General

  • Target

    smss.exe

  • Size

    9.4MB

  • Sample

    240826-wdevtsxbjc

  • MD5

    6fde344165a369c3586a68317279247c

  • SHA1

    e39b5038f44757a7049c4ebabbd6f62deb280796

  • SHA256

    90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4

  • SHA512

    880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a

  • SSDEEP

    196608:uQmw1JCIvqD9gd1lqFxsPE41SfWj+gzjt5s9di7aH6CcvG:uQr9qFxOE41+Wj5zjLs9U7aaRvG

Malware Config

Targets

    • Target

      smss.exe

    • Size

      9.4MB

    • MD5

      6fde344165a369c3586a68317279247c

    • SHA1

      e39b5038f44757a7049c4ebabbd6f62deb280796

    • SHA256

      90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4

    • SHA512

      880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a

    • SSDEEP

      196608:uQmw1JCIvqD9gd1lqFxsPE41SfWj+gzjt5s9di7aH6CcvG:uQr9qFxOE41+Wj5zjLs9U7aaRvG

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

    • Modifies Windows Firewall

    • Server Software Component: Terminal Services DLL

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks