Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
26/01/2024, 18:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe
Resource
win7-20231129-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe
-
Size
118KB
-
MD5
c6c66835d21c0def69d12bd90c649d91
-
SHA1
68d5104e0290c8ca499f42e0c87e841da5585e40
-
SHA256
96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224
-
SHA512
f7a8c97c7f5249b6a4b0319ce3abbb8bb549f3834dc30bd8351d92749fffd3823e3ab9970657dbaba573bb53c1a6976f38316add53673812c46c724d2e9b0d1b
-
SSDEEP
3072:8OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:8Is9OKofHfHTXQLzgvnzHPowYbvrjD/m
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x000b0000000141a2-10.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 2668 ctfmen.exe 2324 smnss.exe -
Loads dropped DLL 6 IoCs
pid Process 2392 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe 2392 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe 2392 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe 2668 ctfmen.exe 2668 ctfmen.exe 2324 smnss.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe -
Enumerates connected drives 3 TTPs 19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: smnss.exe File opened (read-only) \??\H: smnss.exe File opened (read-only) \??\Q: smnss.exe File opened (read-only) \??\R: smnss.exe File opened (read-only) \??\J: smnss.exe File opened (read-only) \??\L: smnss.exe File opened (read-only) \??\N: smnss.exe File opened (read-only) \??\P: smnss.exe File opened (read-only) \??\V: smnss.exe File opened (read-only) \??\G: smnss.exe File opened (read-only) \??\I: smnss.exe File opened (read-only) \??\M: smnss.exe File opened (read-only) \??\O: smnss.exe File opened (read-only) \??\S: smnss.exe File opened (read-only) \??\U: smnss.exe File opened (read-only) \??\W: smnss.exe File opened (read-only) \??\K: smnss.exe File opened (read-only) \??\T: smnss.exe File opened (read-only) \??\X: smnss.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 smnss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_hash_tables.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_parameters.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Reserved_Words.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Windows_PowerShell_2.0.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.PowerShell.Security.dll-Help.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO5H83L.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Quoting_Rules.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_transactions.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_While.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Line_Editing.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf4100t.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_troubleshooting.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_WS-Management_Cmdlets.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\Microsoft.PowerShell.ConsoleHost.dll-Help.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_output.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_2.0.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSnapins.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_format.ps1xml.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky304.inf_amd64_ja-jp_1b1a158086a263a4\Amd64\KYW7QUR4.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Variables.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Core_Commands.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\kop5650X.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_If.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Core_Commands.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_requirements.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500gt.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Line_Editing.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Parsing.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_do.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Language_Keywords.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_scripts.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\Microsoft.PowerShell.ConsoleHost.dll-Help.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj5700t.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_properties.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Parsing.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_requires.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\de-DE\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3300T.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_data_sections.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_preference_variables.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\kyw7qur8.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_CommonParameters.help.txt smnss.exe File created C:\Windows\SysWOW64\smnss.exe 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7300t.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_requires.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_data_sections.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_transactions.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc8100t.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_methods.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_environment_variables.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_prompts.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\kop4650X.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_History.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Core_Commands.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6000nt.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_operators.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_types.ps1xml.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_try_catch_finally.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_scripts.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Switch.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_cmdletbindingattribute.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_objects.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_FAQ.help.txt smnss.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL089.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml smnss.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CA.XML smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL106.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.XML smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL104.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL093.XML smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.UK.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL058.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML smnss.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-11.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPC3052F.XML smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_trap.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Reserved_Words.help.txt smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d4f8a2f961a0e7e4\settings.html smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Quoting_Rules.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-winre-recoveryagent_31bf3856ad364e35_6.1.7601.17514_none_18f2a35386830449\ReAgent.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_functions_advanced_methods.help.txt smnss.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1055\LocalizedData.xml smnss.exe File opened for modification C:\Windows\PLA\Reports\Report.System.Network.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_de-de_90c392ae5a3a7d2d\calendar.html smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0accb12490597570\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Switch.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_profiles.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_functions_cmdletbindingattribute.help.txt smnss.exe File opened for modification C:\Windows\PLA\Rules\Rules.System.Network.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_it-it_363407ad8b3bebcb\cpu.html smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd7100t.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnkm003.inf_31bf3856ad364e35_6.1.7600.16385_none_50766fcc42797a9b\Amd64\koc451X.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_providers.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b4334efea73fef8e\Rules.System.Memory.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_functions_advanced.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_transactions.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipsrus.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnts002.inf_31bf3856ad364e35_6.1.7600.16385_none_19d5b3fbc067e0bb\Amd64\tsmpu002.xml smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Peacock.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-1.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-14.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_wildcards.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_functions_advanced.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_trap.help.txt smnss.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\NetFx40_IIS_schema_update.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipssrl.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_73e472e09a1a05d1\avtransport.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\System.Management.Automation.dll-Help.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_remote_troubleshooting.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Continue.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_functions_advanced.help.txt smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ae1bce6b81c0916\RSSFeeds.html smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c99bfc6ddd1bf1d2\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-8.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-8.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\base.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Parsing.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a9549b67c137efeb\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-4.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e6af38e8f918bc99\Rules.System.NetTrace.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_WS-Management_Cmdlets.help.txt smnss.exe File opened for modification C:\Windows\PLA\Rules\es-ES\Rules.System.CPU.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_do.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0da37ad525a77709\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hphp915t.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Variables.help.txt smnss.exe File opened for modification C:\Windows\ehome\ja-JP\playReady_eula_oem.txt smnss.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1029\LocalizedData.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_62d8f8a551894c9f\Rules.System.NetDiagFramework.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_05906ea4445b6301\Rules.System.NetDiagFramework.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\IIS_schema.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_trap.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Line_Editing.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_jobs.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_If.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnep002.inf_31bf3856ad364e35_6.1.7600.16385_none_9379fee912f1f625\Amd64\EP0SBT00.XML smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_command_precedence.help.txt smnss.exe -
Modifies registry class 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2324 smnss.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2392 wrote to memory of 2668 2392 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe 28 PID 2392 wrote to memory of 2668 2392 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe 28 PID 2392 wrote to memory of 2668 2392 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe 28 PID 2392 wrote to memory of 2668 2392 96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe 28 PID 2668 wrote to memory of 2324 2668 ctfmen.exe 29 PID 2668 wrote to memory of 2324 2668 ctfmen.exe 29 PID 2668 wrote to memory of 2324 2668 ctfmen.exe 29 PID 2668 wrote to memory of 2324 2668 ctfmen.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe"C:\Users\Admin\AppData\Local\Temp\96a05ce86593cb66fdbd5c050ebd4172c956e9fce957b451cd7d695b591b5224.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
118KB
MD5441d66a6b150b32fd1b8bc5fe61681b5
SHA15adbe13b596a6aa4fc31f3220a1479da8b013888
SHA256778e08da15758b885947aa16a01e81a025951a75e466231969d1ba219165f0ac
SHA512e892f86da52d3318990161c86456b4334d1e6af88eb7cd505b0728bb4d99913f14ded45d361aee43ef6076abdba2a3a2962b436e9511f898d39f1a99edc5aceb
-
Filesize
183B
MD54e3543d92d240db829eacf8b021a05d6
SHA1cd32d2e2e558244fe37b7908fc1ac982f9831780
SHA256cbc0674320f32af2c2c1eafa049222bbe866ed54efe44f438c7b9e08428792da
SHA5129a6bf0d6d8a6733df5811b35f09276cdcbafab03f047080833b49fce6dc695d5b009d0b7eba4329c7413c54a897d1457d0842cb3eeb966a5a07cb399d1005327
-
Filesize
4KB
MD573ed8988851ba6fecb4fca45f2ca01d9
SHA14e726d772644042d4b2ad0ef2acba46a21dd4263
SHA2565f3cc880427c7b4197f2700776c45a55586d33ba73de7b20fe980663ef73395c
SHA512735e976ad9f955a54eeb2c0c55c2487f058448d1b59ad5d02f72d4b8e6f495dd01b3a872d05cdfc64dd983aececce251dcbf3d6d51208b5a06c2629c55b48b45
-
Filesize
8KB
MD56da5feae3edb2886661092307aa83248
SHA1db20af45ade17b224e7a90cfc43af5128bb5652a
SHA2565d348995b619d692d7992028685c0fefd125466494f22ac7d1a6f575f0238c55
SHA512bbf2c3e87d4f07d4ab36f6b66a7ea9934a9024651d978306a87473f05521948dec9e934f2d07dd0614a1baf41900182292f0a5a17576a821e7c0a27ce2dc7984