Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/01/2025, 11:57
Static task
static1
Behavioral task
behavioral1
Sample
c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe
Resource
win10v2004-20241007-en
General
-
Target
c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe
-
Size
75KB
-
MD5
6ed5cf8d1cd805767d358e6edad16bd1
-
SHA1
a59441161e0b150e0bc8868780dc7ff5a633205c
-
SHA256
c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7
-
SHA512
6baf01c79a45e1289008dff1b9fa56ba9813239eae1b9848c32ac36c0148283afe2ce109109debed1aca5f2083b13ff9f928c36fb497df0041baf8751f7ba197
-
SSDEEP
1536:4x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3E:wOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPM
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x0007000000023cbe-9.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 3304 ctfmen.exe 1208 smnss.exe -
Loads dropped DLL 2 IoCs
pid Process 3192 c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe 1208 smnss.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe -
Enumerates connected drives 3 TTPs 19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: smnss.exe File opened (read-only) \??\L: smnss.exe File opened (read-only) \??\R: smnss.exe File opened (read-only) \??\H: smnss.exe File opened (read-only) \??\O: smnss.exe File opened (read-only) \??\P: smnss.exe File opened (read-only) \??\T: smnss.exe File opened (read-only) \??\X: smnss.exe File opened (read-only) \??\G: smnss.exe File opened (read-only) \??\M: smnss.exe File opened (read-only) \??\S: smnss.exe File opened (read-only) \??\U: smnss.exe File opened (read-only) \??\W: smnss.exe File opened (read-only) \??\V: smnss.exe File opened (read-only) \??\E: smnss.exe File opened (read-only) \??\J: smnss.exe File opened (read-only) \??\K: smnss.exe File opened (read-only) \??\N: smnss.exe File opened (read-only) \??\Q: smnss.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 smnss.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Recovery\ReAgent.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\tokens_TTS_ja-JP.xml smnss.exe File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt smnss.exe File created C:\Windows\SysWOW64\ctfmen.exe c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES_helena.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\tokens_TTS-it-IT.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\Tokens_SR_ja-JP-N.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\ipcfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\pppcfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\NdfEventView.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\Tokens_SR_es-ES-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt smnss.exe File created C:\Windows\SysWOW64\shervans.dll c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\osinfo.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\Tokens_SR_fr-FR-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\grcopy.dll c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe File created C:\Windows\SysWOW64\smnss.exe c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe File opened for modification C:\Windows\SysWOW64\satornas.dll c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml smnss.exe File created C:\Windows\SysWOW64\grcopy.dll c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe File opened for modification C:\Windows\SysWOW64\shervans.dll c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml smnss.exe File opened for modification C:\Windows\SysWOW64\F12\Timeline.cpu.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml smnss.exe File opened for modification C:\Windows\SysWOW64\tcpbidi.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt smnss.exe File created C:\Windows\SysWOW64\smnss.exe smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml smnss.exe File created C:\Windows\SysWOW64\zipfiaq.dll smnss.exe File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\potscfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\Tokens_SR_it-IT-N.xml smnss.exe File created C:\Windows\SysWOW64\satornas.dll c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml smnss.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\HeroAppTile.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml smnss.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTile.xml smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ps.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml smnss.exe File opened for modification C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Third Party Notices.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\el.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\de.txt smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml smnss.exe File opened for modification C:\Program Files\Java\jre-1.8\Welcome.html smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\View3d\3DViewerProductDescription-universal.xml smnss.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a7ce02ef73966bb\Report.System.Diagnostics.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Rules.System.Configuration.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-taskscheduler-service_31bf3856ad364e35_10.0.19041.264_none_0ce2bf73f5e3d0ee\D61D61C8-D73A-4EEE-8CDD-F6F9786B7124.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_netfx4-ngenassemblyexclusionclient_31bf3856ad364e35_4.0.19041.1_none_6e3f71d318a8f11a\clientexclusionlist.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_dual_prnms005.inf_31bf3856ad364e35_10.0.19041.1_none_1eab1be1d38e5678\Amd64\MSxpsXPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\502.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.1266_none_e6ebbe2a02425392\oobeautopilotreboot-main.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..ep-chxapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_7d8eee60f8081103\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobesettings-main.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-3.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\needhvsi.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Report.System.Diagnostics.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\pdferrorunknownerror.html smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\servbusy.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\BlockSite.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.1_de-de_1f727312db940011\oobe_learn_more_activity_history.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\auxpad.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\ko-kr.xml smnss.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1254.TXT smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\ftp_rscaext.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\debugger.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\18.txt smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_10.0.19041.153_none_6ef8a222ac00dbc2\f\20bbcadaff3e0543ef358ba4dd8b74bfe8e747c8.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..ialibrarydiagnostic_31bf3856ad364e35_10.0.19041.1_none_dedee787078f40e3\WindowsMediaPlayerMediaLibrary.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.19041.207_none_8d07de31084775c6\r\14a3f9e824793931d34f7f786a538bbc9ef1f0d6.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_2286dfb4f2be688c\Report.System.Wireless.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\UpgradeMatrix.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\401-5.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\404-3.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\BlockSite.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\PhishSiteEdge.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Report.System.Memory.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_dual_ntprint4.inf_31bf3856ad364e35_10.0.19041.1_none_003f1b632195ba8c\Amd64\V3HostingFilter-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-light-contentview-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobelocalngc-main.html smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\dnserror.html smnss.exe File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ebd9ffd49454da2e\Rules.System.Wired.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\500-16.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\pdferrorneedcredentials.html smnss.exe File opened for modification C:\Windows\ImmersiveControlPanel\Settings\AllSystemSettings_{253E530E-387D-4BC2-959D-E6F86122E5F2}.xml smnss.exe File opened for modification C:\Windows\PLA\Rules\fr-FR\Rules.System.Performance.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\pdferrordisabledforregion.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..kerplugin.appxsetup_31bf3856ad364e35_10.0.19041.1_none_650e185617d118b6\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\f\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-7.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\pdferror.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\7.txt smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-x..ectdialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_fe2a3fc32038c1d1\f\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\servicing\Sessions\31135900_4011253136.back.xml smnss.exe File opened for modification C:\Windows\servicing\Sessions\31135901_1964944298.back.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\0809\tokens_enGB.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..eexplorer.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_03d7aa1083b7645d\r\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\http_404.htm smnss.exe File opened for modification C:\Windows\WinSxS\Temp\PendingDeletes\d3a79d4736e5d70110a200001815341f.ASPNET_schema.xml smnss.exe File opened for modification C:\Windows\diagnostics\index\NetworkDiagnostics_5_Inbound.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobelanguage-main.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\501.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\20.txt smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\common-textinput-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\retailDemoSetupInclusive.html smnss.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smnss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctfmen.exe -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1208 smnss.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3192 wrote to memory of 3304 3192 c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe 84 PID 3192 wrote to memory of 3304 3192 c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe 84 PID 3192 wrote to memory of 3304 3192 c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe 84 PID 3304 wrote to memory of 1208 3304 ctfmen.exe 85 PID 3304 wrote to memory of 1208 3304 ctfmen.exe 85 PID 3304 wrote to memory of 1208 3304 ctfmen.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe"C:\Users\Admin\AppData\Local\Temp\c10c2254b611992c169c5ac0d6396ca07249235fd7d0ef2111599d3843ade8c7.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5293dfbb7f42232418a1ce0dbc91f0da9
SHA1705675b56025c53dd660d66a2db2f973feda9459
SHA256ac1dbc74c7b581fc2e15e0fd67bee7e1deef399abb90eb6901e71d0b05f12fa7
SHA512527352556b1d760abea8e7fb6ad74fea87505b5be5dc3b3663e4931d0e35b3b746a2aad9aa1c5a369109d0c799ee5da012a02036a8aa9bf32baad6eedbc1ff10
-
Filesize
75KB
MD54ae3bdb4a44783fad05e73e3f7e91e77
SHA161bd8063ac040da93414017e4839e54a9ee35dc2
SHA2561e8abc776220f4c42d26644c359fee7287a9cc77a5c6c020d5bc55e3ce478cc0
SHA512e84927d30d7df7014d64ccffd2455d6365596c38a62d663a1429136c6eb47db4e65502c2590b959a7a54d6de4e460386a2e55975c692c782bfd484dc1a58b74b
-
Filesize
183B
MD526ba6f8354e11d00f7e51e35d794f73a
SHA182cb5e7aa36447dff247e529e951a2dd1bcc1e96
SHA2567db78f120f059eaceeb29455fd15b1a44b9aa1cd435d6068d1ff30bc6ff4d47b
SHA51291ea98db4b794b7d3f7bf0c8dbdaa2984719a9fb0642e660e4ba84f352fc92ddcd56d98aa1cb8c444327637271eb86cb70cf51490ece9fd4ffdb6c93747cc069
-
Filesize
8KB
MD54ddcfc2840b95028ff4045917bd2e333
SHA1749e7ecc4a0fae91656532e68c1240668c9f725c
SHA25669a173d66b46bdb2471ca6bbc7593b16ec2aa171c4294f1e4a99a6112625aefc
SHA5126e4f5ff11440d168dc710544bd18b9a46aa0dbf4312d60a5448e4cd87e59cc9c06b70faeeae76244f8352ac9a4f78c07453982ee21d875e252ad7f9c7ed81c6f