19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
Size

119KB
MD5

09c9849a09105524828f1802f2370bf4
SHA1

c2bcdce91b0b4e32bdd0b3d9b709520c9dcc1554
SHA256

19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100
SHA512

18c6ca481cc365da0d148c53e0b8db6295ee8bfb8b55287d277bd54d9950ce3bffbd558dc267f0574c0fc8a398818a7575976dde5b3c664a359f02f905b1d8b3
SSDEEP

3072:AOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:AIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016105-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2988	ctfmen.exe
2984	smnss.exe

Loads dropped DLL 6 IoCs

pid	Process
2812	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
2812	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
2812	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
2988	ctfmen.exe
2988	ctfmen.exe
2984	smnss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	smnss.exe
File opened (read-only)	\??\N:	smnss.exe
File opened (read-only)	\??\Q:	smnss.exe
File opened (read-only)	\??\X:	smnss.exe
File opened (read-only)	\??\E:	smnss.exe
File opened (read-only)	\??\I:	smnss.exe
File opened (read-only)	\??\M:	smnss.exe
File opened (read-only)	\??\O:	smnss.exe
File opened (read-only)	\??\P:	smnss.exe
File opened (read-only)	\??\V:	smnss.exe
File opened (read-only)	\??\H:	smnss.exe
File opened (read-only)	\??\U:	smnss.exe
File opened (read-only)	\??\R:	smnss.exe
File opened (read-only)	\??\K:	smnss.exe
File opened (read-only)	\??\L:	smnss.exe
File opened (read-only)	\??\S:	smnss.exe
File opened (read-only)	\??\T:	smnss.exe
File opened (read-only)	\??\W:	smnss.exe
File opened (read-only)	\??\J:	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1360t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf583u.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_script_blocks.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Line_Editing.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Parsing.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.Wsman.Management.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf6x5u.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_methods.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_requires.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_try_catch_finally.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_types.ps1xml.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_History.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_script_internationalization.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_prompts.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Continue.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Commands.Utility.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_jobs.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_command_precedence.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_arrays.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_advanced_methods.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_parameters.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4680t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc350u.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_data_sections.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_format.ps1xml.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WMI_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO1600T.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_scripts.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_scopes.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8100T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\kop4650X.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Reserved_Words.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_WMI_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_output.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpah470t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_CommonParameters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_prompts.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpf4400t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc770u.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_logical_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3300T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpsd730t.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\Amd64\tsmxuPipelineConfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Automatic_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_escape_characters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Session_Configurations.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Special_Characters.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4300t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_modules.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Core_Commands.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_properties.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Assignment_Operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO0410T.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_For.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa430t.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_execution_policies.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_profiles.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_script_internationalization.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\RICFG7.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_locations.help.txt	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.XML	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.XML	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\clock.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\DATES.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN103.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	smnss.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\main.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL103.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN081.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	smnss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_For.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dd612a0790e20961\calendar.html	smnss.exe
File opened for modification	C:\Windows\ehome\CreateDisc\SonicResources\ClickMe.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8734fb86705288a7\flyout.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\405.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_debuggers.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Ref.help.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Rules\fr-FR\Rules.System.Finale.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-7.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_For.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_debuggers.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Green Bubbles.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-editions-client_31bf3856ad364e35_6.1.7600.16385_none_bc037fbe81d7b074\HomePremiumEdition.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_logical_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\servicing\Editions\StarterEdition.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_transactions.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_join.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Continue.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_parameters.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_pssessions.help.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\ja-JP\Report.System.Common.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8734fb86705288a7\gadget.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-14.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-5.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_functions_advanced_parameters.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\System Performance.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8dbf2e4c46ccd2f2\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7601.17514_none_a54b31331066c8e2\resource.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8700586a70797a4c\RSSFeeds.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_117bd8ffb46dd92c\Report.System.Configuration.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9e5b45457e71d50c\Report.System.CPU.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Path_Syntax.help.txt	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\AudioPlaybackDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Line_Editing.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipsrom.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd7300t.xml	smnss.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2070\LocalizedData.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\ja-JP\Report.System.Wired.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ae1bce6b81c0916\gadget.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnrc00c.inf_31bf3856ad364e35_6.1.7600.16385_none_3b11d85d2b1e2536\Amd64\RICFG7.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Comment_Based_Help.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Throw.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dbc7c5d1d33a67b5\clock.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\401-3.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\501.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_type_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_CommonParameters.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-10.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_scopes.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_functions.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-8.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_remote_requirements.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_transactions.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_split.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_job_details.help.txt	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\de-DE\Report.System.NetDiagFramework.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_scripts.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_remote.help.txt	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\NetworkDiagnostics_2_FileShare.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8ef1bf7026e3473f\picturePuzzle.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\401-2.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_PSSnapins.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fa282a13eee96e21\settings.html	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	smnss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2988	2812	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe	30
PID 2812 wrote to memory of 2988	2812	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe	30
PID 2812 wrote to memory of 2988	2812	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe	30
PID 2812 wrote to memory of 2988	2812	19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe	30
PID 2988 wrote to memory of 2984	2988	ctfmen.exe	31
PID 2988 wrote to memory of 2984	2988	ctfmen.exe	31
PID 2988 wrote to memory of 2984	2988	ctfmen.exe	31
PID 2988 wrote to memory of 2984	2988	ctfmen.exe	31

C:\Users\Admin\AppData\Local\Temp\19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe
"C:\Users\Admin\AppData\Local\Temp\19adcf647fef49febc7c22c5483ac2f22dc818c11eb110b96e92e9076f5ee100.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
97d75b21b9364d6297d0d9128ee72fec

SHA1
f17142a3383a4b7c9acadcd748bd3f31d9cfc669

SHA256
6ae2dfb9e82dc7e3fae6d992cc083a0b7494e9809f9e0a2e67f6d88f11ac5263

SHA512
a9170dab48a245e3157b543de83fc73093a81ce0405a60ed3566129bbe14660e6715294dd98702e59fa7e29fee2cee23ddaeaefb620afe39461f03c1d1c712ee

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
65a9e3c555d481fb7e957f698aafc7f7

SHA1
e3c37494340bfb347bd9892fff6e93c4c4b0b5a4

SHA256
1d8da9549c9220a726c099b744679134892758a67cc75d0dca7dc142bc5ee921

SHA512
ef85c25c6dc3e81bebb7b13c7b3b693f136be392928341fa35d8361b13b5bf159539ba338e27205fc34ef0b15c1c420333ec847f02e1561ec2481b9e99effae3

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
fdf8ffd04d5a0f90a40d39d9daf46bca

SHA1
e79fb921f95ab12ac831eda84075f3c850a2a5fa

SHA256
e53453d7da436a682c6aa835fe9a55e9df15d5445df201255651028b0f712e4a

SHA512
c2eab6a57c088460709703873b3bcc785893d807804bf0efde2bf2ac1f1afb50403f34834923ecd1a3e7a34ad0c785853abc61fc7dd396baa2a7e63e20744a37

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
119KB

MD5
34d7e8864621a92d4276606565d85c8f

SHA1
2da867c51e1f9abb1283af07edfe1fb3e0fb06de

SHA256
fc8c9168dda0b92d1f9d8a5365f60864220fd53d4f96b5b7bc1d947a2aaf9978

SHA512
29bb6a9cc1b61e110c7c7600244b8f7b590a61f8d258c775fffbb161b372d78f9f92c0c8cbd242094771f1d7b1524f51931c1a67349f423c73a55937f60bf537

Download Submit
memory/2812-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2812-27-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2812-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2812-20-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2812-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2984-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2984-41-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2984-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2988-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads