6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36

General

Target

6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
Size

118KB
MD5

03dbbcfe6e37ed37ddd6842032238980
SHA1

09a9780d93144bf5ad207e3fd31415b9a46feea7
SHA256

6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36
SHA512

086e7ca4a69fee572c178c340d38c3b42119389fc44a0ec807ddf1209c769ad5e7b393b584ba3b2ec43cf2c26905fa382fcc222a3455b26604fe0111dacd4d43
SSDEEP

3072:nOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPb:nIs9OKofHfHTXQLzgvnzHPowYbvrjD/m

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

smnss.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\shervans.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

ctfmen.exesmnss.exe

pid process

628 ctfmen.exe
1528 smnss.exe
Loads dropped DLL 2 IoCs

Processes:

6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exesmnss.exe

pid process

1956 6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
1528 smnss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
628	ctfmen.exe
1528	smnss.exe

pid	process
1956	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
1528	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exesmnss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smnss.exe

description	ioc	process
File opened (read-only)	\??\W:	smnss.exe
File opened (read-only)	\??\I:	smnss.exe
File opened (read-only)	\??\L:	smnss.exe
File opened (read-only)	\??\P:	smnss.exe
File opened (read-only)	\??\R:	smnss.exe
File opened (read-only)	\??\S:	smnss.exe
File opened (read-only)	\??\V:	smnss.exe
File opened (read-only)	\??\X:	smnss.exe
File opened (read-only)	\??\E:	smnss.exe
File opened (read-only)	\??\K:	smnss.exe
File opened (read-only)	\??\N:	smnss.exe
File opened (read-only)	\??\O:	smnss.exe
File opened (read-only)	\??\T:	smnss.exe
File opened (read-only)	\??\U:	smnss.exe
File opened (read-only)	\??\G:	smnss.exe
File opened (read-only)	\??\H:	smnss.exe
File opened (read-only)	\??\M:	smnss.exe
File opened (read-only)	\??\J:	smnss.exe
File opened (read-only)	\??\Q:	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smnss.exe6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe

Drops file in System32 directory 64 IoCs

Processes:

6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exesmnss.exe

description	ioc	process
File created	C:\Windows\SysWOW64\smnss.exe	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wbem\xsl-mappings.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\tcpbidi.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\pppcfg.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\cmnicfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\potscfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\ipcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml	smnss.exe
File created	C:\Windows\SysWOW64\satornas.dll	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsCodecsRaw.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\ReAgent.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wsmanconfig_schema.xml	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
File created	C:\Windows\SysWOW64\grcopy.dll	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\AppxProvisioning.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\F12\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\osinfo.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml	smnss.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc	smnss.exe
File opened for modification	C:\Windows\SysWOW64\NdfEventView.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Drops file in Program Files directory 64 IoCs

Processes:

smnss.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\index.html	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bg-BG\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lo-LA\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketchAppService\ReadMe.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\README.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML	smnss.exe

Drops file in Windows directory 64 IoCs

Processes:

smnss.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\tokens_enGB.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\404-7.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\405.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\pdferrorneedcontentlocally.html	smnss.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CENTEURO.TXT	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\pdferrormfnotfound.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\default-progress-template.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\roamingDisambiguation.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..iveportal.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_ae1950955a82d8ef\r\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.1_none_f830216e59eee182\tokens_esES.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipshi.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..view-host-appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bc2fe801d2277712\f\appxmanifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f733914287b80b36\OOBE_HELP_Opt_in_Details.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_d34f4fd846c530a1\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.264_none_91c1d6c40350b1b6\appcmd.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\BlockSite.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-lockapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_73bddbc9c1fb11b2\r\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\serviceworker.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\navcancl.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\500-18.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\17.txt	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipschs.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipscat.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\dnserror.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\forbidframingedge.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..ialoghost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_5716db6edd86234c\f\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\retailDemoMsaInclusive.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeprovisioningentry-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-devicecenterdiagnostic_31bf3856ad364e35_10.0.19041.1_none_c2a7679e74f61c19\DeviceCenterDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\insert.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\ja-JP\Report.System.CPU.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\WpcBlockFrame.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobesettings-multipage-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..gshellapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_b4c98345579ad387\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\PhishSiteEdge.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.19041.1_none_3fe01118a9018735\MaintenanceDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-ngenassemblyexclusionclient_31bf3856ad364e35_4.0.19041.1_none_6e3f71d318a8f11a\clientexclusionlist.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\es-ES\Rules.System.NetDiagFramework.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Error.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..ervice-winrt-client_31bf3856ad364e35_10.0.19041.1266_none_cf053b35227a090b\EnrollmentStatusTrackingDDF.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\DisableAboutFlag.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\startfresh.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\common-button-template.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\emulation.html	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\uk-UA\Report.System.Wireless.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a7ce02ef73966bb\Report.System.Common.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.19041.153_none_6ef8a222ac00dbc2\r\20bbcadaff3e0543ef358ba4dd8b74bfe8e747c8.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..uickstart.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_c81408a27d1805ca\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.1_es-es_c82ea5efca98fd7b\oobe_learn_more_activity_history.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\zh-changjei.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\http_403.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..gshellapp.appxsetup_31bf3856ad364e35_10.0.19041.1_none_f5e2da3b41d3edfa\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\tokens_jaJP.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\http_404.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-18.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\404-1.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-ie-timeline_is_31bf3856ad364e35_11.0.19041.1_none_0799f1e21b66ff67\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.Common.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\http_400.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\surfaceHubAccount.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxsetup_31bf3856ad364e35_10.0.19041.1_none_7abe2d33f207c2d5\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\NetworkDiagnostics_6_DA.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\es-ES\Rules.System.Common.xml	smnss.exe

Modifies registry class 6 IoCs

Processes:

6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exesmnss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

smnss.exe

description pid process

Token: SeDebugPrivilege 1528 smnss.exe

description	pid	process
Token: SeDebugPrivilege	1528	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exectfmen.exe

description	pid	process	target process
PID 1956 wrote to memory of 628	1956	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe	ctfmen.exe
PID 1956 wrote to memory of 628	1956	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe	ctfmen.exe
PID 1956 wrote to memory of 628	1956	6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe	ctfmen.exe
PID 628 wrote to memory of 1528	628	ctfmen.exe	smnss.exe
PID 628 wrote to memory of 1528	628	ctfmen.exe	smnss.exe
PID 628 wrote to memory of 1528	628	ctfmen.exe	smnss.exe

C:\Users\Admin\AppData\Local\Temp\6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe
"C:\Users\Admin\AppData\Local\Temp\6b31cab8a40ec2efc81f957d88d01bb3df5e525397b095d09bed96e645ef7b36.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\ctfmen.exe
ctfmen.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\smnss.exe
C:\Windows\system32\smnss.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe
Filesize
4KB

MD5
b5a359c4ef6a27cf995ddb49f184381b

SHA1
2ba299c44396bb321260eae8340faf3936d15f39

SHA256
896a77e382529c4cde9d25550b0df2b15473b93c3cec11f64d8c87aede5da343

SHA512
bcf5e68f8ee96a54ec38f930a0773c10010223626b1c653541f5653bf3cebe065aac1499bd2ad041c48c68881259220e477b52425fab394072d6afc68cce17ff

Download Submit
C:\Windows\SysWOW64\grcopy.dll
Filesize
118KB

MD5
0501adb03a923b41e7204d3f94d26f32

SHA1
4e7e6c48d8a942cefa57104c252981f4c1320751

SHA256
906ab1a3d2ee898ccca9deb63ca4cbb1b812a4f873755265c7857b2f1401d4d3

SHA512
5c1a201185028c7d8b7d9827d3c7820d084af03ce60fcf0d1cf79022a1812e889b17c5fa133df301d7cd4e1a1346aad98930397da08d2a9d453a7bdb760d4e88

Download Submit
C:\Windows\SysWOW64\satornas.dll
Filesize
183B

MD5
a42833053a327743a3babecd712a14e3

SHA1
a7b6112095e2c96f960211770c8cb38c3bd24a77

SHA256
f79934d434a03410622ff94cc1dcc1867c7760a4427d97dcd871a9332a364351

SHA512
f23d166bcb03b43e7d3b41fa463ddcf2cc6e839485bda3cf339a5e5338f3958d1b0a937f29b62c1c4b459241e758e28859fbe255a702ba5406db72e879724fc5

Download Submit
C:\Windows\SysWOW64\shervans.dll
Filesize
8KB

MD5
2b48e81ad66271085547039f2439febb

SHA1
26adff735ad95224719807acd5e434f184c56dd4

SHA256
9996b95b9244a9f2698c23f60d7b1338d9b2a0a0d1672ecccce40691b0d7197e

SHA512
832f7a9b408d08706a0bb736ba30aac5e79569b05f5fdfa051625a3278eaa873e662815dc0ed81ba62cc95a43d59e3279be0f11286e2e0a993f3b4254b3e0409

Download Submit
memory/628-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1528-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-37-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1528-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1956-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-23-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads