Overview

overview

10

Static

static

7

smss.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    smss.exe

  • Size

    9.2MB

  • Sample

    240426-q6fpyadf4t

  • MD5

    53b92442e012db2fc2ee7dc22ee932a9

  • SHA1

    750d3f0ac227ccaa2c2a86859cffa4a2ac7cb1d1

  • SHA256

    776217117d4b2ecdb07b8a182581e4fd562c0a5785340f86100cf5c1b4eff62e

  • SHA512

    b64301d65f48f76855ad89723a933f6e25478ae3a5bcc35cbef81badd08d6dc565d41b51b46a9ab1ad750f0dfa81bffc3c4e6b3b5708f49fd937c948d674c430

  • SSDEEP

    196608:uDL2f4ARa+Yw//FpKv45ZhxE5ckWxoUPTYC39SGVy32idMfeaq6p:2L2f4ARaat64fhuWxjBE2SMfeaq6p

Score
10/10
rmsevasionpersistenceratthemidatrojan

Malware Config

Targets

    • Target

      smss.exe

    • Size

      9.2MB

    • MD5

      53b92442e012db2fc2ee7dc22ee932a9

    • SHA1

      750d3f0ac227ccaa2c2a86859cffa4a2ac7cb1d1

    • SHA256

      776217117d4b2ecdb07b8a182581e4fd562c0a5785340f86100cf5c1b4eff62e

    • SHA512

      b64301d65f48f76855ad89723a933f6e25478ae3a5bcc35cbef81badd08d6dc565d41b51b46a9ab1ad750f0dfa81bffc3c4e6b3b5708f49fd937c948d674c430

    • SSDEEP

      196608:uDL2f4ARa+Yw//FpKv45ZhxE5ckWxoUPTYC39SGVy32idMfeaq6p:2L2f4ARaat64fhuWxjBE2SMfeaq6p

    Score
    10/10
    rmsevasionpersistenceratthemidatrojan

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Sets DLL path for service in the registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks