334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Size

119KB
MD5

61d1ce1394a03e9888be992eb836f1c8
SHA1

e8a0a43358742522d6ee2e86983c99fc8ff60cc2
SHA256

334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6
SHA512

05cf347c79f56fb9a45e37c01a1c2c7efb644b171412f57b0b86ce14ef8f92cbb26e3327f921d7300483f749dadc398acfa05daba1dc3d78fb31bda6102ac411
SSDEEP

3072:TOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:TIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

UPX dump on OEP (original entry point) 12 IoCs

resource	yara_rule
behavioral2/memory/1976-0-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/files/0x000900000002340e-10.dat	UPX
behavioral2/files/0x0007000000023412-15.dat	UPX
behavioral2/memory/1976-18-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/files/0x000300000001e9b1-19.dat	UPX
behavioral2/memory/1976-22-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/memory/1976-23-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/4024-26-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/4112-28-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/4112-35-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/memory/4112-37-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/memory/4112-39-0x0000000000400000-0x0000000000420000-memory.dmp	UPX

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000900000002340e-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4024	ctfmen.exe
4112	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
4112	smnss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	smnss.exe
File opened (read-only)	\??\H:	smnss.exe
File opened (read-only)	\??\J:	smnss.exe
File opened (read-only)	\??\N:	smnss.exe
File opened (read-only)	\??\O:	smnss.exe
File opened (read-only)	\??\R:	smnss.exe
File opened (read-only)	\??\W:	smnss.exe
File opened (read-only)	\??\L:	smnss.exe
File opened (read-only)	\??\Q:	smnss.exe
File opened (read-only)	\??\S:	smnss.exe
File opened (read-only)	\??\V:	smnss.exe
File opened (read-only)	\??\G:	smnss.exe
File opened (read-only)	\??\I:	smnss.exe
File opened (read-only)	\??\K:	smnss.exe
File opened (read-only)	\??\U:	smnss.exe
File opened (read-only)	\??\X:	smnss.exe
File opened (read-only)	\??\M:	smnss.exe
File opened (read-only)	\??\P:	smnss.exe
File opened (read-only)	\??\T:	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\ipcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\tcpbidi.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
File created	C:\Windows\SysWOW64\grcopy.dll	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\ReAgent.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\cmnicfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wbem\xsl-mappings.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wsmanconfig_schema.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	smnss.exe
File created	C:\Windows\SysWOW64\satornas.dll	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsCodecsRaw.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\AppxProvisioning.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\potscfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
File created	C:\Windows\SysWOW64\smnss.exe	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\osinfo.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\NdfEventView.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\F12\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\pppcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sw-KE\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunchdlg.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\BuildInfo.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\excluded.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinFormsMathQuiz.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTile.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML	smnss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\ea-sym.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx4-assemblylist_extended_xml_b03f5f7f11d50a3a_4.0.15805.0_none_190f33680a2debb9\AssemblyList_4_extended.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_gen.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\pdferror.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\sslnavcancel.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..p.desktop.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_278c03d4cb0b9781\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\r\oobelocalaccount-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-lockapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_73bddbc9c1fb11b2\r\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..t-browser.appxsetup_31bf3856ad364e35_10.0.19041.1_none_d44e7a35319acbe3\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\hstscerterror.htm	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\fr-FR\Rules.System.Memory.xml	smnss.exe
File opened for modification	C:\Windows\servicing\Sessions\31100111_4058345115.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\PhishSiteEdge.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\servbusy.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-onecoreuap-wlansvc_31bf3856ad364e35_10.0.19041.1266_none_b7a58d8ba78355f3\Rules.System.Wireless.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingDeletes\b4c1984536e5d701139b00001815341f.WebDAV_schema.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftOffice2013Win64.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\retailDemoShutdownsInclusive.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.1_none_e2e6c013142b9760\tokens_frFR.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..iguration.searchapp_31bf3856ad364e35_10.0.19041.1_none_6a5e909ee80bfce7\BingConfiguration_ja-JP.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_e95531bdadf3df5c\avtransport.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..-coreinkrecognition_31bf3856ad364e35_10.0.19041.746_none_cb918c7159c1f7d9\ThirdPartyNotices.MSHWLatin.txt	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\forbidframingedge.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..urepicker.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_2719bdeef32ae98e\r\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\404-8.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..trolpanel.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_d23715c9ea6f2f2c\f\appxmanifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\pdferrorrepurchasecontent.html	smnss.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\TURKISH.TXT	smnss.exe
File opened for modification	C:\Windows\servicing\Editions\UpgradeMatrix.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\pdferror.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\forbidframingedge.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..sh-helper-extension_31bf3856ad364e35_10.0.19041.746_none_976088a560b9aba7\Report.System.NetTrace.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\20.txt	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-bits-client-core_31bf3856ad364e35_10.0.19041.153_none_04304b75e9b1037f\r\315818c03ccc2b10070df2d4ebd09eb6c4c66e58.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\retailDemoSecurityInclusive.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\appcmd.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipsen.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\LearnMore.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\pdferrormfnotfound.html	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\es-ES\Rules.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_prnms012.inf_31bf3856ad364e35_10.0.19041.1_none_a3feabb281faa7e4\Amd64\MSIPP.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobedevicepairing-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\500-14.htm	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\WindowsMediaPlayerMediaLibrary.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\defaultbrowser.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\PhishSite_Iframe.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-vmchipset_31bf3856ad364e35_10.0.19041.1266_none_4a03a5b741d9b00e\VmChipset Third-Party Notices.txt	smnss.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-winre-recoveryagent_31bf3856ad364e35_10.0.19041.84_none_bcc4656ed261a5b5\ReAgent.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\20.txt	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-frame-template.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\backstack-chrome-breadcrumb-template.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..olsclient.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_fe9996dc5d311970\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\http_404.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\413-1.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\main.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_multimedia-generalmididata_31bf3856ad364e35_10.0.19041.1_none_3eae594ef5c099df\gmreadme.txt	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsen.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingDeletes\866c3bd636e5d701256b01001815341f.OEMDefaultAssociations.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\pdferrormfnotfound.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\403-16.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\sslnavcancel.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\http_500.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\501.htm	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 4024	1976	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe	89
PID 1976 wrote to memory of 4024	1976	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe	89
PID 1976 wrote to memory of 4024	1976	334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe	89
PID 4024 wrote to memory of 4112	4024	ctfmen.exe	90
PID 4024 wrote to memory of 4112	4024	ctfmen.exe	90
PID 4024 wrote to memory of 4112	4024	ctfmen.exe	90

C:\Users\Admin\AppData\Local\Temp\334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe
"C:\Users\Admin\AppData\Local\Temp\334250dc8b9eb735a57895dd33e8ed26aff426a39f880062be71cea475dc11c6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
f8bc38374725025097c52078fa1b2bdb

SHA1
284a849e0a0f5cf05d86a5f2e0169a00eeb102b3

SHA256
aa92fe52104ace722d5d5d3653e1c968f268661fdfa977e18705c88ae0bbeb13

SHA512
d733f74053f6913343331a9b90eb82be4b229e4e4e4fb24626c9ef191f9182468dc023e0e3906f729bc3d8bfad628bf0319d41da8c4c8798bc079e3efa096cfc

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
119KB

MD5
7e495108bcd99d8181bff51bb9fc1f1d

SHA1
60a90f1d30631dcc93efe9e0240b66c59aa515ec

SHA256
9fc2afeae1d6ad01d6321fb0a1299d99b07e77b463801eeef2f439729d979ee1

SHA512
11548d381e3129aac701fe4f17c64cbb0bf78a52dcb191e16b47e38f5c97534c6011caadbb19d3b652123799620bba12d26768c6a72d581b0b771a3d14e05207

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
1a54aafc945f2938e98b040a381eb52e

SHA1
1a9e6d5c407bf5f0cd953dcdbfe7c78a73dd57c8

SHA256
c6ddfbc72055a62478b3c03e3374e133740d7751a7e52e5fe5e95e39afd03046

SHA512
a107889fe1c0af9f2b6111602a66c5896d80ae36ed0926ce123bb3defbb21e263c3b8a1794cb824a777ded998cbe776cbfd41fd383af0a875f552ed8ba821ba3

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
f0c97a0431783c2ed581a79cbb08b357

SHA1
b1914f3e5d88d58f71c7e7af33b81d0818e3da7f

SHA256
edee02350fc443df426516b059d28eaf1b4649a85a581aba457ae3a83429d17e

SHA512
57b674cb58a00595d970379d61a4bbecaf95b78b0c6be613e93be991fce0b96eb145ce69c0aa92ab5dcd70469f18e5d5a5c68f959839c0980d4385f4879ed971

Download Submit
memory/1976-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-22-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1976-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4024-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4112-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4112-35-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4112-37-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4112-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads