rms | 90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smss.exe
Size

9.4MB
MD5

6fde344165a369c3586a68317279247c
SHA1

e39b5038f44757a7049c4ebabbd6f62deb280796
SHA256

90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4
SHA512

880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a
SSDEEP

196608:uQmw1JCIvqD9gd1lqFxsPE41SfWj+gzjt5s9di7aH6CcvG:uQr9qFxOE41+Wj5zjLs9U7aaRvG

Score

10^/10

rms discovery evasion lateral_movement persistence privilege_escalation rat themida trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

smss.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ smss.exe
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

cmd.exenet1.exenet.exe

pid process

4432 cmd.exe
816 net1.exe
1084 net.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4848 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	smss.exe

pid	process
4432	cmd.exe
816	net1.exe
1084	net.exe

pid	process
4848	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

RDPWinst.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	smss.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winserv.exewinserv.exesmss.exewinserv.exewinserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 6 IoCs

Processes:

winserv.exewinserv.exewinserv.exeRDPWinst.exewinserv.exewinserv.exe

pid process

2324 winserv.exe
544 winserv.exe
4804 winserv.exe
1664 RDPWinst.exe
1668 winserv.exe
2788 winserv.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

2492 svchost.exe

pid	process
2492	svchost.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral3/memory/4284-0-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-2-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-3-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-4-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-5-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-6-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-7-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-8-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-9-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-31-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-34-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-55-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida
behavioral3/memory/4284-64-0x00007FF713500000-0x00007FF714533000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

smss.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA smss.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

flow	ioc
31	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral3/memory/4284-3-0x00007FF713500000-0x00007FF714533000-memory.dmp	autoit_exe
behavioral3/memory/4284-4-0x00007FF713500000-0x00007FF714533000-memory.dmp	autoit_exe
behavioral3/memory/4284-5-0x00007FF713500000-0x00007FF714533000-memory.dmp	autoit_exe
behavioral3/memory/4284-6-0x00007FF713500000-0x00007FF714533000-memory.dmp	autoit_exe
behavioral3/memory/4284-7-0x00007FF713500000-0x00007FF714533000-memory.dmp	autoit_exe
behavioral3/memory/4284-8-0x00007FF713500000-0x00007FF714533000-memory.dmp	autoit_exe
behavioral3/memory/4284-9-0x00007FF713500000-0x00007FF714533000-memory.dmp	autoit_exe
behavioral3/memory/4284-31-0x00007FF713500000-0x00007FF714533000-memory.dmp	autoit_exe
behavioral3/memory/4284-34-0x00007FF713500000-0x00007FF714533000-memory.dmp	autoit_exe
behavioral3/memory/4284-55-0x00007FF713500000-0x00007FF714533000-memory.dmp	autoit_exe
behavioral3/memory/4284-64-0x00007FF713500000-0x00007FF714533000-memory.dmp	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

RDPWinst.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll RDPWinst.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

smss.exe

pid process

4284 smss.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	RDPWinst.exe

Drops file in Program Files directory 5 IoCs

Processes:

smss.exeRDPWinst.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files\RDP Wrapper	smss.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	smss.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	\??\c:\program files\rdp wrapper\rdpwrap.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winserv.exewinserv.exewinserv.exewinserv.exeRDPWinst.exewinserv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

872 timeout.exe

pid	process
872	timeout.exe

Modifies registry class 3 IoCs

Processes:

smss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\MIME\Database	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	smss.exe

NTFS ADS 1 IoCs

Processes:

smss.exe

description ioc process

File opened for modification C:\ProgramData\Setup\winmgmts:\ smss.exe
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4276 schtasks.exe
384 schtasks.exe

description	ioc	process
File opened for modification	C:\ProgramData\Setup\winmgmts:\	smss.exe

pid	process
4276	schtasks.exe
384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

smss.exewinserv.exewinserv.exewinserv.exesvchost.exe

pid	process
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
2324	winserv.exe
2324	winserv.exe
2324	winserv.exe
2324	winserv.exe
2324	winserv.exe
2324	winserv.exe
544	winserv.exe
544	winserv.exe
544	winserv.exe
544	winserv.exe
4804	winserv.exe
4804	winserv.exe
4804	winserv.exe
4804	winserv.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe
4284	smss.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
660

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

winserv.exewinserv.exeRDPWinst.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2324	winserv.exe
Token: SeTakeOwnershipPrivilege	544	winserv.exe
Token: SeTcbPrivilege	544	winserv.exe
Token: SeTcbPrivilege	544	winserv.exe
Token: SeDebugPrivilege	1664	RDPWinst.exe
Token: SeAuditPrivilege	2492	svchost.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

winserv.exewinserv.exewinserv.exewinserv.exewinserv.exe

pid	process
2324	winserv.exe
2324	winserv.exe
2324	winserv.exe
2324	winserv.exe
544	winserv.exe
544	winserv.exe
544	winserv.exe
544	winserv.exe
4804	winserv.exe
4804	winserv.exe
4804	winserv.exe
4804	winserv.exe
1668	winserv.exe
1668	winserv.exe
1668	winserv.exe
1668	winserv.exe
2788	winserv.exe
2788	winserv.exe
2788	winserv.exe
2788	winserv.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

smss.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exeRDPWinst.execmd.exe

description	pid	process	target process
PID 4284 wrote to memory of 4276	4284	smss.exe	schtasks.exe
PID 4284 wrote to memory of 4276	4284	smss.exe	schtasks.exe
PID 4284 wrote to memory of 384	4284	smss.exe	schtasks.exe
PID 4284 wrote to memory of 384	4284	smss.exe	schtasks.exe
PID 4284 wrote to memory of 2324	4284	smss.exe	winserv.exe
PID 4284 wrote to memory of 2324	4284	smss.exe	winserv.exe
PID 4284 wrote to memory of 2324	4284	smss.exe	winserv.exe
PID 4284 wrote to memory of 2596	4284	smss.exe	cmd.exe
PID 4284 wrote to memory of 2596	4284	smss.exe	cmd.exe
PID 2596 wrote to memory of 5004	2596	cmd.exe	net.exe
PID 2596 wrote to memory of 5004	2596	cmd.exe	net.exe
PID 5004 wrote to memory of 3832	5004	net.exe	net1.exe
PID 5004 wrote to memory of 3832	5004	net.exe	net1.exe
PID 4284 wrote to memory of 2444	4284	smss.exe	cmd.exe
PID 4284 wrote to memory of 2444	4284	smss.exe	cmd.exe
PID 2444 wrote to memory of 2624	2444	cmd.exe	net.exe
PID 2444 wrote to memory of 2624	2444	cmd.exe	net.exe
PID 2624 wrote to memory of 984	2624	net.exe	net1.exe
PID 2624 wrote to memory of 984	2624	net.exe	net1.exe
PID 4284 wrote to memory of 5056	4284	smss.exe	cmd.exe
PID 4284 wrote to memory of 5056	4284	smss.exe	cmd.exe
PID 5056 wrote to memory of 1556	5056	cmd.exe	net.exe
PID 5056 wrote to memory of 1556	5056	cmd.exe	net.exe
PID 1556 wrote to memory of 1756	1556	net.exe	net1.exe
PID 1556 wrote to memory of 1756	1556	net.exe	net1.exe
PID 4284 wrote to memory of 3680	4284	smss.exe	cmd.exe
PID 4284 wrote to memory of 3680	4284	smss.exe	cmd.exe
PID 3680 wrote to memory of 972	3680	cmd.exe	backgroundTaskHost.exe
PID 3680 wrote to memory of 972	3680	cmd.exe	backgroundTaskHost.exe
PID 972 wrote to memory of 5116	972	net.exe	net1.exe
PID 972 wrote to memory of 5116	972	net.exe	net1.exe
PID 4284 wrote to memory of 4460	4284	smss.exe	cmd.exe
PID 4284 wrote to memory of 4460	4284	smss.exe	cmd.exe
PID 4460 wrote to memory of 3436	4460	cmd.exe	net.exe
PID 4460 wrote to memory of 3436	4460	cmd.exe	net.exe
PID 3436 wrote to memory of 4544	3436	net.exe	net1.exe
PID 3436 wrote to memory of 4544	3436	net.exe	net1.exe
PID 4284 wrote to memory of 1480	4284	smss.exe	cmd.exe
PID 4284 wrote to memory of 1480	4284	smss.exe	cmd.exe
PID 1480 wrote to memory of 3200	1480	cmd.exe	net.exe
PID 1480 wrote to memory of 3200	1480	cmd.exe	net.exe
PID 3200 wrote to memory of 3080	3200	net.exe	net1.exe
PID 3200 wrote to memory of 3080	3200	net.exe	net1.exe
PID 4284 wrote to memory of 4432	4284	smss.exe	cmd.exe
PID 4284 wrote to memory of 4432	4284	smss.exe	cmd.exe
PID 4432 wrote to memory of 1084	4432	cmd.exe	net.exe
PID 4432 wrote to memory of 1084	4432	cmd.exe	net.exe
PID 1084 wrote to memory of 816	1084	net.exe	net1.exe
PID 1084 wrote to memory of 816	1084	net.exe	net1.exe
PID 4284 wrote to memory of 1664	4284	smss.exe	RDPWinst.exe
PID 4284 wrote to memory of 1664	4284	smss.exe	RDPWinst.exe
PID 4284 wrote to memory of 1664	4284	smss.exe	RDPWinst.exe
PID 1664 wrote to memory of 4848	1664	RDPWinst.exe	netsh.exe
PID 1664 wrote to memory of 4848	1664	RDPWinst.exe	netsh.exe
PID 4284 wrote to memory of 3856	4284	smss.exe	cmd.exe
PID 4284 wrote to memory of 3856	4284	smss.exe	cmd.exe
PID 3856 wrote to memory of 872	3856	cmd.exe	timeout.exe
PID 3856 wrote to memory of 872	3856	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4276
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:384
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2324
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\system32\net.exe
    net user John 12345 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user John 12345 /add
      4⤵
      PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system32\net.exe
    net localgroup "Администраторы" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Администраторы" John /add
      4⤵
      PID:984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного рабочего стола" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
      4⤵
      PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного управления" john /add" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
      4⤵
      PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\system32\net.exe
    net localgroup "Administrators" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Administrators" John /add
      4⤵
      PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\system32\net.exe
    net localgroup "Administradores" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Administradores" John /add
      4⤵
      PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\system32\net.exe
    net localgroup "Remote Desktop Users" john /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      PID:816
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SYSTEM32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:872

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:972

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1668

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
bc909d39981af556d07dc67178f61472

SHA1
a4e5b1c5bc746435a5baf11b728e83fb8e654da0

SHA256
10cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8

SHA512
acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
10.2MB

MD5
3f4f5a6cb95047fea6102bd7d2226aa9

SHA1
fc09dd898b6e7ff546e4a7517a715928fbafc297

SHA256
99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98

SHA512
de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688

Download Submit
C:\Programdata\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/544-53-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/544-56-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/544-67-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/544-68-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/544-24-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/544-49-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1664-52-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1668-73-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2324-21-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2324-23-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2788-81-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2788-82-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4284-31-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-7-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-1-0x00007FFAC2070000-0x00007FFAC2072000-memory.dmp

Filesize
8KB

Download
memory/4284-0-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-9-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-8-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-55-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-34-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-6-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-64-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-5-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-4-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-3-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4284-2-0x00007FF713500000-0x00007FF714533000-memory.dmp

Filesize
16.2MB

Download
memory/4804-33-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download