Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
19/01/2025, 19:04
Static task
static1
Behavioral task
behavioral1
Sample
8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe
Resource
win10v2004-20241007-en
General
-
Target
8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe
-
Size
2.3MB
-
MD5
5402a46941608bd1e81274bfda3d0a4e
-
SHA1
481fa76b077c03a3cb6c7c9487f54cf2d7d27de4
-
SHA256
8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2
-
SHA512
5d5cf8fd3b6d151e287fa2205941b44e6a2abd0d1653f1a71e5c28f6173532471cba7e0bcba7b1d47152de602e59d7da02f8c2ed9cd311b5375fe45d60c69185
-
SSDEEP
49152:88F4GBYEFMfVrt0HdZyZUKIKp9/bIA3e63wDknToN58zkfwHuVfcu5ZJFKsnfKUv:88F4GBY3dR0HHyZ9p9DIAvADkQ8gfwO7
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt smnss.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0008000000016c53-11.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 2508 ctfmen.exe 2060 smnss.exe -
Loads dropped DLL 6 IoCs
pid Process 2676 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe 2676 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe 2676 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe 2508 ctfmen.exe 2508 ctfmen.exe 2060 smnss.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe -
Enumerates connected drives 3 TTPs 19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: smnss.exe File opened (read-only) \??\T: smnss.exe File opened (read-only) \??\X: smnss.exe File opened (read-only) \??\E: smnss.exe File opened (read-only) \??\G: smnss.exe File opened (read-only) \??\H: smnss.exe File opened (read-only) \??\P: smnss.exe File opened (read-only) \??\S: smnss.exe File opened (read-only) \??\U: smnss.exe File opened (read-only) \??\V: smnss.exe File opened (read-only) \??\I: smnss.exe File opened (read-only) \??\M: smnss.exe File opened (read-only) \??\N: smnss.exe File opened (read-only) \??\O: smnss.exe File opened (read-only) \??\W: smnss.exe File opened (read-only) \??\J: smnss.exe File opened (read-only) \??\K: smnss.exe File opened (read-only) \??\Q: smnss.exe File opened (read-only) \??\R: smnss.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 smnss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 smnss.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_data_sections.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC1RWSL.XML smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5200t.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc8100t.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd6100t.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk8600t.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_parameters.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_prompts.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_While.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpap6.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_job_details.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Throw.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\Microsoft.PowerShell.Commands.Management.dll-Help.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Return.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_History.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\Microsoft.Wsman.Management.dll-Help.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssession_details.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPC3052F.XML smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc6100t.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf2200t.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\kyw7qur2.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Redirection.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_types.ps1xml.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_jobs.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_requirements.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_escape_characters.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_methods.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_hash_tables.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_cmdletbindingattribute.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Comparison_Operators.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_environment_variables.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO5H83L.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_ISE.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_execution_policies.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_jobs.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Special_Characters.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Arithmetic_Operators.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\Microsoft.PowerShell.Commands.Management.dll-Help.xml smnss.exe File opened for modification C:\Windows\SysWOW64\NdfEventView.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_requires.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_split.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_arrays.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_types.ps1xml.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_WS-Management_Cmdlets.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc350u.xml smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_scripts.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_jobs.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_job_details.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Throw.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_environment_variables.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Parsing.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_While.help.txt smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNBX4PIPELINECONFIG.XML smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO5600T.XML smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\kyw7qur8.xml smnss.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky302.inf_amd64_ja-jp_dd74fe49601b74f6\Amd64\KYW7QURY.XML smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_If.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_objects.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Windows_PowerShell_2.0.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_jobs.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_If.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_FAQ.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Redirection.help.txt smnss.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Special_Characters.help.txt smnss.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
pid Process 2676 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe 2676 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe 2060 smnss.exe 2060 smnss.exe 2060 smnss.exe 2060 smnss.exe 2060 smnss.exe 2060 smnss.exe 2060 smnss.exe 2060 smnss.exe 2060 smnss.exe 2060 smnss.exe 2060 smnss.exe 2060 smnss.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN086.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\gadget.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\gadget.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SLERROR.XML smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.XML smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\nb.txt smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\picturePuzzle.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL089.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBOXES.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml smnss.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml smnss.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml smnss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml smnss.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML smnss.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml smnss.exe File opened for modification C:\Program Files\Internet Explorer\Timeline.cpu.xml smnss.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AR.XML smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html smnss.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML smnss.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Proofing.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\ROGERS.COM.XML smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml smnss.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML smnss.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml smnss.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.TH.XML smnss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREETING.XML smnss.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt smnss.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-9.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_objects.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_jobs.help.txt smnss.exe File opened for modification C:\Windows\PLA\Reports\de-DE\Report.System.NetTrace.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnsa002.inf_31bf3856ad364e35_6.1.7600.16385_none_02a32ac8d56280f6\Amd64\smc660u.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Ref.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\Microsoft.PowerShell.Commands.Management.dll-Help.xml smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d93f349420c7d013\settings.html smnss.exe File opened for modification C:\Windows\ehome\it-IT\epgtos.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Arithmetic_Operators.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\System.Management.Automation.dll-Help.xml smnss.exe File opened for modification C:\Windows\PLA\Reports\it-IT\Report.System.Performance.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-8.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-9.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd2500t.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Switch.help.txt smnss.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1046\LocalizedData.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_6.1.7600.16385_none_f72251fe8a04e1e5\NetTrace.PLA.Diagnostics.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_objects.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_methods.help.txt smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8dcb8bb83ef0bc47\settings.html smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ba1cc5c862844f35\Report.System.Wired.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Switch.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4080c452718ce6e7\Report.System.Diagnostics.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-3.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Line_Editing.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd6100t.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_requires.help.txt smnss.exe File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.Wired.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_efb864eb1b8d487f\Rules.System.NetDiagFramework.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-7.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_script_internationalization.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_For.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\HPO3100T.XML smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fd3784c9b57cdcbf\picturePuzzle.html smnss.exe File opened for modification C:\Windows\PLA\Rules\ja-JP\Rules.System.Configuration.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-1.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_11b07c1bb446e787\Rules.System.Memory.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Command_Syntax.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_jobs.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_locations.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-dot3svc_31bf3856ad364e35_6.1.7601.17514_none_c99214378a23d63b\Report.System.Wired.xml smnss.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2260a04d0daf0ce1\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_properties.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_6.1.7600.16385_es-es_47ba3aee382d34b3\resource.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_68bfa622c568dbc2\Report.System.Common.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-13.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-iis-powershellprovider_31bf3856ad364e35_6.1.7600.16385_none_f7454d6160c30219\NavigationTypes.namespace.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_For.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_do.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-17.htm smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_prompts.help.txt smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_If.help.txt smnss.exe File opened for modification C:\Windows\diagnostics\index\SearchDiagnostic.xml smnss.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1037\LocalizedData.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\401-3.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-6.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_providers.help.txt smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_execution_policies.help.txt smnss.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ba2212be09f75c28\gadget.xml smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-2.htm smnss.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_117bd8ffb46dd92c\Rules.System.Performance.xml smnss.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Path_Syntax.help.txt smnss.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctfmen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smnss.exe -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2060 smnss.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2676 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe 2060 smnss.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2676 wrote to memory of 2508 2676 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe 30 PID 2676 wrote to memory of 2508 2676 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe 30 PID 2676 wrote to memory of 2508 2676 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe 30 PID 2676 wrote to memory of 2508 2676 8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe 30 PID 2508 wrote to memory of 2060 2508 ctfmen.exe 31 PID 2508 wrote to memory of 2060 2508 ctfmen.exe 31 PID 2508 wrote to memory of 2060 2508 ctfmen.exe 31 PID 2508 wrote to memory of 2060 2508 ctfmen.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe"C:\Users\Admin\AppData\Local\Temp\8c513119e0fa9d2bb35d1cd6ca8760158c11a2a4f81d4920f2f9b2da68acf3b2.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2060
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
183B
MD55f89c21e45b890066fc03b3639bcbf39
SHA112fb4c6c94123f47b1f223461fcc375400a7e9b1
SHA256d1ec3804c6f437d123236701623b51f3a64bc2570013e6873107c42bb4d4764d
SHA5128aa7c42c9fdca2177ea67f5a24e34d0ff71e2f35b6819f6157eaf3a51a725ad744a6d7a77c8c5266dddb3fd2bdb288e045d6c815a1cb5756b48787554f1e5ee0
-
Filesize
2.3MB
MD570b0707857bc592887ec546357901521
SHA1e8820ae1b93593d0dee8d2941d8c802735f44e26
SHA25611e843c23985126e7306637520c2d9627c7934764be169e8f465aa7ca446da74
SHA51205bf065a4aeb542af389471f3b44468641236f99cefaeeea00e92283c0018f2057b52a34d7e41b722940d95cc1691ded102e6e8b488ff8cf212b518f627a8b87
-
Filesize
4KB
MD5d11a8d5757849fd71e12606f90f57221
SHA1b80059d984a41207c3153288039b81f16c1a8167
SHA2560f20fc7fe2fe90bcb4b8a2e9f3e10b1607b59672eb85a22e024f170e8eedcca9
SHA512435d5d5bfc186b021d6a1f2474290247191501fb13973ca47468235cb6050bf10b203aae73d5a70b54ae96d353203d5464c708d88e72142c6989fbf75d612a9c
-
Filesize
8KB
MD5aebb01942f98ff44b61715c6d2415c63
SHA17df5e80fa84ae68e2393fd4cf996cc03141af85b
SHA256c6b8e4f7da623a844355469d9fbec024405a720ea58da22cb64dcd252d7aec76
SHA5124db0dd40d0edb86a897fc9be8dcda0c2081db190f8371cf35713021ae13167d37d04754d5850d9194185c8fcf58520da433297368be54335fbb1a3bf32efb5cc