1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
Size

120KB
MD5

80d5bd632ae012d76536279fd467d87e
SHA1

d2007ae0a2232adb673ec872546b334018258d8d
SHA256

1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2
SHA512

2a568fc7a6572b24fd8a1af288e3efcac60fffcb6ac6508da1c1eef3b639d0232da7f0e843b9a551154b87be53870907db0b5e7d2d65ff87149fdd7a080c5d02
SSDEEP

3072:WOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:WIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

UPX dump on OEP (original entry point) 12 IoCs

resource	yara_rule
behavioral2/memory/2116-0-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/files/0x000800000002325d-10.dat	UPX
behavioral2/memory/2116-12-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/files/0x000800000002325e-16.dat	UPX
behavioral2/files/0x000800000002325a-20.dat	UPX
behavioral2/memory/2756-21-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/1792-28-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/2756-27-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral2/memory/2116-31-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/memory/2116-30-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/1792-38-0x0000000010000000-0x000000001000D000-memory.dmp	UPX
behavioral2/memory/1792-41-0x0000000000400000-0x0000000000420000-memory.dmp	UPX

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002325d-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2756	ctfmen.exe
1792	smnss.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
1792	smnss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wsmanconfig_schema.xml	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsCodecsRaw.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
File created	C:\Windows\SysWOW64\satornas.dll	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\potscfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\pppcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\wbem\xsl-mappings.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\AppxProvisioning.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
File created	C:\Windows\SysWOW64\smnss.exe	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml	smnss.exe
File created	C:\Windows\SysWOW64\shervans.dll	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
File created	C:\Windows\SysWOW64\grcopy.dll	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\ipcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\tcpbidi.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\osinfo.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Recovery\ReAgent.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\cmnicfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\NdfEventView.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\F12\Timeline.cpu.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt	smnss.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RenderingControl.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-US\tokens_enUS.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\index.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-ES\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-PT\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\View3d\3DViewerProductDescription-universal.xml	smnss.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinStickyNotes.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\Welcome.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\MoSetup\ActionList.xml	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RedistList\FrameworkList.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\http_gen.htm	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\tokens_frFR.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..rymanager.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_f52dbf51d6536fa6\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..eexplorer.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_03d7aa1083b7645d\r\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\CacheSize.txt	smnss.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_gen.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\pdferrorneedcredentials.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\servbusy.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftLync2013Win32.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..nrollment.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_3bef52e9f4b5e3b0\f\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\ja-JP\Rules.System.NetDiagFramework.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\it-IT\Report.System.Wireless.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\header.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\pdferrorneedcontentlocally.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\forbidframingedge.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeprovisioningentry-main.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\14.txt	smnss.exe
File opened for modification	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\PowerDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobeFooterHost.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\tokens_zhCN.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\nointernet.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ebd9ffd49454da2e\Report.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\common-toggle-template.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\retailDemoAdvanced.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\common-button-template.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\OfflineTabs\OfflineTabs.html	smnss.exe
File opened for modification	C:\Windows\WaaS\services\14a3f9e824793931d34f7f786a538bbc9ef1f0d6.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\default.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\retailDemoSetup.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_en-us_bd09b79dd70edace\Rules.System.NetDiagFramework.xml	smnss.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CENTEURO.TXT	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.NetTrace.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\es-ES\Rules.System.Summary.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\fr-FR\Rules.System.Performance.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\it-IT\Rules.System.CPU.xml	smnss.exe
File opened for modification	C:\Windows\PrintDialog\appxblockmap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobenetworklossaversionv2-main.html	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-compat-appraiser_31bf3856ad364e35_10.0.19041.1266_none_0615c459620affef\Win32CompatibilityAppraiser_DDF.xml	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\NetFx40_IIS_schema_update.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\es-ES\Rules.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_de-DE.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..sslockapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_7014825cdc7916b8\f\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeactivitysyncconsent-main.html	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\pdferrormfnotfound.html	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\tlserror.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\autopilotwhiteglovelanding-main.html	smnss.exe
File opened for modification	C:\Windows\WaaS\services\2213703c9c64cc61ba900531652e23c84728d2a2.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftLync2010.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\it-IT\Report.System.NetDiagFramework.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.Common.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\ja-JP\Rules.System.Summary.xml	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\invalidcert.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\sslnavcancel.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\navcancl.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\unknownprotocol.htm	smnss.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeprovisioningstatus-main.html	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\de-DE\Report.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-bits-client-core_31bf3856ad364e35_10.0.19041.153_none_04304b75e9b1037f\315818c03ccc2b10070df2d4ebd09eb6c4c66e58.xml	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2756	2116	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe	91
PID 2116 wrote to memory of 2756	2116	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe	91
PID 2116 wrote to memory of 2756	2116	1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe	91
PID 2756 wrote to memory of 1792	2756	ctfmen.exe	92
PID 2756 wrote to memory of 1792	2756	ctfmen.exe	92
PID 2756 wrote to memory of 1792	2756	ctfmen.exe	92

C:\Users\Admin\AppData\Local\Temp\1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe
"C:\Users\Admin\AppData\Local\Temp\1a382aa8c061945d5e33939e85a80df65e815b002e9e4fe60ccbed5a76ba8aa2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
9cfbe2c5be0f4934f0f6879490287c5f

SHA1
0440c40ee24a1b107ec4a2d72335c9b07d4bf34c

SHA256
717908395edf1a3591eb49ddd1eeaf9371c69f3c83e04fd37027f566535b8e92

SHA512
b3509ebbb8175f6902d1624b09cf52c740e4efb180b2e8b5c5c2d42891bae026ef4c51cb7db81bd88971ed09a343b8d8ca8a4c0051a41601da6ebf3cd8222a0b

Download Submit
C:\Windows\SysWOW64\grcopy.dll

Filesize
120KB

MD5
bd4e86bf268f3b5954e8f2c4e2b81589

SHA1
8f278812f8ae7564686794060e835df63de4911e

SHA256
edcedb73fd4d64c90265e00e3fa9288032d6f7ed3cae365c3f79cf8bad7af102

SHA512
7bc5c0b86b0c6d89450406e55c600f9465385976fe01bbd1cd2635e0c5e622987698afe38aa603f2cfde98ccc46792b00ddc64c000c3fed3b21bf4f396b1273a

Download Submit
C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
83fe128e6ef5640497264c4f0c8ca4f1

SHA1
7ef9094c1b9de6028d61bc0445e14da2cc3c51bf

SHA256
611050d620c4871911b375be2c73e586c9f9238f20839a6a55db56b09f5afcce

SHA512
16a117e9407f54548dc453c966c98653107c356e86f3512508f7933c6b4af4082ad05fccb1c5cddda07e488bec815edc27d5144e203075adb494aee3b072d326

Download Submit
C:\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
fc9079609b603a6bda429303ef5fd2ef

SHA1
eeb4044667aec68ed201b009770d4a90e80be591

SHA256
42159ae828d85d22d08f291ea3d05e3e68c5fe14550a0627f8d44bf4859ec5dc

SHA512
adea73a580aaa7c263f0ba5e1f6e781a86be1646a08192f49f23a787f7e7bb5aeea67da5d4a6cda4949bba269f1af9282226052793d6c3292e4fab34abea6bd6

Download Submit
memory/1792-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1792-38-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1792-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2116-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2116-31-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2116-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2116-12-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2756-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads