Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-10-2024 08:33
Static task
static1
Behavioral task
behavioral1
Sample
052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe
Resource
win10v2004-20240802-en
General
-
Target
052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe
-
Size
2.3MB
-
MD5
9af6013ad2bd5f35cfe64d63ffa767a0
-
SHA1
7bf99d86719c556fe5422153d90408933ff3beb3
-
SHA256
052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028
-
SHA512
0f1766a593c967c26bc28079e0a7c58d2e4f5d956c5703e1ba96f127eba91db07420e9a17918e18a170ef5d626eb7ddd611ee5ea8e2697c926087745c907e559
-
SSDEEP
49152:gjvk2d9rJpNJ6jUFdXaDoIHmXMupzh72lxakn2YpHdy4ZBgIoooNe:grkI9rSjA5aDo73pzF2bz3p9y4HgIoov
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0008000000016dd0-11.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 2960 ctfmen.exe 2640 smnss.exe -
Loads dropped DLL 6 IoCs
pid Process 268 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe 268 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe 268 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe 2960 ctfmen.exe 2960 ctfmen.exe 2640 smnss.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe -
Enumerates connected drives 3 TTPs 19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: smnss.exe File opened (read-only) \??\E: smnss.exe File opened (read-only) \??\O: smnss.exe File opened (read-only) \??\R: smnss.exe File opened (read-only) \??\N: smnss.exe File opened (read-only) \??\I: smnss.exe File opened (read-only) \??\K: smnss.exe File opened (read-only) \??\Q: smnss.exe File opened (read-only) \??\U: smnss.exe File opened (read-only) \??\V: smnss.exe File opened (read-only) \??\X: smnss.exe File opened (read-only) \??\H: smnss.exe File opened (read-only) \??\J: smnss.exe File opened (read-only) \??\L: smnss.exe File opened (read-only) \??\M: smnss.exe File opened (read-only) \??\P: smnss.exe File opened (read-only) \??\T: smnss.exe File opened (read-only) \??\W: smnss.exe File opened (read-only) \??\G: smnss.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 smnss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_methods.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_type_operators.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_wildcards.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_script_internationalization.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_If.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Return.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_blocks.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPWK850T.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_do.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_output.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced_parameters.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_parameters.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj4500t.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Parsing.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Ref.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Comment_Based_Help.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_objects.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC3050F.XML smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW1B83L.XML smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky302.inf_amd64_ja-jp_dd74fe49601b74f6\Amd64\KYW7QURY.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Comparison_Operators.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WS-Management_Cmdlets.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5200t.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6000at.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Path_Syntax.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_data_sections.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_escape_characters.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_escape_characters.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_scripts.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNBX4PIPELINECONFIG.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scripts.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_regular_expressions.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Assignment_Operators.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Quoting_Rules.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\it-IT\erofflps.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_While.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_2.0.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_troubleshooting.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_types.ps1xml.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpd2600t.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Switch.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Break.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\System.Management.Automation.dll-Help.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO2700T.XML smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd7100t.xml smnss.exe File opened for modification C:\Windows\SysWOW64\ja-JP\erofflps.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Line_Editing.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_types.ps1xml.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_jobs.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_wildcards.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Path_Syntax.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPMCPDPS.XML smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7600t.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pipelines.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_requirements.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\Microsoft.PowerShell.ConsoleHost.dll-Help.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Parsing.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_environment_variables.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_logical_operators.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_data_sections.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_format.ps1xml.help.txt smnss.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
pid Process 268 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe 268 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe 2640 smnss.exe 2640 smnss.exe 2640 smnss.exe 2640 smnss.exe 2640 smnss.exe 2640 smnss.exe 2640 smnss.exe 2640 smnss.exe 2640 smnss.exe 2640 smnss.exe 2640 smnss.exe 2640 smnss.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\br.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml smnss.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML smnss.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Proofing.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html smnss.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\view.html smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\hu.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN048.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBREF.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN111.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORY.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\gadget.xml smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN010.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\uz.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL048.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML smnss.exe File opened for modification C:\Program Files\7-Zip\License.txt smnss.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.NZ.XML smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml smnss.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml smnss.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN096.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBHD.XML smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PRODIGY.NET.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN026.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ga.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml smnss.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_escape_characters.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dc373b8a3c1190f9\calendar.html smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\500-13.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_en-us_442c6606061fb492\Report.System.NetTrace.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-w..erplaydvddiagnostic_31bf3856ad364e35_6.1.7600.16385_none_f7d9878fca745b50\WindowsMediaPlayerPlayDVD.xml smnss.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1025\LocalizedData.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_68bfa622c568dbc2\Report.System.Common.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_CommonParameters.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\Microsoft.PowerShell.Security.dll-Help.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0098688ad232f281\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b4334efea73fef8e\Rules.System.Finale.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Redirection.help.txt smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d6ecf7712bd7f915\settings.html smnss.exe File opened for modification C:\Windows\ehome\it-IT\playReady_eula_oem.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-12.htm smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Core_Commands.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_While.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-12.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b4334efea73fef8e\Report.System.Configuration.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_methods.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_WS-Management_Cmdlets.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnhp005.inf_31bf3856ad364e35_6.1.7600.16385_none_30e9a6119eda44e5\Amd64\hp8500at.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_pssessions.help.txt smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_aeae15a0d7fc043a\gadget.xml smnss.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx40_IIS_schema_update.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8dd8c4f40dc38dd9\erofflps.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b60543bd2d988807\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Orange Circles.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_Automatic_Variables.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_script_internationalization.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Comment_Based_Help.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_providers.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-17.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-1.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-4.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_WS-Management_Cmdlets.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnhp004.inf_31bf3856ad364e35_6.1.7600.16385_none_306093dc85bc087c\Amd64\hpc6300t.xml smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0c889693e4e0f25f\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_functions_cmdletbindingattribute.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_debuggers.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-3.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_If.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnsa002.inf_31bf3856ad364e35_6.1.7600.16385_none_02a32ac8d56280f6\Amd64\smc610u.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_environment_variables.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-9.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b4334efea73fef8e\Rules.System.Diagnostics.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-scavenge-space_31bf3856ad364e35_6.1.7601.17514_none_1b683337cabdc91a\ScavengeSpace.xml smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_aeae15a0d7fc043a\clock.html smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_regular_expressions.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_functions_advanced_parameters.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Windows_PowerShell_2.0.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Windows_PowerShell_ISE.help.txt smnss.exe File opened for modification C:\Windows\ehome\fr-FR\playready_eula.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_795ac2ac69664653\Microsoft.IIS.Powershell.Provider.dll-Help.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9e5b45457e71d50c\Rules.System.Finale.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Path_Syntax.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_command_precedence.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_functions_advanced_methods.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\System.Management.Automation.dll-Help.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-4.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_WMI_Cmdlets.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnhp005.inf_31bf3856ad364e35_6.1.7600.16385_none_30e9a6119eda44e5\Amd64\hpc309at.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Return.help.txt smnss.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctfmen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smnss.exe -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2640 smnss.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 268 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe 2640 smnss.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 268 wrote to memory of 2960 268 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe 31 PID 268 wrote to memory of 2960 268 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe 31 PID 268 wrote to memory of 2960 268 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe 31 PID 268 wrote to memory of 2960 268 052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe 31 PID 2960 wrote to memory of 2640 2960 ctfmen.exe 32 PID 2960 wrote to memory of 2640 2960 ctfmen.exe 32 PID 2960 wrote to memory of 2640 2960 ctfmen.exe 32 PID 2960 wrote to memory of 2640 2960 ctfmen.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe"C:\Users\Admin\AppData\Local\Temp\052a14bcf0ebe3bd56470733658ec947c161e880e08ba0187865893491ffa028N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2640
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
183B
MD5e0e76192519af420cf094c1d90822371
SHA1ab0ec3a6498054d850bf518995f8d8da923067a8
SHA2566e0fa547f29661ce5ab7c941cd4775c5e9db551524f15f4c71a62ecaeff8e3d7
SHA512bdefe02ce6e4b56e323a630b68ed565d92a12c34d6f69a844fe5d41a8d9d1a55782e4b4c34cbc4c83521c76080167d672790b127b4383a39675f74437894b369
-
Filesize
4KB
MD563dfd074227661fb2167cd56bbc9c082
SHA1b8f0dee34c29e46d7fe865d9a1144374063df82a
SHA256c4e47249a6601d19f183b0c59f83ef496028684cec314b3d903bfab996dca368
SHA512d973499a888063cea3dbd12eeea43b1e95896950f309490642af0805c0eaee5519ddd09a5820dea6c29e6c61164c58092ff9feaaaf3f2ea4232e410b25b94588
-
Filesize
8KB
MD5baf82d9a74073f5097600205c1020b6c
SHA112aa6cac8e42d041448625a3cfa7a64796fc51b9
SHA256f03efe66a216c78b562645f9fd24b4abe9992227a7862077a3ef9f9dfaaa5963
SHA5127c5198ce1c012cf5d17d1b2de052c11096ef967155a4e4fa1dfaaecd0e7c1f12b6909eb93428d0c16fa946227abf985bfc0b4ed26688a877103f31ed2134fb84
-
Filesize
2.3MB
MD5728ba5a1fe30790574d43cd3b97364c7
SHA16b078d936c783a730975a92ca95a490113a7a475
SHA256b760c1a8a300f9f0537af4fc1f78502f6aa8bfb3128b9aaca930dc2370205ee3
SHA5125a69169ec81309d0b8149299b94f562a28c6c83335c1673c873a390f01325ba980ecbc579ffe34e5d44a8aca691b0156cabc1151c98fc43087f9910cf8f7567b