Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/01/2025, 12:17
Static task
static1
Behavioral task
behavioral1
Sample
5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe
Resource
win10v2004-20241007-en
General
-
Target
5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe
-
Size
119KB
-
MD5
cf74a2aa66d93710cbc26863bc562ee0
-
SHA1
01c5ca3e14178e4a5e7eacb6c942a6dfb5f992af
-
SHA256
5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42
-
SHA512
08fbc97c276d2d14106e0a5014b8b496da7a15728d75044b3b61617e50205573402e9aeae0559121dd24492b482b4ec8c699f2dc32321e3fd02253cc60df2f46
-
SSDEEP
3072:6OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:6Is9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x000a000000023b73-10.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 3652 ctfmen.exe 4136 smnss.exe -
Loads dropped DLL 2 IoCs
pid Process 4720 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe 4136 smnss.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe -
Enumerates connected drives 3 TTPs 19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: smnss.exe File opened (read-only) \??\Q: smnss.exe File opened (read-only) \??\S: smnss.exe File opened (read-only) \??\U: smnss.exe File opened (read-only) \??\H: smnss.exe File opened (read-only) \??\I: smnss.exe File opened (read-only) \??\M: smnss.exe File opened (read-only) \??\W: smnss.exe File opened (read-only) \??\X: smnss.exe File opened (read-only) \??\G: smnss.exe File opened (read-only) \??\N: smnss.exe File opened (read-only) \??\O: smnss.exe File opened (read-only) \??\R: smnss.exe File opened (read-only) \??\T: smnss.exe File opened (read-only) \??\E: smnss.exe File opened (read-only) \??\J: smnss.exe File opened (read-only) \??\K: smnss.exe File opened (read-only) \??\P: smnss.exe File opened (read-only) \??\V: smnss.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 smnss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\cmnicfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\potscfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPCL6-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt smnss.exe File created C:\Windows\SysWOW64\smnss.exe smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\MXDW-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\unishare-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\Tokens_SR_fr-FR-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\ctfmen.exe 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe File opened for modification C:\Windows\SysWOW64\F12\Timeline.cpu.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES.xml smnss.exe File opened for modification C:\Windows\SysWOW64\wbem\xsl-mappings.xml smnss.exe File created C:\Windows\SysWOW64\smnss.exe 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\NdfEventView.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR_hortense.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\Tokens_SR_ja-JP-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\wsmanconfig_schema.xml smnss.exe File opened for modification C:\Windows\SysWOW64\grcopy.dll 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe File created C:\Windows\SysWOW64\zipfi.dll smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\pppcfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\tcpbidi.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\Amd64\unishare3d-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\tokens_TTS-it-IT.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_6066bc96a5f28b44\tsprint-PipelineConfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\tokens_TTS_de-DE_hedda.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\it-IT\Tokens_SR_it-IT-N.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsPS-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPWGR.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\fr-FR\tokens_TTS_fr-FR.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\ja-JP\tokens_TTS_ja-JP.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_9e410195c3b236c9\Amd64\MSECP-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt smnss.exe File created C:\Windows\SysWOW64\shervans.dll 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe File created C:\Windows\SysWOW64\zipfiaq.dll smnss.exe File opened for modification C:\Windows\SysWOW64\AppxProvisioning.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\V3HostingFilter-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\SysWOW64\icsxml\ipcfg.xml smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\tokens_TTS_es-ES_helena.xml smnss.exe File created C:\Windows\SysWOW64\satornas.dll 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-pipelineconfig.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-PDC.xml smnss.exe File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc smnss.exe File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Common\es-ES\Tokens_SR_es-ES-N.xml smnss.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt smnss.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt smnss.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\view.html smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinAddCustomTags.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\hy.txt smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL082.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\manifest.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Pester.help.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt smnss.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features_email.txt smnss.exe File opened for modification C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\3DViewerProductDescription-universal.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\AppxManifest.xml smnss.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceTigrinya.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\th.txt smnss.exe File opened for modification C:\Program Files\dotnet\LICENSE.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml smnss.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt smnss.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml smnss.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\VoiceCommands.xml smnss.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\PLA\Rules\fr-FR\Rules.System.CPU.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\forbidframingedge.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\backstack-chrome-breadcrumb-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\retailDemoMsa.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-13.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-5.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\16.txt smnss.exe File opened for modification C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-5.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..sktop.appxmain.root_31bf3856ad364e35_10.0.19041.264_none_a71c9f7fdcd899c5\DefaultSettings.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..zer-de-de-n-onecore_31bf3856ad364e35_10.0.19041.1_none_985a6cbe8d598a00\Tokens_SR_de-DE-N.xml smnss.exe File opened for modification C:\Windows\servicing\Sessions\31135901_2089333787.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..tscontrol.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_bcf0807cccfa0873\r\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..ialoghost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_5716db6edd86234c\r\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeactivitysyncconsent-main.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-csp_31bf3856ad364e35_10.0.19041.1202_none_e04a7941c90aaf6f\f\NGCProDDF_v1.2_final.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-winre-recoveryagent_31bf3856ad364e35_10.0.19041.964_none_98ae4c10cec4be4f\ReAgent.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\navcancl.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\speech\0416\tokens_ptBR.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\EditionMatrix.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..iguration.searchapp_31bf3856ad364e35_10.0.19041.1_none_6a5e909ee80bfce7\BingConfiguration_common.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..kerplugin.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_23f4c1602d97fe43\f\AppxManifest.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeoutro-main.html smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\29.txt smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..esolverux.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_30675b33c3afc2a2\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-bits-client-core_31bf3856ad364e35_10.0.19041.1266_none_9b0ab05d400833e1\f\315818c03ccc2b10070df2d4ebd09eb6c4c66e58.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-button-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.1_none_e2e6c013142b9760\tokens_itIT.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_de-de_c2bbc1ff4b155b96\Rules.System.Diagnostics.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\Rules.System.Disk.xml smnss.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_247add106824ed63\default.help.txt smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\common-header-template.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\http_400.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-srh_31bf3856ad364e35_10.0.19041.1266_none_1e3229580ff745d0\NarratorControlTemplates.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\baseAltGr_rtl.xml smnss.exe File opened for modification C:\Windows\PLA\Reports\es-ES\Report.System.Memory.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoSecurityInclusive.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\404-1.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6ae61beebd6b13dd\oobe_learn_more_activity_history.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_es-es_6b77f4dc3a1a5900\Report.System.Network.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a7ce02ef73966bb\Rules.System.CPU.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nkrecognition.ja-jp_31bf3856ad364e35_10.0.19041.1_none_7c0cc5368758e843\ThirdPartyNotices.ja-jp.txt smnss.exe File opened for modification C:\Windows\PLA\Rules\uk-UA\Rules.System.Wireless.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\pdferror.html smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\acr_error.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..ervice-winrt-client_31bf3856ad364e35_10.0.19041.1266_none_cf053b35227a090b\EnrollmentStatusTrackingDDF.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\dom.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\needie.html smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ncsiuwpapp.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_757b1fb62148c452\f\AppxManifest.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.1_it-it_550e1235949cf95b\OOBE_HELP_Opt_in_Details.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-o..ectionflow.appxmain_31bf3856ad364e35_10.0.19041.423_none_0b0196a3d38fda4e\tokens_enCA.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.1_none_f59d207965b1bbc3\ipsfra.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\proxyerror.htm smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\AppxManifest.xml smnss.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\0407\tokens_deDE.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..eexplorer.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_03d7aa1083b7645d\r\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\502.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\431.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\501.htm smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..olsclient.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_fe9996dc5d311970\AppxBlockMap.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-speechdiagnostic_31bf3856ad364e35_10.0.19041.1_none_bf34d9e8ad779122\SpeechDiagnostic.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_dual_prnms007.inf_31bf3856ad364e35_10.0.19041.1_none_70cec824c55a4876\Amd64\MSPWGR.xml smnss.exe File opened for modification C:\Windows\WinSxS\amd64_dual_prnms014.inf_31bf3856ad364e35_10.0.19041.1_none_f62257f573c699e2\Amd64\MSMPS.xml smnss.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctfmen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smnss.exe -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4136 smnss.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4720 wrote to memory of 3652 4720 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe 84 PID 4720 wrote to memory of 3652 4720 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe 84 PID 4720 wrote to memory of 3652 4720 5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe 84 PID 3652 wrote to memory of 4136 3652 ctfmen.exe 85 PID 3652 wrote to memory of 4136 3652 ctfmen.exe 85 PID 3652 wrote to memory of 4136 3652 ctfmen.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe"C:\Users\Admin\AppData\Local\Temp\5f81ec170d15e9941ee1c047592fd9e938d26b043b566bc38a733ffaa4887c42N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4136
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD52046a082a2ad3694d30ff642f4579519
SHA15323d6bea184082a0600043e28e98ea942f6d6da
SHA2566aa1edbfc87023c05c0c41d83c834ccd1af52a06026173a1c116db8538700bbe
SHA5122bfc80b7a78dbd0c1e2108efd5fbb4ac03bf0dcdfa0fe676e49f25226735f4ecc578033b75a980c2452d9740dc6a2af7b6d79ea6faaccbafdd4746e3017237c1
-
Filesize
119KB
MD512319e50e0f0a2167aaec490f11c8018
SHA105c9f1a55c68f5bdae44dbdc1512ef870f57cee4
SHA25690a34bb4e51acd7de34fd1e9eaf3443a5c868f22ba44706b572f4eae6cd3d01a
SHA512520d1e1f901669a53916f226c657823a0d34868092cbddcaac9150d14616fa05245fa7aa7397fd564fdfcff45834edcb4fffe4b37d963fbdea9db6ca19808b01
-
Filesize
183B
MD58d9af7c45b0e474443d169e388620deb
SHA1f58e564cfb122553943e3cbf23eae23df3d0f056
SHA256c6c36e3ab33460a4f27ee692dc8173d08f75c93c0116b388d4bc7abe16006fdf
SHA51296e279cd9be4524fd311f49676e2cc2c52453bd1236b362fb058e11ac35cb274f447fd87cc882272b28272a3f4473e2598833259eaa7589a9934576dac53bac6
-
Filesize
8KB
MD57b0d794ce17184009b7cf18016d2f0f8
SHA149849e4ecc3694a5fda2d803812c348602ff2d6b
SHA256434e0afec071bb55809afb7d0ca8e71f04649f2f2563813b0e3732ba1e79920e
SHA51253d4731dcefa9a4f7d00ed69efcaae67f6b9791939473235a5f2bd4805d49c8488e1b6bb4737bf28db500b593c2ed7bf8c8e97a56c6071bce4c27b9e6d7dff9f