51b446d748bcfc639b05dd75789880bb28eda7c8be4f5b40bb3138e118d2988e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2024, 23:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Size

224KB
MD5

2ebf753c0a60d8bc21de31b1a6ea0c10
SHA1

5baadb15c4a31d714df6e1c4fae9cbaa44f87ce2
SHA256

51b446d748bcfc639b05dd75789880bb28eda7c8be4f5b40bb3138e118d2988e
SHA512

04f4d211db451fa910af964eae463073ef36f90147d9657d8c506604b9b806a1ab959d8f52ab824e1ba52303045bdd609d03776814dbf43152ec3eda10d1d94a
SSDEEP

6144:wIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCtZy:pKofHfHTXQLzgvnzHPowYbvrjD/L7QPo

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023bb9-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4620	ctfmen.exe
1536	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
232	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
1536	smnss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	smnss.exe
File opened (read-only)	\??\H:	smnss.exe
File opened (read-only)	\??\O:	smnss.exe
File opened (read-only)	\??\P:	smnss.exe
File opened (read-only)	\??\Q:	smnss.exe
File opened (read-only)	\??\E:	smnss.exe
File opened (read-only)	\??\J:	smnss.exe
File opened (read-only)	\??\M:	smnss.exe
File opened (read-only)	\??\U:	smnss.exe
File opened (read-only)	\??\I:	smnss.exe
File opened (read-only)	\??\N:	smnss.exe
File opened (read-only)	\??\R:	smnss.exe
File opened (read-only)	\??\S:	smnss.exe
File opened (read-only)	\??\W:	smnss.exe
File opened (read-only)	\??\X:	smnss.exe
File opened (read-only)	\??\K:	smnss.exe
File opened (read-only)	\??\T:	smnss.exe
File opened (read-only)	\??\V:	smnss.exe
File opened (read-only)	\??\L:	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\ipcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsCodecsRaw.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\tokens_TTS_ja-JP.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\osinfo.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\NdfEventView.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\ReAgent.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\Tokens_SR_it-IT-N.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\Tokens_SR_ja-JP-N.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	smnss.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\potscfg.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml	smnss.exe
File created	C:\Windows\SysWOW64\satornas.dll	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\pppcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\Tokens_SR_es-ES-N.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES_helena.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\Tokens_SR_fr-FR-N.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
File created	C:\Windows\SysWOW64\grcopy.dll	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\tokens_TTS-it-IT.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\tcpbidi.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR.xml	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\AppxProvisioning.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\cmnicfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wbem\xsl-mappings.xml	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wsmanconfig_schema.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ProjectedApi.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\BuildInfo.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\Welcome.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\WebviewOffline.html	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\license.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	smnss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.configci.commands_31bf3856ad364e35_10.0.19041.1081_none_21d54f6a980a590b\DefaultWindows_Audit.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\DisableAboutFlag.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\navcancl.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\500-19.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\403-12.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-4.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-11.htm	smnss.exe
File opened for modification	C:\Windows\servicing\Sessions\31101483_1512373272.back.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc_31bf3856ad364e35_10.0.19041.1_none_215d1c4c12e1d275\Rules.System.NetDiagFramework.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\ja-jp.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.19041.1165_none_a82485b8f343811f\ceb497ee0184aaa4681d2fb2ef242a5b8551eea8.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\scoobeoutro-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc_31bf3856ad364e35_10.0.19041.1081_none_e049f4a228a31cca\Report.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\http_gen.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\pdferrorrepurchasecontent.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\0809\tokens_enGB.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_es-es_6b77f4dc3a1a5900\Report.System.CPU.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftOffice2013Win64.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_10.0.19041.1_de-de_7c4d9c753a9353b6\resource.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\osinfo.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\needie.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\scoobeoutro-main.html	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\NetworkDiagnostics_1_Web.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\startfresh.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\views\unifiedEnrollmentProgress.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-3.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.processmitigations.commands_31bf3856ad364e35_10.0.19041.1_none_029d77ef50910bdd\Microsoft.ProcessMitigations.Commands.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\cortana.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\500-15.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\403-13.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\401-2.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\RenderingControl.xml	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\WindowsMediaPlayerMediaLibrary.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_prnms004.inf_31bf3856ad364e35_10.0.19041.1_none_f59945c05aa85d79\Amd64\unisharev4-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-bluetoothdiagnostic_31bf3856ad364e35_10.0.19041.746_none_77afd174abe4f214\BluetoothDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\tokens_enGB.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\http_500.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_en-us_6bac97f839f3675b\Report.System.Diagnostics.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeupdatesettings-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-csp_31bf3856ad364e35_10.0.19041.1202_none_e04a7941c90aaf6f\NGCProDDF_v1.2_final.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\AuditPol_ContainerRealtime.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.Summary.xml	smnss.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\412.htm	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..nrollment.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_3bef52e9f4b5e3b0\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\403-16.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipsptg.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..ep-chxapp.appxsetup_31bf3856ad364e35_10.0.19041.1_none_bea84556e2412b76\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\pdferrorunknownerror.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_d34f4fd846c530a1\r\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Diagnostics.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-15.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..uickstart.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_c81408a27d1805ca\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SYMBOL.TXT	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\401-5.htm	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RedistList\FrameworkList.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-7.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..iguration.searchapp_31bf3856ad364e35_10.0.19041.1_none_6a5e909ee80bfce7\BingConfiguration_en-US.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\repost.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_87b019d7cebd66d4\rscaext.xml	smnss.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CYRILLIC.TXT	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\es-ES\Rules.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\WpcBlockFrame.htm	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4620	232	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe	92
PID 232 wrote to memory of 4620	232	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe	92
PID 232 wrote to memory of 4620	232	2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe	92
PID 4620 wrote to memory of 1536	4620	ctfmen.exe	93
PID 4620 wrote to memory of 1536	4620	ctfmen.exe	93
PID 4620 wrote to memory of 1536	4620	ctfmen.exe	93

C:\Users\Admin\AppData\Local\Temp\2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
ee6884de22cd29604c5c7c1f1a005660

SHA1
b436659d0e209ccf897092165577745ac105c4a2

SHA256
3168fe81e14b3daaf3cfb52a531d6ed2841aa4c4059b949b95be1425bcbc1bd0

SHA512
b669212e047106b3990efba530a34b3e0b440710c4457bfe87e265ad1ec8a3367774a83c09d27989a3d408118808caa25ac7e07d830b89e197228103c3a60321

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
224KB

MD5
f7b12e8474ea8ea1ae046b028ceff9fa

SHA1
90960a473d2170288808e00925554ec2c84eb78b

SHA256
4b92acafcf9f096abf7d814ebf502c2b15a01f05b3b69e5879e710a05cceba25

SHA512
87b487bc1f41c35dba273e9023fdcc4877f42d108dd1142e41b05f862b32b40a81b18d0c390d7df79ed247deb532242739b776aca9388331592decbfce1b498b

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
a5d76b6d24077eb2ef4a53fde8e2fbb0

SHA1
3568699417774ce6c88abc0f0305e6e413b6e281

SHA256
a1f4cb2b473e1504f9da1944dd0f348e31aeb5ffe1ec14a13299c8241a4465f7

SHA512
16a9c55dc024153a3ac786c76c7e7cc8feaa6d3a4400fbb6ab6c86edcb58af18431c30558dbdb76083fc825ff019a78d278fb2ba37a3ddfb4170ca003f4dc9d1

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
4df20e13b999050b1942bd39aee09f48

SHA1
7ab99b11520f4b095498b4a9bd584c2aca72696f

SHA256
29c3ad0d7457dac63e21293829dd4bfd90351a58b6a38d1a8bab7ef95ae316d5

SHA512
3d2a77ae612b9900f699d2ae6b4967e338db14300855c2b9f847c8d1d875c7714f5f883e9d9a5c0a0ee56eecdfc6f1cbf74b61cb8c086ee0fd7ca5e81a175166

Download Submit
memory/232-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/232-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/232-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/232-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1536-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1536-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1536-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4620-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4620-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads