6728579691845cd78ae57de1680e291fc58a46d88cfc40563755b92562b154b3

Analysis

max time kernel
97s
max time network
18s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ed170485ca598ccc31781416a315710N.exe
Size

143KB
MD5

6ed170485ca598ccc31781416a315710
SHA1

30a23edde75f13b2ed791631ff52d6e2d2bdcf5a
SHA256

6728579691845cd78ae57de1680e291fc58a46d88cfc40563755b92562b154b3
SHA512

aa06fe153905a90784b1bf07c1eb19bf0f9360bbeaa19309b81a663769dedeff83590a93bd6003520d90d9fe8cb61e07d92712e7a4f37b62a3716e5188ce510c
SSDEEP

3072:3LVoDvPd+A4WhkhXDl+i1lApwH08TdTIIIIIIIIIIIIIIIIIIfIIIIyIIIITIIIe:ZopGGgbiwU8JC

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSScl.exe"	SMSScl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSScl.exe"	SMSScl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SMSScl.exe"	6ed170485ca598ccc31781416a315710N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6ed170485ca598ccc31781416a315710N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSScl.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6ed170485ca598ccc31781416a315710N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSScl.exe

Executes dropped EXE 2 IoCs

pid	Process
2852	SMSScl.exe
2976	SMSScl.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSScl.exe"	6ed170485ca598ccc31781416a315710N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Fancy.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Simple.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ENGIDX.DAT	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OCRVC.DAT	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\LOOKUP.DAT	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OUTLFLTR.DAT	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Newsprint.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Thatch.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLEX.DAT	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Formal.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\JFONT.DAT	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OSPP.HTM	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Default.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Manuscript.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Distinctive.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Modern.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Perspective.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Classic.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Elegant.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\OUTFORM.DAT	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLV.DOC	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OCRHC.DAT	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Traditional.dotx	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHKEY.DAT	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\AccessWeb\CLNTWRAP.HTM	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLTS.DAT	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHPHN.DAT	SMSScl.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHSRN.DAT	SMSScl.exe

Drops file in Windows directory 62 IoCs

description	ioc	Process
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Crack.exe	SMSScl.exe
File created	C:\Windows\svchost.exe	6ed170485ca598ccc31781416a315710N.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\	6ed170485ca598ccc31781416a315710N.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Crack.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Keygen.exe	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Keygen.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Nero Burning ROM v6.0.0.19 Ultra Edition Crack.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplateRTL.html	SMSScl.exe
File created	C:\Windows\SMSScl.exe	SMSScl.exe
File opened for modification	C:\Windows\svchost.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Crack.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Keygen.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 Crack.exe	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Sophos AntiVirus v3.74 Keygen.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplateRTL.html	SMSScl.exe
File opened for modification	C:\Windows\SMSScl.exe	6ed170485ca598ccc31781416a315710N.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton Antispam 2004 Crack.exe	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Norton AntiVirus 2004 Keygen.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsDoNotTrust.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplateRTL.html	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html	SMSScl.exe
File created	C:\Windows\SMSScl.exe	6ed170485ca598ccc31781416a315710N.exe
File created	C:\Windows\message.dat	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Studio MX 2004 AllApps Crack.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html	SMSScl.exe
File created	C:\Windows\message.htm	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\	SMSScl.exe
File opened for modification	C:\Windows\svchost.exe	SMSScl.exe
File created	C:\Windows\SMSScl.exe	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\OSPP.HTM	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\CLNTWRAP.HTM	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetObjects Fusion v7.5 Crack.exe	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Nero Burning ROM v6.0.0.19 Ultra Edition Crack.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Sophos AntiVirus v3.74 Keygen.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 beta patch2 Crack.exe	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Half Life 2 beta patch2 Crack.exe	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Dragon NaturallySpeaking 8 ISO Multilanguage Crack.exe	SMSScl.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html	SMSScl.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html	SMSScl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ed170485ca598ccc31781416a315710N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSScl.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SMSScl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WordChangeInstallLanguage = "No"	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\PublisherChangeInstallLanguage = "No"	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No"	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\AccessChangeInstallLanguage = "No"	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No"	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\ProjectChangeInstallLanguage = "No"	SMSScl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared\OfficeUILanguage = "1033"	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SMSScl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1"	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No"	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared	SMSScl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted"	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem	SMSScl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\UIFallback = 30003b0031003000330033000000	SMSScl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\UILanguage = "1033"	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\XLChangeInstallLanguage = "No"	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\InfoPathChangeInstallLanguage = "No"	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No"	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033 = "On"	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	SMSScl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f0551ebb12e7da01	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources	SMSScl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\UISnapshot = 31003000330033000000	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\OutlookChangeInstallLanguage = "No"	SMSScl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\PPTChangeInstallLanguage = "No"	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SMSScl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0	SMSScl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\HelpFallback = 30003b0031003000330033000000	SMSScl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\HelpLanguage = "1033"	SMSScl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\InstallLanguage = "1033"	SMSScl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources\PreviousInstallLanguage = "1033"	SMSScl.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S"	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	6ed170485ca598ccc31781416a315710N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2976	SMSScl.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2852	2784	6ed170485ca598ccc31781416a315710N.exe	30
PID 2784 wrote to memory of 2852	2784	6ed170485ca598ccc31781416a315710N.exe	30
PID 2784 wrote to memory of 2852	2784	6ed170485ca598ccc31781416a315710N.exe	30
PID 2784 wrote to memory of 2852	2784	6ed170485ca598ccc31781416a315710N.exe	30

C:\Users\Admin\AppData\Local\Temp\6ed170485ca598ccc31781416a315710N.exe
"C:\Users\Admin\AppData\Local\Temp\6ed170485ca598ccc31781416a315710N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SMSScl.exe
  "C:\Windows\SMSScl.exe" -xInstallOurNiceServicesYes
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2852

C:\Windows\SMSScl.exe
C:\Windows\SMSScl.exe -xStartOurNiceServicesYes
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SMSScl.exe

Filesize
143KB

MD5
6ed170485ca598ccc31781416a315710

SHA1
30a23edde75f13b2ed791631ff52d6e2d2bdcf5a

SHA256
6728579691845cd78ae57de1680e291fc58a46d88cfc40563755b92562b154b3

SHA512
aa06fe153905a90784b1bf07c1eb19bf0f9360bbeaa19309b81a663769dedeff83590a93bd6003520d90d9fe8cb61e07d92712e7a4f37b62a3716e5188ce510c

Download Submit
C:\Windows\Temp\evmYIVPs.FqP\message.htm

Filesize
197KB

MD5
4ff73f8120f8e5d78cc5a075d6a55ad1

SHA1
8f4f173fcad198bba5870c1bb98a0a81e89a8c39

SHA256
ee17c1d219fe30aca4d310ef38560210670c3dae4591a9780fb5e5cffc91cbb0

SHA512
993b6d75a34c82baba7ee06b6fa97e43f28f2a6d80945dcfd9df5410ef7fa8ca948cf587f15396226e31eb0f74b88cad3a9c19975acd295d03f4988e21215e69

Download Submit
C:\Windows\message.dat

Filesize
196KB

MD5
2d474bca2fc964de26736039d1cca15b

SHA1
73f7f9eb1a05e9a3fd01a4cf176eee780ca7b179

SHA256
8cea1ec7b5fe2c875b74f7088ae59079db2781cd14e4822842825e16b29547e0

SHA512
fe3e0987edd55d68b0203c9f11d7b0a2e5ef3ecd1ddacdc0bce186e287fc21ff75c5404c0a71083b87fe92bf6de97d8c957f4792d35105d8490fcdf6fc3b8ff3

Download Submit