Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
26-08-2024 17:39
Behavioral task
behavioral1
Sample
smss.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
smss.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
smss.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
smss.exe
Resource
win11-20240802-en
General
-
Target
smss.exe
-
Size
9.4MB
-
MD5
6fde344165a369c3586a68317279247c
-
SHA1
e39b5038f44757a7049c4ebabbd6f62deb280796
-
SHA256
90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4
-
SHA512
880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a
-
SSDEEP
196608:uQmw1JCIvqD9gd1lqFxsPE41SfWj+gzjt5s9di7aH6CcvG:uQr9qFxOE41+Wj5zjLs9U7aaRvG
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
smss.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ smss.exe -
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
Processes:
cmd.exenet1.exenet.exepid process 2036 cmd.exe 1264 net1.exe 2284 net.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 1564 netsh.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
Processes:
RDPWinst.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" RDPWinst.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
smss.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion smss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion smss.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
winserv.exewinserv.exewinserv.exewinserv.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation winserv.exe Key value queried \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation winserv.exe Key value queried \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation winserv.exe Key value queried \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation winserv.exe -
Executes dropped EXE 6 IoCs
Processes:
winserv.exewinserv.exewinserv.exeRDPWinst.exewinserv.exewinserv.exepid process 2672 winserv.exe 840 winserv.exe 1768 winserv.exe 1248 RDPWinst.exe 2348 winserv.exe 1776 winserv.exe -
Loads dropped DLL 1 IoCs
Processes:
pid process 1816 -
Processes:
resource yara_rule behavioral1/memory/708-0-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-4-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-2-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-5-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-3-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-6-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-8-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-9-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-7-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-23-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-37-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-56-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-76-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida behavioral1/memory/708-89-0x000000013F6C0000-0x00000001406F3000-memory.dmp themida -
Processes:
smss.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA smss.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 ip-api.com -
Modifies WinLogon 2 TTPs 1 IoCs
Processes:
RDPWinst.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RDPWinst.exe -
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/708-4-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe behavioral1/memory/708-5-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe behavioral1/memory/708-3-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe behavioral1/memory/708-6-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe behavioral1/memory/708-8-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe behavioral1/memory/708-9-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe behavioral1/memory/708-7-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe behavioral1/memory/708-23-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe behavioral1/memory/708-37-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe behavioral1/memory/708-56-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe behavioral1/memory/708-76-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe behavioral1/memory/708-89-0x000000013F6C0000-0x00000001406F3000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
smss.exepid process 708 smss.exe -
Drops file in Program Files directory 4 IoCs
Processes:
smss.exeRDPWinst.exedescription ioc process File opened for modification C:\Program Files\RDP Wrapper smss.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini smss.exe File created C:\Program Files\RDP Wrapper\rdpwrap.ini RDPWinst.exe File created C:\Program Files\RDP Wrapper\rdpwrap.dll RDPWinst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RDPWinst.exewinserv.exewinserv.exewinserv.exewinserv.exewinserv.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RDPWinst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
smss.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 smss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString smss.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2752 timeout.exe -
Modifies registry class 3 IoCs
Processes:
smss.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage smss.exe -
NTFS ADS 1 IoCs
Processes:
smss.exedescription ioc process File opened for modification C:\ProgramData\Setup\winmgmts:\ smss.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2844 schtasks.exe 2796 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
smss.exewinserv.exewinserv.exewinserv.exewinserv.exewinserv.exepid process 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 2672 winserv.exe 2672 winserv.exe 2672 winserv.exe 2672 winserv.exe 2672 winserv.exe 840 winserv.exe 840 winserv.exe 840 winserv.exe 840 winserv.exe 1768 winserv.exe 1768 winserv.exe 1768 winserv.exe 1768 winserv.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 708 smss.exe 2348 winserv.exe 2348 winserv.exe 2348 winserv.exe 2348 winserv.exe 1776 winserv.exe 1776 winserv.exe 1776 winserv.exe 1776 winserv.exe -
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
pid process 1816 1816 1816 1816 1816 -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
winserv.exewinserv.exeRDPWinst.exedescription pid process Token: SeDebugPrivilege 2672 winserv.exe Token: SeTakeOwnershipPrivilege 840 winserv.exe Token: SeTcbPrivilege 840 winserv.exe Token: SeTcbPrivilege 840 winserv.exe Token: SeDebugPrivilege 1248 RDPWinst.exe -
Suspicious use of SetWindowsHookEx 20 IoCs
Processes:
winserv.exewinserv.exewinserv.exewinserv.exewinserv.exepid process 2672 winserv.exe 2672 winserv.exe 2672 winserv.exe 2672 winserv.exe 840 winserv.exe 840 winserv.exe 840 winserv.exe 840 winserv.exe 1768 winserv.exe 1768 winserv.exe 1768 winserv.exe 1768 winserv.exe 2348 winserv.exe 2348 winserv.exe 2348 winserv.exe 2348 winserv.exe 1776 winserv.exe 1776 winserv.exe 1776 winserv.exe 1776 winserv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
smss.exetaskeng.execmd.execmd.exenet.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exedescription pid process target process PID 708 wrote to memory of 2844 708 smss.exe schtasks.exe PID 708 wrote to memory of 2844 708 smss.exe schtasks.exe PID 708 wrote to memory of 2844 708 smss.exe schtasks.exe PID 708 wrote to memory of 2796 708 smss.exe schtasks.exe PID 708 wrote to memory of 2796 708 smss.exe schtasks.exe PID 708 wrote to memory of 2796 708 smss.exe schtasks.exe PID 708 wrote to memory of 2672 708 smss.exe winserv.exe PID 708 wrote to memory of 2672 708 smss.exe winserv.exe PID 708 wrote to memory of 2672 708 smss.exe winserv.exe PID 708 wrote to memory of 2672 708 smss.exe winserv.exe PID 2188 wrote to memory of 1768 2188 taskeng.exe winserv.exe PID 2188 wrote to memory of 1768 2188 taskeng.exe winserv.exe PID 2188 wrote to memory of 1768 2188 taskeng.exe winserv.exe PID 2188 wrote to memory of 1768 2188 taskeng.exe winserv.exe PID 708 wrote to memory of 1636 708 smss.exe cmd.exe PID 708 wrote to memory of 1636 708 smss.exe cmd.exe PID 708 wrote to memory of 1636 708 smss.exe cmd.exe PID 708 wrote to memory of 2968 708 smss.exe cmd.exe PID 708 wrote to memory of 2968 708 smss.exe cmd.exe PID 708 wrote to memory of 2968 708 smss.exe cmd.exe PID 2968 wrote to memory of 2608 2968 cmd.exe net.exe PID 2968 wrote to memory of 2608 2968 cmd.exe net.exe PID 2968 wrote to memory of 2608 2968 cmd.exe net.exe PID 1636 wrote to memory of 2712 1636 cmd.exe net.exe PID 1636 wrote to memory of 2712 1636 cmd.exe net.exe PID 1636 wrote to memory of 2712 1636 cmd.exe net.exe PID 708 wrote to memory of 2916 708 smss.exe cmd.exe PID 708 wrote to memory of 2916 708 smss.exe cmd.exe PID 708 wrote to memory of 2916 708 smss.exe cmd.exe PID 2712 wrote to memory of 2820 2712 net.exe net1.exe PID 2712 wrote to memory of 2820 2712 net.exe net1.exe PID 2712 wrote to memory of 2820 2712 net.exe net1.exe PID 2608 wrote to memory of 2876 2608 net.exe net1.exe PID 2608 wrote to memory of 2876 2608 net.exe net1.exe PID 2608 wrote to memory of 2876 2608 net.exe net1.exe PID 2916 wrote to memory of 2304 2916 cmd.exe net.exe PID 2916 wrote to memory of 2304 2916 cmd.exe net.exe PID 2916 wrote to memory of 2304 2916 cmd.exe net.exe PID 708 wrote to memory of 1196 708 smss.exe cmd.exe PID 708 wrote to memory of 1196 708 smss.exe cmd.exe PID 708 wrote to memory of 1196 708 smss.exe cmd.exe PID 2304 wrote to memory of 1348 2304 net.exe net1.exe PID 2304 wrote to memory of 1348 2304 net.exe net1.exe PID 2304 wrote to memory of 1348 2304 net.exe net1.exe PID 1196 wrote to memory of 1996 1196 cmd.exe net.exe PID 1196 wrote to memory of 1996 1196 cmd.exe net.exe PID 1196 wrote to memory of 1996 1196 cmd.exe net.exe PID 1996 wrote to memory of 1712 1996 net.exe net1.exe PID 1996 wrote to memory of 1712 1996 net.exe net1.exe PID 1996 wrote to memory of 1712 1996 net.exe net1.exe PID 708 wrote to memory of 2508 708 smss.exe cmd.exe PID 708 wrote to memory of 2508 708 smss.exe cmd.exe PID 708 wrote to memory of 2508 708 smss.exe cmd.exe PID 708 wrote to memory of 2012 708 smss.exe cmd.exe PID 708 wrote to memory of 2012 708 smss.exe cmd.exe PID 708 wrote to memory of 2012 708 smss.exe cmd.exe PID 2508 wrote to memory of 2004 2508 cmd.exe net.exe PID 2508 wrote to memory of 2004 2508 cmd.exe net.exe PID 2508 wrote to memory of 2004 2508 cmd.exe net.exe PID 2004 wrote to memory of 944 2004 net.exe net1.exe PID 2004 wrote to memory of 944 2004 net.exe net1.exe PID 2004 wrote to memory of 944 2004 net.exe net1.exe PID 708 wrote to memory of 2036 708 smss.exe cmd.exe PID 708 wrote to memory of 2036 708 smss.exe cmd.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:2844
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:2796
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2672 -
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" -second3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net user John 12345 /add2⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\system32\net.exenet user John 12345 /add3⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user John 12345 /add4⤵PID:2820
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\system32\net.exenet localgroup "Администраторы" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" John /add4⤵PID:2876
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add4⤵PID:1348
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного управления" john /add" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add4⤵PID:1712
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\system32\net.exenet localgroup "Administrators" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add4⤵PID:944
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add2⤵PID:2012
-
C:\Windows\system32\net.exenet localgroup "Administradores" John /add3⤵PID:2192
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add4⤵PID:2440
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add2⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:2036 -
C:\Windows\system32\net.exenet localgroup "Remote Desktop Users" john /add3⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:2284 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add4⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:1264
-
-
-
-
C:\ProgramData\RDPWinst.exeC:\ProgramData\RDPWinst.exe -i2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1248 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1564
-
-
-
C:\Windows\system32\cmd.execmd /c C:\Programdata\Install\del.bat2⤵PID:2852
-
C:\Windows\system32\timeout.exetimeout 53⤵
- Delays execution with timeout.exe
PID:2752
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {65D5B62C-D9BD-4E58-909E-1E8AF010788E} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1768
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2348
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1776
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
315B
MD5155557517f00f2afc5400ba9dc25308e
SHA177a53a8ae146cf1ade1c9d55bbd862cbeb6db940
SHA256f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e
SHA51240baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32
-
Filesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
Filesize
2KB
MD5bc909d39981af556d07dc67178f61472
SHA1a4e5b1c5bc746435a5baf11b728e83fb8e654da0
SHA25610cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8
SHA512acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a
-
Filesize
10.2MB
MD53f4f5a6cb95047fea6102bd7d2226aa9
SHA1fc09dd898b6e7ff546e4a7517a715928fbafc297
SHA25699fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98
SHA512de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26