e1cd3
SHA256

67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35
SHA512

85922ba0f4001f3cebd9f35ee2ad0548c5f5fd0ee2a6d0b07a8420c6adbeed71b5745faf5127232a17c936fea7863046b633477272d74bf8a2e3ec28137248f2
SSDEEP

3072:4KYHzAuzeCeW51ThnftcwaSOfepQo8whnOKexYy6zgF2:hC0CeWTZeMOO8w1OazgF2

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

smncs.exe

pid process

4928 smncs.exe

pid	process
4928	smncs.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35.exesmncs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	smncs.exe

Drops file in Windows directory 2 IoCs

Processes:

67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35.exe

description	ioc	process
File created	C:\Windows\smncs.exe	67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35.exe
File opened for modification	C:\Windows\smncs.exe	67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

smncs.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	smncs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	smncs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	smncs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	smncs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	smncs.exe

C:\Users\Admin\AppData\Local\Temp\67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35.exe
"C:\Users\Admin\AppData\Local\Temp\67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35.exe"
1⤵
- Looks for VMWare Tools registry key
- Drops file in Windows directory
PID:3140

C:\Windows\smncs.exe
"C:\Windows\smncs.exe"
1⤵
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Modifies data under HKEY_USERS
PID:4928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\smncs.exe

Filesize
139KB

MD5
d1953176c75554cde4565d5a41650c61

SHA1
982a321d3f4ab6c8ca657719bcd265e6761e1cd3

SHA256
67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35

SHA512
85922ba0f4001f3cebd9f35ee2ad0548c5f5fd0ee2a6d0b07a8420c6adbeed71b5745faf5127232a17c936fea7863046b633477272d74bf8a2e3ec28137248f2

Download Submit
C:\Windows\smncs.exe

Filesize
139KB

MD5
d1953176c75554cde4565d5a41650c61

SHA1
982a321d3f4ab6c8ca657719bcd265e6761e1cd3

SHA256
67f022d2e02a41e685aef6d1ab4abfcb91286fb157c47de85f9dc973d9cf5c35

SHA512
85922ba0f4001f3cebd9f35ee2ad0548c5f5fd0ee2a6d0b07a8420c6adbeed71b5745faf5127232a17c936fea7863046b633477272d74bf8a2e3ec28137248f2

Download Submit
memory/3140-132-0x0000000000400000-0x000000000047F001-memory.dmp

Filesize
508KB

Download
memory/3140-135-0x0000000000400000-0x000000000047F001-memory.dmp

Filesize
508KB

Download
memory/4928-136-0x0000000000400000-0x000000000047F001-memory.dmp

Filesize
508KB

Download