Analysis
max time kernel: 119s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/01/2025, 22:23
Static task: static1
Behavioral task: behavioral1
  Sample: 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
  Resource: win10v2004-20241007-en
General
Target: 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
Size: 195KB
MD5: 3b76ea733003ab39d0c2b8762ab11bf0
SHA1: d605ba5122feea002f525c13fec78b32e6703d91
SHA256: 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea
SHA512: 445a39910a68a206ad566a0aa04f8193ae155cfbed7b0d33f511453bc38aaf6f15f32503f8c80cd9209438f1563738d675a11021259bbc89b0df68cc06488541
SSDEEP: 6144:JIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCyOd:wKofHfHTXQLzgvnzHPowYbvrjD/L7QP7
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
- File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt (smnss.exe)
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
- YARA rule "acprotect" matched resource: behavioral2/files/0x0007000000023cc8-10.dat
Executes dropped EXE (2 IoCs)
- PID 3696: ctfmen.exe
- PID 4376: smnss.exe
Loads dropped DLL (2 IoCs)
- PID 4216: 51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe
- PID 4376: smnss.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no individual IoC for this signature.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\Windows\system32\ctfmen.exe" (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\Windows\system32\ctfmen.exe" (smnss.exe)
The key lands under WOW6432Node because the writers are 32-bit processes; for the same reason the "system32" path in the value resolves through WOW64 file system redirection to the C:\Windows\SysWOW64\ctfmen.exe that the process tree shows executing.
Enumerates connected drives (3 TTPs, 19 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- smnss.exe opened the following drive roots read-only: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (smnss.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (smnss.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 (smnss.exe)
Drops file in System32 directory (64 IoCs)
Only six of the 64 entries are files the sandbox saw created; these are the dropped components. The rest are existing .xml and .txt files opened for modification by smnss.exe (plus the dropped shervans.dll reopened by the initial sample).
Files created:
- C:\Windows\SysWOW64\grcopy.dll (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- C:\Windows\SysWOW64\satornas.dll (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- C:\Windows\SysWOW64\shervans.dll (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- C:\Windows\SysWOW64\zipfi.dll (smnss.exe)
- C:\Windows\SysWOW64\zipfiaq.dll (smnss.exe)
- C:\Windows\SysWOW64\smnss.exe (smnss.exe)
Files opened for modification:
- C:\Windows\SysWOW64\shervans.dll (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- C:\Windows\SysWOW64\Recovery\ReAgent.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\tokens_TTS-it-IT.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml (smnss.exe)
- C:\Windows\SysWOW64\F12\Timeline.cpu.xml (smnss.exe)
- C:\Windows\SysWOW64\icsxml\cmnicfg.xml (smnss.exe)
- C:\Windows\SysWOW64\NdfEventView.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\Tokens_SR_it-IT-N.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml (smnss.exe)
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml (smnss.exe)
- C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML (smnss.exe)
- C:\Windows\SysWOW64\icsxml\potscfg.xml (smnss.exe)
- C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\Tokens_SR_es-ES-N.xml (smnss.exe)
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt (smnss.exe)
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml (smnss.exe)
- C:\Windows\SysWOW64\wsmanconfig_schema.xml (smnss.exe)
- C:\Windows\SysWOW64\AppxProvisioning.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES_helena.xml (smnss.exe)
- C:\Windows\SysWOW64\tcpbidi.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\Tokens_SR_ja-JP-N.xml (smnss.exe)
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\tokens_TTS_ja-JP.xml (smnss.exe)
- C:\Windows\SysWOW64\wbem\xsl-mappings.xml (smnss.exe)
- C:\Windows\SysWOW64\WindowsCodecsRaw.txt (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml (smnss.exe)
- C:\Windows\SysWOW64\icsxml\ipcfg.xml (smnss.exe)
- C:\Windows\SysWOW64\icsxml\pppcfg.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml (smnss.exe)
- C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml (smnss.exe)
- C:\Windows\SysWOW64\icsxml\osinfo.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml (smnss.exe)
- C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml (smnss.exe)
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt (smnss.exe)
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by smnss.exe; each is an existing .xml, .txt or .html resource of an installed application:
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\3DViewerProductDescription-universal.xml
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\3DViewerProductDescription-universal.xml
- C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.html
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Added.txt
- C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt
- C:\Program Files\7-Zip\Lang\uz-cyrl.txt
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml
- C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml
- C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml
- C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml
- C:\Program Files\7-Zip\Lang\fr.txt
- C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml
- C:\Program Files\VideoLAN\VLC\AUTHORS.txt
- C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files\7-Zip\Lang\ms.txt
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml
- C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML
- C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxManifest.xml
- C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files (x86)\Windows Media Player\Media Renderer\connectionmanager_dmr.xml
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL096.XML
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\gl-ES\View3d\3DViewerProductDescription-universal.xml
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinClassNotebook.xml
- C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN010.XML
- C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml
- C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxManifest.xml
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Excluded.txt
- C:\Program Files\7-Zip\Lang\sw.txt
- C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bg-BG\View3d\3DViewerProductDescription-universal.xml
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\View3d\3DViewerProductDescription-universal.xml
- C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml
- C:\Program Files\7-Zip\Lang\ext.txt
- C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\3DViewerProductDescription-universal.xml
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\View3d\3DViewerProductDescription-universal.xml
- C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WebviewOffline.html
- C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml
- C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL086.XML
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml
- C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml
- C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml
- C:\Program Files\Java\jdk-1.8\jre\README.txt
- C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT
- C:\Program Files\7-Zip\Lang\nb.txt
- C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml
- C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\View3d\3DViewerProductDescription-universal.xml
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\View3d\3DViewerProductDescription-universal.xml
Drops file in Windows directory (64 IoCs)
All 64 entries are "File opened for modification" by smnss.exe; each is an existing .xml, .txt, .htm or .html file under WinSxS, SystemApps, PLA, servicing or diagnostics (the ".." in WinSxS component names is how Windows abbreviates those directory names on disk):
- C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\404-4.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\401-5.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\repost.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Rules.System.Configuration.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipsar.xml
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\forbidframingedge.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\tokens_frCA.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.264_none_ba5e4a287945a683\f\EditionMatrix.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipsfra.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-t..tional-chinese-dayi_31bf3856ad364e35_10.0.19041.1_none_166d1ef984f89a37\TableTextServiceDaYi.txt
- C:\Windows\WinSxS\wow64_microsoft-windows-winre-recoveryagent_31bf3856ad364e35_10.0.19041.964_none_a302f6630325804a\ReAgent.xml
- C:\Windows\servicing\Sessions\31135899_1842305652.back.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\http_501.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-s..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_411a61445fd08261\f\AppxManifest.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\401-1.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\403-4.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-i..trolpanel.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_d23715c9ea6f2f2c\f\appxmanifest.xml
- C:\Windows\WinSxS\x86_netfx35linq-framework_assemblylist_31bf3856ad364e35_10.0.19041.1_none_2c307273305d92dd\FrameworkList.xml
- C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\views\unifiedEnrollmentDiscovery.html
- C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\retailDemoSetupInclusive.html
- C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\ProfessionalEdition.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\http_400.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-s..settings-searchdata_31bf3856ad364e35_10.0.19041.1266_none_02712bcc4c459e88\r\AllSystemSettings_{253E530E-387D-4BC2-959D-E6F86122E5F2}.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\osinfo.xml
- C:\Windows\diagnostics\index\PCWDiagnostic.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\500-15.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\403-16.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_es-es_6b77f4dc3a1a5900\Report.System.Common.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-s..p.desktop.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_278c03d4cb0b9781\r\AppxBlockMap.xml
- C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxsetup_31bf3856ad364e35_10.0.19041.1_none_38b4bf057e9fa0fb\AppxBlockMap.xml
- C:\Windows\PLA\Reports\en-US\Report.System.Summary.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\HvsiMachinePolicies_ContainerCreate.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\pdferrorneedcredentials.html
- C:\Windows\servicing\Sessions\31135899_2031453876.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-iana-tzdb-timezones_31bf3856ad364e35_10.0.19041.264_none_e1482d65a2a08701\f\timezones.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-lockapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_73bddbc9c1fb11b2\AppxManifest.xml
- C:\Windows\WinSxS\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_10.0.19041.1_de-de_f8fa23edced4b71d\resource.xml
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\PhishSite_Iframe.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\common-listview-template.html
- C:\Windows\WinSxS\amd64_microsoft-windows-ui-pcshell_31bf3856ad364e35_10.0.19041.746_none_f297ff1a159e7f05\f\DefaultLayouts.xml
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\unknownprotocol.htm
- C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\oobe-retaildemo-dialog-template.html
- C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\401-2.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\http_500.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-n..nosticsframeworkapi_31bf3856ad364e35_10.0.19041.746_none_08eafb5709ed0f57\NdfEventView.xml
- C:\Windows\PLA\Rules\de-DE\Rules.System.Configuration.xml
- C:\Windows\PLA\Rules\it-IT\Rules.System.Summary.xml
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\pdferrorrepurchasecontent.html
- C:\Windows\WinSxS\wow64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_9204c42a031e28cf\appcmd.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_de-de_c2bbc1ff4b155b96\Rules.System.Finale.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\cmnicfg.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-u..ratorschedulertasks_31bf3856ad364e35_10.0.19041.1_none_373f3db2af841e70\5ffea6126f02e78b9099eb4614d2d339f03ca5a8.xml
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\24.txt
- C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobelocalngc-main.html
- C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\unknownprotocol.htm
- C:\Windows\PLA\System\System Diagnostics.xml
- C:\Windows\servicing\Editions\EnterpriseEdition.xml
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\PhishSiteEdge.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.264_none_ba5e4a287945a683\ProfessionalEducationEdition.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipscat.xml
- C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\401-1.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\500-14.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\412.htm
- C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-14.htm
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ctfmen.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (smnss.exe)
Modifies registry class (6 IoCs)
Both the initial sample and smnss.exe point the default value of an InprocServer32 key under the 32-bit Classes view at the dropped shervans.dll. Any 32-bit process that later instantiates CLSID {E6FB5E20-DE35-11CF-9C87-00AA005127ED} will load that DLL (a COM in-process server hijack), which gives the payload a second load path independent of the Run key.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ (default) = "C:\Windows\SysWow64\shervans.dll" (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ (default) = "C:\Windows\SysWow64\shervans.dll" (smnss.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 4376 (smnss.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 4216 (51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe) wrote to memory of PID 3696, procid_target 82 (recorded 3 times)
- PID 3696 (ctfmen.exe) wrote to memory of PID 4376, procid_target 83 (recorded 3 times)
Each writer is the parent of its target in the process tree below, so these writes accompany the launch of each dropped executable rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe (PID 4216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Spawns:
  C:\Windows\SysWOW64\ctfmen.exe (PID 3696)
    Command line: ctfmen.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Spawns:
    C:\Windows\SysWOW64\smnss.exe (PID 4376)
      Command line: C:\Windows\system32\smnss.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
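The signature tables and the process tree above contain everything a responder needs for a first triage, but the rows are flattened into single lines. The Python below is an added example, not part of this report or of the sandbox vendor's tooling: it parses rows in the shapes shown above (a subset copied from this report is embedded) and pulls out the facts worth acting on: the files actually created (the drops) as opposed to the many files merely opened for modification, the Run key persistence entries, the InprocServer32 redirect to the dropped DLL, the parent/child chain recovered from the WriteProcessMemory rows, and the number of drive roots each process probed. The drive-probe threshold of three is an assumption, as is treating the PID that writes into a new process as its parent (the process tree above confirms it for this run).

```python
"""Turn flattened sandbox signature rows into triage facts.

Added example, not part of the report or the sandbox vendor's tooling. Row
shapes are copied from the report; the drive-probe threshold is an assumption.
"""
import re
from collections import Counter

SAMPLE = "51a31cbbdf41d9b29044d07a8f12293ce8a0c9c0b6f2efbfea62c18a321283ea.exe"

# Subset of rows copied from the report; <SAMPLE> stands for the long sample
# name. The process name is always the last whitespace-separated token.
ROWS = r"""
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe
File created C:\Windows\SysWOW64\grcopy.dll <SAMPLE>
File created C:\Windows\SysWOW64\satornas.dll <SAMPLE>
File created C:\Windows\SysWOW64\shervans.dll <SAMPLE>
File created C:\Windows\SysWOW64\zipfi.dll smnss.exe
File created C:\Windows\SysWOW64\zipfiaq.dll smnss.exe
File created C:\Windows\SysWOW64\smnss.exe smnss.exe
File opened for modification C:\Program Files\7-Zip\Lang\fr.txt smnss.exe
File opened (read-only) \??\E: smnss.exe
File opened (read-only) \??\G: smnss.exe
File opened (read-only) \??\H: smnss.exe
File opened (read-only) \??\I: smnss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" <SAMPLE>
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe
PID 4216 wrote to memory of 3696 4216 <SAMPLE> 82
PID 3696 wrote to memory of 4376 3696 ctfmen.exe 83
""".replace("<SAMPLE>", SAMPLE)

# Paths may contain spaces, so the path group is greedy and the process is the final token.
FILE_RE = re.compile(r"^(File created|File opened for modification|File opened \(read-only\)) (.+) (\S+)$")
REG_RE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+)$')
MEM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$")


def rows(text=ROWS):
    return [line.strip() for line in text.splitlines() if line.strip()]


def unescape(value):
    """The report renders registry string data with doubled backslashes."""
    return value.replace("\\\\", "\\")


def dropped_files(text=ROWS):
    """(path, process) for 'File created' rows: the real drops, not the
    pre-existing .xml/.txt files that are merely opened for modification."""
    return [(m.group(2), m.group(3)) for m in map(FILE_RE.match, rows(text))
            if m and m.group(1) == "File created"]


def run_key_entries(text=ROWS):
    """Sorted (value name, target path, writing process) for Run key writes."""
    out = set()
    for m in filter(None, map(REG_RE.match, rows(text))):
        if "\\CurrentVersion\\Run\\" in m.group(1):
            out.add((m.group(1).rsplit("\\", 1)[1], unescape(m.group(2)), m.group(3)))
    return sorted(out)


def inproc_server_redirects(text=ROWS):
    """CLSID -> (DLL path, process) for each InprocServer32 default value set;
    repointing an existing CLSID makes every client of that class load the DLL."""
    out = {}
    for m in filter(None, map(REG_RE.match, rows(text))):
        if m.group(1).endswith("\\InprocServer32\\"):
            clsid = re.search(r"\{[0-9A-Fa-f-]+\}", m.group(1)).group(0)
            out[clsid] = (unescape(m.group(2)), m.group(3))
    return out


def process_chain(text=ROWS):
    """Deduplicated (writer PID, writer image, target PID) edges. Assumes the
    PID writing into a new process is its parent, as the report's tree shows."""
    edges = []
    for m in filter(None, map(MEM_RE.match, rows(text))):
        edge = (int(m.group(1)), m.group(3), int(m.group(2)))
        if edge not in edges:
            edges.append(edge)
    return edges


def drive_probes(text=ROWS, threshold=3):
    """Processes opening at least `threshold` non-C: drive roots read-only
    (threshold is an assumption; ordinary software rarely walks drive letters)."""
    counts = Counter()
    for m in filter(None, map(FILE_RE.match, rows(text))):
        root = DRIVE_ROOT_RE.match(m.group(2))
        if m.group(1) == "File opened (read-only)" and root and root.group(1) != "C":
            counts[m.group(3)] += 1
    return {proc: n for proc, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("dropped:", dropped_files())
    print("run keys:", run_key_entries())
    print("COM redirects:", inproc_server_redirects())
    print("chain:", process_chain())
    print("drive probes:", drive_probes())
```

Run as a script it prints the five triage facts for the embedded rows; pointing `rows()` at the full signature text of a report yields the complete drop list (here 6 created files, versus 64 rows in the System32 table alone) and the full 19-root drive sweep by smnss.exe.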
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (1): Registry Run Keys / Startup Folder, T1547.001 (1)
Credential Access
- Credentials from Password Stores, T1555 (1): Credentials from Web Browsers, T1555.003 (1)
- Unsecured Credentials, T1552 (1): Credentials In Files, T1552.001 (1)
Downloads
File 1
  Filesize: 4KB
  MD5: a3e87a358da6ffad09c48e560c56acc6
  SHA1: 2da4c7cfb1a48cee8b64d39d8a5f6ba8ef6ce327
  SHA256: 9038343cf3317b968e3981b6494f6fd7947c10ad64c51e24034d87f3a2c03557
  SHA512: 4ea57dce514b13c0ee94405f7bd88be7c193650934ec1c6e730eac1a474c39a8c7efe8f4e8725789828e061baecb40d47d3f23e2ca66d57935465e022bd9c618
File 2
  Filesize: 195KB
  MD5: d00aae7543ae2e486b9ad9c13900a55a
  SHA1: e70eb92f8f751a2b6440bcf45ce0807add058ddb
  SHA256: aac324bf60ebc22e2967d8adf3016bf82d10f954f5afee7b877516d7b33fcee3
  SHA512: 8d69f40a1c8bdb7954f061869e91858b44fa25ac6b5a1a3259ce0baca5772787270663c89a2f0ec93912269ee18583fc1623c8bdbaf80b09d952afb3396ad9c3
File 3
  Filesize: 183B
  MD5: 23a2b15488122105ec233ce0c8feec17
  SHA1: 6c7830d627556d764be94c216c3f58358896f700
  SHA256: 5940cbee51cceaa30b18c21541e675c490274d8b5083c851b17713a855f9de8c
  SHA512: f22d21b0fc3daf4a1622fcdec901e219f3d3d71ff2f631d11044a78888af4c1984f8704256b2e6aea97a5c79d46f580ff185bc1c6c0af38db54e87226f75b83a
File 4
  Filesize: 8KB
  MD5: 321743919b662035e772c1808c95dcdd
  SHA1: f0cd6e45bccb298ff0b1d0e6fa5028b59d340705
  SHA256: 6af086bbb14e7163c08e9e0d6b7533713c6cfd82cf6d9412a7828295a4a5d003
  SHA512: ed499fbf275502ad4dac327dec7bc50085427a476881489cccbdcbb1d0f5abea6330b696ee8212bfa70847d5ee8022441d3f6ed34a746df51db20acececfbc26