Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/01/2025, 12:12
Static task
static1
Behavioral task
behavioral1
Sample
9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe
Resource
win10v2004-20241007-en
General
-
Target
9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe
-
Size
118KB
-
MD5
451fc8e6b2fc51f4930faaa1b82650e7
-
SHA1
1700c83af85d787a952acfcec2d26879d91d2689
-
SHA256
9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976
-
SHA512
c4eb0442e24a7112e64cd9c0fc31b179133b1328b0d59cc0e612842b96226d358fa67dde6cecf403b05497169fa73ae658186f535bf751c0c4dbee58f93fe055
-
SSDEEP
3072:3OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPn:3Is9OKofHfHTXQLzgvnzHPowYbvrjD/k
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x0007000000023ca0-10.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 3992 ctfmen.exe 4516 smnss.exe -
Loads dropped DLL 2 IoCs
pid Process 4900 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe 4516 smnss.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe -
Enumerates connected drives 3 TTPs 19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: smnss.exe File opened (read-only) \??\O: smnss.exe File opened (read-only) \??\X: smnss.exe File opened (read-only) \??\E: smnss.exe File opened (read-only) \??\J: smnss.exe File opened (read-only) \??\K: smnss.exe File opened (read-only) \??\L: smnss.exe File opened (read-only) \??\U: smnss.exe File opened (read-only) \??\S: smnss.exe File opened (read-only) \??\T: smnss.exe File opened (read-only) \??\H: smnss.exe File opened (read-only) \??\M: smnss.exe File opened (read-only) \??\P: smnss.exe File opened (read-only) \??\Q: smnss.exe File opened (read-only) \??\R: smnss.exe File opened (read-only) \??\G: smnss.exe File opened (read-only) \??\I: smnss.exe File opened (read-only) \??\V: smnss.exe File opened (read-only) \??\W: smnss.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 smnss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml smnss.exe File created C:\Windows\SysWOW64\grcopy.dll 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe File opened for modification C:\Windows\SysWOW64\satornas.dll 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\osinfo.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES_helena.xml smnss.exe File created C:\Windows\SysWOW64\shervans.dll 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe File created C:\Windows\SysWOW64\satornas.dll 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe File created C:\Windows\SysWOW64\zipfi.dll smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\Tokens_SR_es-ES-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\grcopy.dll 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt smnss.exe File created C:\Windows\SysWOW64\ctfmen.exe 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE.xml smnss.exe File opened for modification C:\Windows\SysWOW64\NdfEventView.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\Tokens_SR_ja-JP-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSXPS2.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\F12\Timeline.cpu.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\potscfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml smnss.exe File opened for modification C:\Windows\SysWOW64\tcpbidi.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\ctfmen.exe 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\pppcfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\tokens_TTS_ja-JP.xml smnss.exe File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\ipcfg.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\tokens_TTS-it-IT.xml smnss.exe File created C:\Windows\SysWOW64\smnss.exe smnss.exe File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\Tokens_SR_it-IT-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\shervans.dll 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe File created C:\Windows\SysWOW64\smnss.exe 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml smnss.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\NEWS.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\index.html smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\excluded.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\Relicensing Statement.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt smnss.exe File opened for modification C:\Program Files\7-Zip\readme.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\BuildInfo.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\index.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt smnss.exe File opened for modification C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\NOTICE.TXT smnss.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml smnss.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\az-Latn-AZ\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\onenote_whatsnew.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunchdlg.html smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\mk.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_de-DE.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1266_none_12ea08a0c4f345b0\f\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\retailDemoSecurity.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.264_none_ba5e4a287945a683\ProfessionalSingleLanguageEdition.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.appxsetup_31bf3856ad364e35_10.0.19041.1266_none_1810750b8eb9f2ea\n\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\pdferrorofflineaccessdenied.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.1_none_e2e6c013142b9760\tokens_enGB.xml smnss.exe File opened for modification C:\Windows\servicing\Sessions\31135900_1326658825.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\potscfg.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_8a237828132e61da\about_BeforeEach_AfterEach.help.txt smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.1_none_e2e6c013142b9760\tokens_ptBR.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\pdferrorneedcontentlocally.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_fb71c64c36f7dd93\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-csp_31bf3856ad364e35_10.0.19041.1202_none_e04a7941c90aaf6f\f\NGCProDDF_v1.2_final.xml smnss.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-t..tional-chinese-dayi_31bf3856ad364e35_10.0.19041.1_none_20c1c94bb9595c32\TableTextServiceDaYi.txt smnss.exe File opened for modification C:\Windows\PLA\Rules\Rules.System.Wireless.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\500-19.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\2.txt smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-button-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobelanguage-main.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Report.System.Configuration.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_52fbb1b86a870614\r\AppxManifest.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\forbidframingedge.htm smnss.exe File opened for modification C:\Windows\PLA\Reports\Report.System.Disk.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\defaultbrowser.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\DisableAboutFlag.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\502.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..olsclient.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_fe9996dc5d311970\f\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\tokens_enUS.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Rules.System.Summary.xml smnss.exe File opened for modification C:\Windows\PLA\Reports\es-ES\Report.System.Network.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft.processmitigations.commands_31bf3856ad364e35_10.0.19041.662_none_2a8c125210169f86\f\Microsoft.ProcessMitigations.Commands.dll-Help.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.264_none_876d2c71ceefefbb\rscaext.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.1_none_e2e6c013142b9760\tokens_jaJP.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft.configci.commands_31bf3856ad364e35_10.0.19041.1_none_62e8771482490eb6\AllowMicrosoft.xml smnss.exe File opened for modification C:\Windows\WaaS\services\14a3f9e824793931d34f7f786a538bbc9ef1f0d6.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_zh-CN.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc_31bf3856ad364e35_10.0.19041.1081_none_e049f4a228a31cca\Report.System.Wired.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipstr.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\pdferrorneedcontentlocally.html smnss.exe File opened for modification C:\Windows\servicing\Sessions\31135899_3710158244.back.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-light-footer-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\AuditPol_ContainerCreate.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-4.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-14.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\pdferrorneedcredentials.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Report.System.Configuration.xml smnss.exe File opened for modification C:\Windows\PLA\Reports\es-ES\Report.System.Memory.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-pcshell_31bf3856ad364e35_10.0.19041.746_none_f297ff1a159e7f05\f\DefaultLayouts.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsen.xml smnss.exe File opened for modification C:\Windows\PLA\Rules\Rules.System.Performance.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-apprep-chxapp.appxmain_31bf3856ad364e35_10.0.19041.423_none_15f557c171018574\baseTemplate.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\tokens_esMX.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\common-listview-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-light-frame-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\404.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\pdferrorneedcontentlocally.html smnss.exe File opened for modification C:\Windows\diagnostics\index\VideoPlaybackDiagnostic.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..t-browser.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_9335233f4761b170\f\AppxManifest.xml smnss.exe File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeprovisioningentry-main.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\413-1.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\acr_error.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_netfx35linq-framework_assemblylist_31bf3856ad364e35_10.0.19041.1_none_884f0df6e8bb0413\FrameworkList.xml smnss.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctfmen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smnss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe -
Modifies registry class 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4516 smnss.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4900 wrote to memory of 3992 4900 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe 84 PID 4900 wrote to memory of 3992 4900 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe 84 PID 4900 wrote to memory of 3992 4900 9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe 84 PID 3992 wrote to memory of 4516 3992 ctfmen.exe 85 PID 3992 wrote to memory of 4516 3992 ctfmen.exe 85 PID 3992 wrote to memory of 4516 3992 ctfmen.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe"C:\Users\Admin\AppData\Local\Temp\9da4549e66084dab15161f65169bc76c9bcf25a40387a6f9b275ee9d9eaf3976.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD50d38270421c9969c2ca02d62bdef1bb5
SHA10cb2d500096cc2a9736a622b4bd1f50b590f0d65
SHA256b4f562a714502b5a649ad3d5bffda9d17de5bcb41da6deb482e273d078c57a60
SHA51271d891d9baf35cbc7e3a30f1bee7a75cbb1e8dff1fa7bc2f3094e1cb77a0675ddd4493a0ffcd5de011f33759bcbf4a6ce319ede4883604fc46c7e3f900f545af
-
Filesize
118KB
MD5916df0173cb2cde9ff93cfa58570c4e6
SHA1f54001317446d7d9568e24d664b763c078ff1d29
SHA25663ab5356be61ccc5186cf06282694d2dfce1de753dcec4565667bd4e3d726baa
SHA512f3db6327a928a41752fcae6381a4d248e35a48f0ef264cb5bd7728b8296ed79b016ab89cf741cd02ab1aa29f4ac040456540d8cbe17fbb0a799403fbff62467e
-
Filesize
183B
MD5bcb31bbdd02911c2929b869e2e6ac15a
SHA15a042c400d3850d6c77f0ab6d22a0e18dfaab82b
SHA256e6ac5cbede18dfffaba220696f8b13c4b62de28887f6ec09ebde159301a3e4ab
SHA51257bb126e6d193f5fbb65bd48b10636f90cf2a63b5b602ea120a94c9aaaec2bb30f3abe46391b1767e040c4b71e9444afa897edfe412749608abd66900b3098c2
-
Filesize
8KB
MD5cd154e2343c95a7e31fd9d0c8ab3fd41
SHA1e86b0252da918426c8a73287665df92248066470
SHA2560a1c584cd3adc8c07117dbbcd2e5fc2c00586ef27a95921496f30fd28be04b96
SHA512f9305691276f413a91a5567b0176f4350a0c0bf3ddea0c4d842bec0e35f25574a4e8bf530497dfdcd54a538625e89a5a5c74c4786a1830864541a55060ddd1c5