195688fdc5454fb7f6ba8188015e395bfe86876a9c0e28b818944ee264f0e77c

Resubmissions

21-08-2024 19:30

240821-x76q3sweqg 10

21-08-2024 17:42

240821-v92h2avgpj 10

12-06-2024 16:01

240612-tgps4a1bqh 10

Analysis

max time kernel
60s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
12-06-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Size

41KB
MD5

3e67d212278e1af5be913d236399fcf6
SHA1

f993125ed4af1de6a551a6e0843a6d124cd46f27
SHA256

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464
SHA512

f7e6394c9f9fdd6a03c72aaece5b4911cb821680a632f94b622b12d94cff9873d93b2c6604016524bdab4dd6e4b70b532c440f6b296138677be19e078ad23ec7
SSDEEP

768:/eMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09sy:/q5VwWDjDkdTRqHFOn8tIbbeYiuZIFSl

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\shervans.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

ctfmen.exesmnss.exe

pid process

3824 ctfmen.exe
3744 smnss.exe
Loads dropped DLL 2 IoCs

Processes:

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exesmnss.exe

pid process

852 3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
3744 smnss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3824	ctfmen.exe
3744	smnss.exe

pid	process
852	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
3744	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

smnss.exe3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smnss.exe3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

Drops file in System32 directory 12 IoCs

Processes:

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exesmnss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File created	C:\Windows\SysWOW64\shervans.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File created	C:\Windows\SysWOW64\grcopy.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File created	C:\Windows\SysWOW64\smnss.exe	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File created	C:\Windows\SysWOW64\satornas.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

Drops file in Program Files directory 64 IoCs

Processes:

smnss.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Paint_10.2104.17.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\VoiceCommands.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_2.33.33351.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\telemetryrules\hxoutlook.exe_Rules.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Pester.help.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfig.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\connectionmanager_dmr.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.2012.21.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\MLModels\autofill_labeling_features_email.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_2020.901.1724.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML	smnss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.561.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxManifest.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jvisualvm.txt	smnss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	smnss.exe

Drops file in Windows directory 64 IoCs

Processes:

smnss.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_el-gr_0d3fe5a0b0a66eee\f\OOBE_HELP_Opt_in_Details.htm	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\en-US\Report.System.Configuration.xml	smnss.exe
File opened for modification	C:\Windows\servicing\Editions\EnterpriseEdition.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_sr-..-rs_9b1934646c39ba0a\f\OOBE_HELP_Opt_in_Details.htm	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.22000.120_none_3da444c93fbedacf\f\tokens_ptBR.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft.configci.commands_31bf3856ad364e35_10.0.22000.348_none_a84f00b3682204eb\f\DefaultWindows_Enforced.xml	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\SubsetList\Client.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\en-US\Report.System.Network.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Network.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.22000.71_none_5465725c68e2919e\f\oobeautopilotactivation-main.html	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_ko-kr_dfd4b2f26025d89b\f\OOBE_HELP_Opt_in_Details.htm	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.22000.120_none_285ae36df9fb90ad\f\tokens_zhCN.xml	smnss.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.22000.469_none_8c502cfed26c810b\f\20bbcadaff3e0543ef358ba4dd8b74bfe8e747c8.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft.configci.commands_31bf3856ad364e35_10.0.22000.348_none_a84f00b3682204eb\f\AllowMicrosoft.xml	smnss.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1257.TXT	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..p.desktop.appxsetup_31bf3856ad364e35_10.0.22000.51_none_94f3d13331b8c560\f\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.22000.493_none_a9fee4e32efd000a\f\116da488502c96511736970b304a7e240fc0ba8b.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-onecoreuap-wlansvc_31bf3856ad364e35_10.0.22000.282_none_3e060dd677ae570d\f\Rules.System.Wireless.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\f\serviceworker.html	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.22000.71_none_5465725c68e2919e\f\autopilotwhiteglovelanding-main.html	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_lv-lv_846d4d7751cbe528\f\oobe_learn_more_activity_history.htm	smnss.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\appxmanifest.xml	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.22000.493_none_a9fee4e32efd000a\f\6d65bf9137df33347cdef410755b511433f94ee6.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_10e4c14208d6d2d3\f\RenderingControl.xml	smnss.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1251.TXT	smnss.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml	smnss.exe
File opened for modification	C:\Windows\servicing\Editions\ProfessionalEdition.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_lt-lt_839fdef3524da438\f\OOBE_HELP_Opt_in_Details.htm	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.22000.120_none_3da444c93fbedacf\f\tokens_enCA.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.22000.493_none_a9fee4e32efd000a\f\dfd9063b031c70d0c87310b16c4132522b447dda.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.22000.71_none_5465725c68e2919e\f\oobeautopilotupdate-main.html	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.22000.71_none_5465725c68e2919e\f\oobeautopilotreboot-main.html	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.22000.71_none_5465725c68e2919e\f\oobeprovisioningprogress-main.html	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..diagnostics-package_31bf3856ad364e35_10.0.22000.37_none_9fb69ca862f02d04\f\NetworkDiagnostics_4_NetworkAdapter.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_ja-jp_3c6ad63d6db51185\f\oobe_learn_more_activity_history.htm	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.22000.120_none_3da444c93fbedacf\f\tokens_esMX.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..iencehost.appxsetup_31bf3856ad364e35_10.0.22000.37_none_ae414b4ec6ae5d98\f\AppxBlockMap.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\f\emulation.html	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.22000.493_none_a9fee4e32efd000a\f\74461450967a334ea27548db66c8db015e4c4b86.xml	smnss.exe
File opened for modification	C:\Windows\Logs\MoSetup\ActionList.xml	smnss.exe
File opened for modification	C:\Windows\Panther\diagwrn.xml	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\CameraGetHelpDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_en-us_0d9a8e06b06f1225\f\OOBE_HELP_Opt_in_Details.htm	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\DefaultSettings.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Common.xml	smnss.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\GREEK.TXT	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands\v4.0_10.0.0.0__31bf3856ad364e35\AllowAll.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.22000.71_none_5465725c68e2919e\f\oobeenterpriseprovisioning-main.html	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.22000.71_none_5465725c68e2919e\f\troubleshootingdiagnostics-lite-main.html	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_069016efd47610d8\f\avtransport.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-powerdiagnostic_31bf3856ad364e35_10.0.22000.37_none_1c5e9e8769a71107\f\PowerDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList\FrameworkList.xml	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ThirdPartyNotices.txt	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.22000.493_none_a9fee4e32efd000a\f\9a00328f787b0683a05c2e7a16ef7858adfa8068.xml	smnss.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..ickerhost.appxsetup_31bf3856ad364e35_10.0.22000.65_none_9c821b4e9ca33b74\f\AppxManifest.xml	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_fr-ca_a893ab33a8408052\f\oobe_learn_more_activity_history.htm	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_hu-hu_f78de13187c7e948\f\OOBE_HELP_Opt_in_Details.htm	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.22000.184_pl-pl_0ce2d9e71e997be0\f\OOBE_HELP_Opt_in_Details.htm	smnss.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..platform-media-base_31bf3856ad364e35_10.0.22000.376_none_d0bc762eaa58a5f0\f\reagent.xml	smnss.exe

Modifies registry class 6 IoCs

Processes:

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exesmnss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

smnss.exe

description pid process

Token: SeDebugPrivilege 3744 smnss.exe

description	pid	process
Token: SeDebugPrivilege	3744	smnss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exectfmen.exe

description	pid	process	target process
PID 852 wrote to memory of 3824	852	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe	ctfmen.exe
PID 852 wrote to memory of 3824	852	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe	ctfmen.exe
PID 852 wrote to memory of 3824	852	3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe	ctfmen.exe
PID 3824 wrote to memory of 3744	3824	ctfmen.exe	smnss.exe
PID 3824 wrote to memory of 3744	3824	ctfmen.exe	smnss.exe
PID 3824 wrote to memory of 3744	3824	ctfmen.exe	smnss.exe

C:\Users\Admin\AppData\Local\Temp\3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
"C:\Users\Admin\AppData\Local\Temp\3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\ctfmen.exe
ctfmen.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\smnss.exe
C:\Windows\system32\smnss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe
Filesize
4KB

MD5
f9bc518045e22ee820b15b0c7304a4d6

SHA1
3c7d1d344a2086bc23501dd4ff7a2630316bef0b

SHA256
f82777304f473e97c2472c9454c983323b70c3c85554484e13cbf5db8b18f52e

SHA512
13d1e5407048f77fd29f06d192ad203a1aef4f80be667e142316d5eb9be30d9574d25978ee6cc91dee41949d86a9f6e949b1916f404f81ab8dd3c83479b03700

Download Submit
C:\Windows\SysWOW64\grcopy.dll
Filesize
41KB

MD5
21c7dfdca200b6a519bfea6fccf9b674

SHA1
55890720373c05dc9448ac4a3588ec3612d3c941

SHA256
bd66649ecde179e5525ba6f2b09174eedec9a655e538436f79db02783868604a

SHA512
8511216f725e22f39b50a69e64e60b675056c092e33b0c886bb03746c76c5e82035b3b75ef6c523ac589c19f5dd5d6b1c9a99d1dfcccf34b4c182514e73689f3

Download Submit
C:\Windows\SysWOW64\satornas.dll
Filesize
183B

MD5
62ba788034ae870ca1638b3ab2872c71

SHA1
ad72d64903526c72d697cf54ed760d75cc491527

SHA256
19aeb8e23eebf7fb9e4bddf4660a9bfe34228d1ffb28988f23cb27538f4964ac

SHA512
a574833009c76358537c0cd08eb431da25dad9baf3eab0a6f21c8d1ad26a4d7c75be76a55bf86e93d2ea84d6ca131e2b7bb6467c1e02564b0df3dbde67cd3385

Download Submit
C:\Windows\SysWOW64\shervans.dll
Filesize
8KB

MD5
cc3008a9d74f349c414cbaaa62f41fce

SHA1
eebadff7ae0f57f7070915ebebe3de48f5c83844

SHA256
c6dffaf3e66faae8ecf64839f39f2299fcfbbc388e6b967a2e9cbb86cfbb1f21

SHA512
b341fa39cdafbbf570482e499f28c480bb8bef804164331c7f0d4792df8a7bf90acef7aa0b279e32a8688924d603a93c37d630ce48ed82871f35c481e9e6e3c5

Download Submit
memory/852-18-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/852-24-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/852-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/852-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3744-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3744-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3744-39-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3744-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3744-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3744-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3744-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3824-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3824-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download