737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
13/11/2023, 02:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.322f9a41f7883e8292b9187684826c40.exe
Size

141KB
MD5

322f9a41f7883e8292b9187684826c40
SHA1

a361f382992dd745159ab60e4b94ba5c3f86ca80
SHA256

737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48
SHA512

5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c
SSDEEP

3072:ELlglTEH6xklGwA/qkwsjvxzzjNjljIxjfjA8bnIIIId:aqAHCntRlg/5

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSgx.exe"	NEAS.322f9a41f7883e8292b9187684826c40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSgx.exe"	SMSSgx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSSgx.exe"	SMSSgx.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	SMSSgx.exe
2584	SMSSgx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSgx.exe"	NEAS.322f9a41f7883e8292b9187684826c40.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SMSSgx.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Classic.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ENGDIC.DAT	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ENGIDX.DAT	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Manuscript.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLN.DOC	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OSPP.HTM	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Fancy.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Formal.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OCRHC.DAT	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Distinctive.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Traditional.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Elegant.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Newsprint.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHKEY.DAT	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLTS.DAT	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Modern.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Thatch.dotx	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OCRVC.DAT	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OUTLFLTR.DAT	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\AccessWeb\CLNTWRAP.HTM	SMSSgx.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\LOOKUP.DAT	SMSSgx.exe

Drops file in Windows directory 62 IoCs

description	ioc	Process
File created	C:\Windows\mstorvil\NetObjects Fusion v7.5 Keygen.exe	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsViewFrame.html	SMSSgx.exe
File created	C:\Windows\mstorvil\McAfee VirusScan Home Edition 2004 Crack.exe	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\iMesh 4.2 Ad Remover Crack.exe	SMSSgx.exe
File created	C:\Windows\SMSSgx.exe	SMSSgx.exe
File created	C:\Windows\message.dat	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsVersion1Warning.htm	SMSSgx.exe
File created	C:\Windows\mstorvil\iMesh 4.2 Ad Remover Crack.exe	SMSSgx.exe
File opened for modification	C:\Windows\SMSSgx.exe	NEAS.322f9a41f7883e8292b9187684826c40.exe
File created	C:\Windows\mstorvil\FormsColorChart.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\Nero Burning ROM v6.0.0.19 Ultra Edition Crack.exe	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsViewFrame.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsColorChart.html	SMSSgx.exe
File created	C:\Windows\mstorvil\Norton Antispam 2004 Keygen.exe	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsFormTemplate.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsImageTemplate.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\Macromedia Contribute 2 Crack.exe	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\	SMSSgx.exe
File created	C:\Windows\mstorvil\CLNTWRAP.HTM	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsPreviewTemplate.html	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsMacroTemplate.html	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsImageTemplate.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsHomePage.html	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsPrintTemplateRTL.html	SMSSgx.exe
File created	C:\Windows\mstorvil\OSPP.HTM	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\McAfee VirusScan Home Edition 2004 Crack.exe	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\NetObjects Fusion v7.5 Keygen.exe	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsBlankPage.html	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsBrowserUpgrade.html	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsDoNotTrust.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsPreviewTemplate.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsPrintTemplate.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsMacroTemplate.html	SMSSgx.exe
File created	C:\Windows\message.htm	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsHomePage.html	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsPrintTemplate.html	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsVersion1Warning.htm	SMSSgx.exe
File created	C:\Windows\mstorvil\NetObjects Fusion v7.5 Crack.exe	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsViewTemplate.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\Halo FLT Crack.exe	SMSSgx.exe
File created	C:\Windows\mstorvil\Macromedia Contribute 2 Crack.exe	SMSSgx.exe
File created	C:\Windows\mstorvil\Nero Burning ROM v6.0.0.19 Ultra Edition Keygen.exe	SMSSgx.exe
File created	C:\Windows\SMSSgx.exe	SMSSgx.exe
File opened for modification	C:\Windows\svchost.exe	SMSSgx.exe
File created	C:\Windows\mstorvil\Borland C++ BuilderX 1.0 Enterprise Edition Crack.exe	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsFormTemplateRTL.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\Norton Antispam 2004 Keygen.exe	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsFormTemplate.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\NetObjects Fusion v7.5 Crack.exe	SMSSgx.exe
File created	C:\Windows\mstorvil\Halo FLT Crack.exe	SMSSgx.exe
File created	C:\Windows\SMSSgx.exe	NEAS.322f9a41f7883e8292b9187684826c40.exe
File opened for modification	C:\Windows\mstorvil\	NEAS.322f9a41f7883e8292b9187684826c40.exe
File opened for modification	C:\Windows\mstorvil\	SMSSgx.exe
File created	C:\Windows\mstorvil\Nero Burning ROM v6.0.0.19 Ultra Edition Crack.exe	SMSSgx.exe
File created	C:\Windows\svchost.exe	NEAS.322f9a41f7883e8292b9187684826c40.exe
File opened for modification	C:\Windows\mstorvil\Borland C++ BuilderX 1.0 Enterprise Edition Crack.exe	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsViewTemplate.html	SMSSgx.exe
File created	C:\Windows\mstorvil\FormsPreviewTemplateRTL.html	SMSSgx.exe
File opened for modification	C:\Windows\svchost.exe	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsBlankPage.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\FormsBrowserUpgrade.html	SMSSgx.exe
File opened for modification	C:\Windows\mstorvil\Nero Burning ROM v6.0.0.19 Ultra Edition Keygen.exe	SMSSgx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
456	2584	WerFault.exe	31

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common	SMSSgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UISnapshot = 31003000330033000000	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\XLChangeInstallLanguage = "No"	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordChangeInstallLanguage = "No"	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InfoPathChangeInstallLanguage = "No"	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SMSSgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UIFallback = 30003b0031003000330033000000	SMSSgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UILanguage = "1033"	SMSSgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InstallLanguage = "1033"	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SMSSgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SMSSgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office	SMSSgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PreviousInstallLanguage = "1033"	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\AccessChangeInstallLanguage = "No"	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\ProjectChangeInstallLanguage = "No"	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033 = "On"	SMSSgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared\OfficeUILanguage = "1033"	SMSSgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SMSSgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 010000000000000000a0f5fcd515da01	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted"	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources	SMSSgx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpFallback = 30003b0031003000330033000000	SMSSgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpLanguage = "1033"	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PPTChangeInstallLanguage = "No"	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No"	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	SMSSgx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SMSSgx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1"	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No"	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OutlookChangeInstallLanguage = "No"	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No"	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PublisherChangeInstallLanguage = "No"	SMSSgx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No"	SMSSgx.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2584	SMSSgx.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2964	2236	NEAS.322f9a41f7883e8292b9187684826c40.exe	29
PID 2236 wrote to memory of 2964	2236	NEAS.322f9a41f7883e8292b9187684826c40.exe	29
PID 2236 wrote to memory of 2964	2236	NEAS.322f9a41f7883e8292b9187684826c40.exe	29
PID 2236 wrote to memory of 2964	2236	NEAS.322f9a41f7883e8292b9187684826c40.exe	29
PID 2584 wrote to memory of 456	2584	SMSSgx.exe	34
PID 2584 wrote to memory of 456	2584	SMSSgx.exe	34
PID 2584 wrote to memory of 456	2584	SMSSgx.exe	34
PID 2584 wrote to memory of 456	2584	SMSSgx.exe	34

C:\Users\Admin\AppData\Local\Temp\NEAS.322f9a41f7883e8292b9187684826c40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.322f9a41f7883e8292b9187684826c40.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SMSSgx.exe
  "C:\Windows\SMSSgx.exe" -i
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2964

C:\Windows\SMSSgx.exe
C:\Windows\SMSSgx.exe -s
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 988
  2⤵
  - Program crash
  PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SMSSgx.exe

Filesize
141KB

MD5
322f9a41f7883e8292b9187684826c40

SHA1
a361f382992dd745159ab60e4b94ba5c3f86ca80

SHA256
737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

SHA512
5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c

Download Submit
C:\Windows\SMSSgx.exe

Filesize
141KB

MD5
322f9a41f7883e8292b9187684826c40

SHA1
a361f382992dd745159ab60e4b94ba5c3f86ca80

SHA256
737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

SHA512
5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c

Download Submit
C:\Windows\SMSSgx.exe

Filesize
141KB

MD5
322f9a41f7883e8292b9187684826c40

SHA1
a361f382992dd745159ab60e4b94ba5c3f86ca80

SHA256
737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

SHA512
5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c

Download Submit
C:\Windows\SMSSgx.exe

Filesize
141KB

MD5
322f9a41f7883e8292b9187684826c40

SHA1
a361f382992dd745159ab60e4b94ba5c3f86ca80

SHA256
737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

SHA512
5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c

Download Submit
C:\Windows\mstorvil\CLNTWRAP.HTM

Filesize
194KB

MD5
38b0b9e2e62b9a5955e839af0f29bd02

SHA1
54fa689027924df766d342709eb21787b700ae17

SHA256
2a61676325874384666d21121b7419f8e2b7b546e890be3dfe5d70509ee46928

SHA512
cdbc21f63683843f845f41fdb6bfc96b212938fb98af902c56da98edb7a93a74388e81e89703c6a372f9a4c47983f86988eb1c27298b01a0e762dc5554c1a243

Download Submit
C:\Windows\svchost.exe

Filesize
141KB

MD5
f23c704390444bbdd1650ac3a6a1a7f2

SHA1
e328a4556cd8b1a56c82d41a8a5be6ab8c130c63

SHA256
a0f9f7e1ede1a82bfeed2e253be6835ac5cbeb5a20f4415fbbba3392bc71e027

SHA512
01f9f2a20722561feed435489aab54d8f90d992db943119b5a58fa022c8d63d06059c24da7dd30c338d0bbaeb00985390efcd457e0ce5b944716a71338b67551

Download Submit
C:\Windows\svchost.exe

Filesize
141KB

MD5
322f9a41f7883e8292b9187684826c40

SHA1
a361f382992dd745159ab60e4b94ba5c3f86ca80

SHA256
737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

SHA512
5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c

Download Submit
C:\torvil.log

Filesize
3KB

MD5
00950c920b60cab26b8f11b68890ad22

SHA1
b37ce911cc75e4253ffb4968f946d783659e5ee0

SHA256
95e0dc70ac804ab3f31ef0b43ea2fe16d25d55248038223ae2d576c6537a33a5

SHA512
a5d015a692eeef03abfdf1b254a9d2a8728e6ab57182a4b49e7a3e21a94625038f0ff3fa8c5a188813b4c04e083e90540503d650c841103ee2021a4cde89188a

Download Submit
C:\torvil.log

Filesize
4KB

MD5
ba115aabd5ae45964d7fe859e2e29af4

SHA1
28da27954a83c627c5b84388175123f41996d684

SHA256
3d11cc064bd8282c9d19867256aabd3c619ac781512b881698796e963b2c060d

SHA512
3b45864dfec408308cae80dbdd1cd2d4a99008f18ebd28657f2fd0b63cb632ad089a4db9e6d339b05d7848d33491ec1040059a608fcc77b242ae04c74d2c5a6b

Download Submit
C:\torvil.log

Filesize
774B

MD5
5a6564755772a396db4e9e1dd91ac477

SHA1
91e2eec64b96ef3777015a82b792f92a507e5975

SHA256
6f8819c9a5ae1f2f04a31a911c42a4f088eb2665fb5e56546bcc871de4b4410e

SHA512
40f996afd0b5aecda8d639328a188fd2cf7f343f075e1dd8255ab63577303272c8efb8d2f3b50e1dec8262efab872ac83548bf0c1e63b43ef17ad0afb33af4cb

Download Submit
C:\torvil.log

Filesize
1KB

MD5
4232be4d3c1071891ecf69540b09ba84

SHA1
80079b37403bfc788e616985fb93a44dd848611e

SHA256
78e137f90d481b68b9e7703f6e69974cad4055490bf1949d33584b6a3f352d75

SHA512
1fe289928012d2e673866e96eb8f6e1946e18db6018e08014bbdeebdce99b795b38474e32c9429db6edf7e8e0d4ccfb6df7cd261c03ed758d6357aa0fac1d712

Download Submit