bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Size

195KB
MD5

28adad392a7893b3353722630c9d3d6d
SHA1

685951f18dc6ac11fa98474585d1cef32d535602
SHA256

bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94
SHA512

48ea8b190dd57100f8282001f2f821093a346c2b354c2fd9144189ed7f3f13af8843b1b4a8cb61c7ea8237af3556a75a39c3eabaf4a58df81d774dd5a34c07cf
SSDEEP

6144:/Is9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCyOW:KKofHfHTXQLzgvnzHPowYbvrjD/L7QPo

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	smnss.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000017462-10.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2352	ctfmen.exe
852	smnss.exe

Loads dropped DLL 6 IoCs

pid	Process
1828	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
1828	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
1828	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
2352	ctfmen.exe
2352	ctfmen.exe
852	smnss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	smnss.exe
File opened (read-only)	\??\M:	smnss.exe
File opened (read-only)	\??\T:	smnss.exe
File opened (read-only)	\??\V:	smnss.exe
File opened (read-only)	\??\X:	smnss.exe
File opened (read-only)	\??\H:	smnss.exe
File opened (read-only)	\??\K:	smnss.exe
File opened (read-only)	\??\R:	smnss.exe
File opened (read-only)	\??\S:	smnss.exe
File opened (read-only)	\??\U:	smnss.exe
File opened (read-only)	\??\E:	smnss.exe
File opened (read-only)	\??\G:	smnss.exe
File opened (read-only)	\??\J:	smnss.exe
File opened (read-only)	\??\N:	smnss.exe
File opened (read-only)	\??\P:	smnss.exe
File opened (read-only)	\??\I:	smnss.exe
File opened (read-only)	\??\O:	smnss.exe
File opened (read-only)	\??\Q:	smnss.exe
File opened (read-only)	\??\W:	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_advanced_parameters.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Foreach.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Break.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_debuggers.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_requirements.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\tsprint-PipelineConfig.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_jobs.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_environment_variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_debuggers.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_aliases.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Path_Syntax.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_objects.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.Commands.Utility.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced_methods.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_data_sections.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_blocks.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\de-DE\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Quoting_Rules.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Line_Editing.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\Microsoft.PowerShell.ConsoleHost.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\Microsoft.PowerShell.Security.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Redirection.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO1600T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3100T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\kyw7qur8.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_format.ps1xml.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Automatic_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Return.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_logical_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\System.Management.Automation.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_join.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Break.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_WMI_Cmdlets.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\ipcfg.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Comparison_Operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_locations.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_hash_tables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Switch.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8400T.XML	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\RICFG7.XML	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_PSSnapins.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\Microsoft.PowerShell.Security.dll-Help.xml	smnss.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Redirection.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\Microsoft.PowerShell.ConsoleHost.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_methods.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Command_Syntax.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_scripts.help.txt	smnss.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\kop5650X.xml	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_profiles.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Arithmetic_Operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_regular_expressions.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_profiles.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_type_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_arrays.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_methods.help.txt	smnss.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_2.0.help.txt	smnss.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SNET.NET.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RSSFeeds.html	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml	smnss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\WordMUI.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL087.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\gadget.xml	smnss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	smnss.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML	smnss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL027.XML	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	smnss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml	smnss.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml	smnss.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml	smnss.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	smnss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\connectionmanager_dmr.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_try_catch_finally.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_Session_Configurations.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_split.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Comparison_Operators.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Automatic_Variables.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_de-de_90c392ae5a3a7d2d\gadget.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\405.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Signing.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\Microsoft.PowerShell.Security.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..gadgetxml.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bf201eb0e6f23766\gadget.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-12.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\Microsoft.PowerShell.Commands.Utility.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_Continue.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ea71b0ed2aff4b15\resource.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpj3500t.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_CommonParameters.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6d48bdce24e57241\gadget.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dc373b8a3c1190f9\calendar.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\settings.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8ef1bf7026e3473f\gadget.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\405.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Session_Configurations.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPO7200T.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2260a04d0daf0ce1\gadget.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9e5b45457e71d50c\Report.System.Configuration.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\Microsoft.PowerShell.Security.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_PSSnapins.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\Report.System.CPU.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPO4PG3L.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpc4300t.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\main.html	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Redirection.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-1.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_Path_Syntax.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_transactions.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpk8600t.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_transactions.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Quoting_Rules.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Windows_PowerShell_ISE.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sonic-clickme_31bf3856ad364e35_6.1.7600.16385_none_560dd693a7476c8c\ClickMe.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..svc-extra.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ceb9e50fe1e709ac\Report.System.Wireless.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_de44258d81747ce2\RSSFeeds.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-6.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\Microsoft.PowerShell.Commands.Management.dll-Help.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Return.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\osinfo.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0c889693e4e0f25f\clock.html	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_operators.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Line_Editing.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Break.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Bears.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_command_precedence.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_jobs.help.txt	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPO4300T.XML	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp005.inf_31bf3856ad364e35_6.1.7600.16385_none_30e9a6119eda44e5\Amd64\hpd2600t.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_providers.help.txt	smnss.exe
File opened for modification	C:\Windows\diagnostics\index\AeroDiagnostic.xml	smnss.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\Report.System.Disk.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..svc-extra.resources_31bf3856ad364e35_6.1.7600.16385_de-de_25fdb232f2e20c42\Rules.System.Wireless.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpf2200t.xml	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-10.htm	smnss.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml	smnss.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	smnss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 2352	1828	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe	31
PID 1828 wrote to memory of 2352	1828	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe	31
PID 1828 wrote to memory of 2352	1828	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe	31
PID 1828 wrote to memory of 2352	1828	bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe	31
PID 2352 wrote to memory of 852	2352	ctfmen.exe	32
PID 2352 wrote to memory of 852	2352	ctfmen.exe	32
PID 2352 wrote to memory of 852	2352	ctfmen.exe	32
PID 2352 wrote to memory of 852	2352	ctfmen.exe	32

C:\Users\Admin\AppData\Local\Temp\bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe
"C:\Users\Admin\AppData\Local\Temp\bedfeb4444c5deca0ac31d9844f53b79f0894e8277406add8a5da24d04de8a94.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\SysWOW64\ctfmen.exe
  ctfmen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\smnss.exe
    C:\Windows\system32\smnss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\satornas.dll

Filesize
183B

MD5
92adf4de95fa4c16191e7d02243bb014

SHA1
5967e0b3e3f28c6432b3aadf56db214cfa1e171c

SHA256
26a6f15ae6078f1a646946b79772d680a73dc0861bb594d84f479ac24585ee98

SHA512
d3c7d3b276c0aa38449c1c1367761432c6e09fc0a152812e7759948bb4a5eb14a11c7df3e3c23edd840e41b015e82f592fd14a16af46717d75a4d0adbbf1f5ee

Download Submit
\Windows\SysWOW64\ctfmen.exe

Filesize
4KB

MD5
971bf6cdeb3daa85bbb0e0a38951066a

SHA1
c0a4e9f7a036c8f06ffaacb23b718e1ae4f6e3fd

SHA256
19e199a6707f7296b17899e98674fcaf1395552597c40d4a6ecef1cfb9233af3

SHA512
0377457710f7480e9e9a189bea33fc837cdb4a3bc6f76aa76ac1cf565e471730ba910b572f185ad6728a673d18dea7647d87bddf4a988cceae00259bda313bfc

Download Submit
\Windows\SysWOW64\shervans.dll

Filesize
8KB

MD5
20f349922e1884e0f66a80dd5ecb0935

SHA1
1bbdbb2e3a87e0771759ccc12d446d8f05e922be

SHA256
1d1ef69ea915143a6e8f90e234f7178181206a4779b38508c4667655a2fb38f8

SHA512
89f68bb1d87d76c970be7a943e19b9de8bcd6f6b5e31825f7735b59643f0284c8aebd727fc4834f24f209daac341e31c613b926b61cc319228e5ffb99be0544d

Download Submit
\Windows\SysWOW64\smnss.exe

Filesize
195KB

MD5
0fce4633a76dc7b86ad8265b9fc451e5

SHA1
ef1c2caddae27de78635d55cfe2f07d5663d2ba7

SHA256
02703704a07b62d5cf8537d2d0381ac3e587d2344f0ab9a2419b246cd300c0df

SHA512
4e68792177a51c19724fe158eb13dae4a7a0ee09de5a88fe3ad8d999ec6aa9a0e4a71690a3170ad47ed83a617cd15d804610c25f63d912c415b72024531de52b

Download Submit
memory/852-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/852-43-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/852-36-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1828-25-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/1828-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1828-26-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1828-27-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/1828-28-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1828-16-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2352-34-0x0000000000320000-0x0000000000359000-memory.dmp

Filesize
228KB

Download
memory/2352-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2352-45-0x0000000000320000-0x0000000000359000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads