Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07-04-2024 22:57
Static task
static1
Behavioral task
behavioral1
Sample
855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe
Resource
win10v2004-20240226-en
General
-
Target
855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe
-
Size
75KB
-
MD5
82384dba305026b64af4209ef1bd439d
-
SHA1
81ff94b87a3a45788b89d41cd031867599606fd4
-
SHA256
855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb
-
SHA512
157a94699dcbf1644cd0dee7c64e6502c22660282d4f49c417157b0ed655c1df91206d9c513ff84aa4f7cae98d0a61ad930cd02a8b6503a80f4deafed8674659
-
SSDEEP
1536:lx1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3s:vOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPE
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 6 IoCs
Processes:
resource yara_rule C:\Windows\SysWOW64\shervans.dll UPX behavioral2/memory/2664-11-0x0000000010000000-0x000000001000D000-memory.dmp UPX C:\Windows\SysWOW64\ctfmen.exe UPX behavioral2/memory/2664-25-0x0000000010000000-0x000000001000D000-memory.dmp UPX behavioral2/memory/3448-22-0x0000000000400000-0x0000000000409000-memory.dmp UPX behavioral2/memory/1720-34-0x0000000010000000-0x000000001000D000-memory.dmp UPX -
Drops file in Drivers directory 1 IoCs
Processes:
smnss.exedescription ioc process File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\Windows\SysWOW64\shervans.dll acprotect -
Executes dropped EXE 2 IoCs
Processes:
ctfmen.exesmnss.exepid process 3448 ctfmen.exe 1720 smnss.exe -
Loads dropped DLL 2 IoCs
Processes:
855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exesmnss.exepid process 2664 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe 1720 smnss.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exesmnss.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
smnss.exe855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 smnss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 smnss.exe -
Drops file in System32 directory 64 IoCs
Processes:
smnss.exe855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exedescription ioc process File created C:\Windows\SysWOW64\zipfi.dll smnss.exe File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt smnss.exe File created C:\Windows\SysWOW64\smnss.exe 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\NdfEventView.xml smnss.exe File created C:\Windows\SysWOW64\satornas.dll 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml smnss.exe File created C:\Windows\SysWOW64\shervans.dll 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe File created C:\Windows\SysWOW64\grcopy.dll 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\ctfmen.exe 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\ipcfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML smnss.exe File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\potscfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\pppcfg.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml smnss.exe File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt smnss.exe File created C:\Windows\SysWOW64\ctfmen.exe 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\satornas.dll 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe File created C:\Windows\SysWOW64\zipfiaq.dll smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\shervans.dll 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe File opened for modification C:\Windows\SysWOW64\F12\Timeline.cpu.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml smnss.exe File opened for modification C:\Windows\SysWOW64\grcopy.dll 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\osinfo.xml smnss.exe File opened for modification C:\Windows\SysWOW64\tcpbidi.xml smnss.exe File created C:\Windows\SysWOW64\smnss.exe smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml smnss.exe File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml smnss.exe -
Drops file in Program Files directory 64 IoCs
Processes:
smnss.exedescription ioc process File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ka.txt smnss.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\hu.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\NOTICE.TXT smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\tt.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\tk.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinStickyNotes.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\pages\winrthost.htm smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.XML smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\_Resources\index.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\eu.txt smnss.exe -
Drops file in Windows directory 64 IoCs
Processes:
smnss.exedescription ioc process File opened for modification C:\Windows\diagnostics\index\PowerDiagnostic.xml smnss.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1254.TXT smnss.exe File opened for modification C:\Windows\PLA\Reports\es-ES\Report.System.Disk.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-textinput-template.html smnss.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ThirdPartyNotices.txt smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\pdferrormfnotfound.html smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoSetupInclusive.html smnss.exe File opened for modification C:\Windows\WaaS\tasks\17499b8d805e9480903b0df0326a3d231841049e.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftOffice2013BackupWin32.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-light-progress-template.html smnss.exe File opened for modification C:\Windows\IdentityCRL\production\wlidsvcconfig.xml smnss.exe File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.Diagnostics.xml smnss.exe File opened for modification C:\Windows\PLA\Rules\uk-UA\Rules.System.Wired.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_410.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..view-host-appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bc2fe801d2277712\appxmanifest.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\AppxManifest.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-chrome-contentview-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..sslockapp.appxsetup_31bf3856ad364e35_10.0.19041.1_none_b12dd952c6b2312b\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-button-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\tokens_enUS.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeoemregistration-main.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_de-de_1418e1a4e830cf09\Rules.System.NetDiagFramework.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..tscontrol.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bcf0807cccfa0873\r\AppxManifest.xml smnss.exe File opened for modification C:\Windows\PLA\Reports\it-IT\Report.System.Disk.xml smnss.exe File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.Configuration.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\proxyerror.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\WpcBlockFrame.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\views\unifiedEnrollmentFinished.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_dual_tsprint.inf_31bf3856ad364e35_10.0.19041.153_none_356ebfa943b1edf9\tsprint-PipelineConfig.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftInternetExplorer2013Backup.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeactivitysyncconsent-main.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..urepicker.appxsetup_31bf3856ad364e35_10.0.19041.1_none_683314e4dd640401\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-deliveryoptimization_31bf3856ad364e35_10.0.19041.207_none_a87fa27025b2eaac\r\2213703c9c64cc61ba900531652e23c84728d2a2.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ebd9ffd49454da2e\Report.System.NetDiagFramework.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..iser-inboxdatafiles_31bf3856ad364e35_10.0.19041.1202_none_e636843d96260ccd\Appraiser_TelemetryRunList.xml smnss.exe File opened for modification C:\Windows\PLA\Rules\en-US\Rules.System.Network.xml smnss.exe File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.Summary.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\pdferrorrepurchasecontent.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-footer-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\HvsiUserPolicies_ContainerRealtime.xml smnss.exe File opened for modification C:\Windows\diagnostics\index\PrinterDiagnostic.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\tlserror.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\pdferrorunknownerror.html smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\DisableAboutFlag.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..esolverux.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_30675b33c3afc2a2\r\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\close-chrome-breadcrumb-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5f8c8a80ca07e2d5\Report.System.Wired.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\hololensWorkAccount.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobehello-main.html smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\forbidframingedge.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\appxmanifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..ep-chxapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_7d8eee60f8081103\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..gshellapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_b4c98345579ad387\r\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_en-US.xml smnss.exe File opened for modification C:\Windows\diagnostics\index\AppsDiagnostic.xml smnss.exe File opened for modification C:\Windows\diagnostics\index\SearchDiagnostic.xml smnss.exe File opened for modification C:\Windows\PLA\Rules\it-IT\Rules.System.Network.xml smnss.exe File opened for modification C:\Windows\servicing\Editions\EditionMatrix.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_403.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoShutdownsInclusive.html smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobenetworklossaversionv2-main.html smnss.exe File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\AuditPol_ContainerRealtime.xml smnss.exe File opened for modification C:\Windows\diagnostics\index\DeviceDiagnostic.xml smnss.exe -
Modifies registry class 6 IoCs
Processes:
855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exesmnss.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
smnss.exedescription pid process Token: SeDebugPrivilege 1720 smnss.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exectfmen.exedescription pid process target process PID 2664 wrote to memory of 3448 2664 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe ctfmen.exe PID 2664 wrote to memory of 3448 2664 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe ctfmen.exe PID 2664 wrote to memory of 3448 2664 855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe ctfmen.exe PID 3448 wrote to memory of 1720 3448 ctfmen.exe smnss.exe PID 3448 wrote to memory of 1720 3448 ctfmen.exe smnss.exe PID 3448 wrote to memory of 1720 3448 ctfmen.exe smnss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe"C:\Users\Admin\AppData\Local\Temp\855f362a587183016e67bbc04e9994ed3fd1ce2221b409a3bd4c4e8ec2e3debb.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=3084,i,11997299123381683778,5904351605020331957,262144 --variations-seed-version /prefetch:81⤵PID:3692
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD50af9f9c6293b9714c101db35f45ad191
SHA1bf40d0538003825f62cd7fec3a1f858295492c38
SHA25697cba2f1b17f488f869feacfdf2977bc8515fa2ad9e7660e117b14a2a0354806
SHA512a45e8f749d78e092e4fd7fc341a9277abb01d4255355943b36a61d139f539b2c6abaa4566f7049cdb0bee3ae17e43cf468b85049ecb459705ca6d92ce39db7f7
-
Filesize
75KB
MD523a148713e3ba1e0b5eb7b43d514677d
SHA145e37de9c5f978a6832858129c42b51536910fb4
SHA256a9e1eeaaede86c3a707d90fa12743c7d0dab093409caf27f0c17efb8db6e028c
SHA5124263f86f0ac2db2db58c98b65bcbf79217c383f6c64cf35ba7fe2235b7900ed3851dfe54df4a5eaa0a61109dca37e49d9d46b15c11a72bbd73d5a883553b9eef
-
Filesize
183B
MD5ddffca50ea4268f116e0286a20330a6f
SHA1e4de30f39cc54ec42bec9d662d27740ade2b6d98
SHA25694cc938cfe0736564d65307f3478c2e91fe22113550460dcdb6045ceceff7d5e
SHA512d958e88b3ba503aabee217720e14a06aca1b132013353ba01d79b33c5953d86bc3bd751e205555fb89ca6d10454dd03e4e186939b5de9846e290bb0f26adef70
-
Filesize
8KB
MD5c3b9b2d7196fd340d38f3a91d5f4022f
SHA11200040b97c75e67780fdf706d8a37805de164a0
SHA2569940327aff3f75a654174a985e8049168cdd5c00433aad43ef07a877572d8e61
SHA51241ee9dff94a022dba78e6f05319751faed26da27af34bea28cad3959b59756d9c09255032361e86327dd4d189124b2e7910e2b7d70559de5201452a74a5e7767