rms | 90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smss.exe
Size

9.4MB
MD5

6fde344165a369c3586a68317279247c
SHA1

e39b5038f44757a7049c4ebabbd6f62deb280796
SHA256

90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4
SHA512

880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a
SSDEEP

196608:uQmw1JCIvqD9gd1lqFxsPE41SfWj+gzjt5s9di7aH6CcvG:uQr9qFxOE41+Wj5zjLs9U7aaRvG

Score

10^/10

rms discovery evasion lateral_movement persistence privilege_escalation rat themida trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

smss.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ smss.exe
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

net1.exenet.execmd.exe

pid process

2252 net1.exe
2416 net.exe
812 cmd.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1588 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	smss.exe

pid	process
2252	net1.exe
2416	net.exe
812	cmd.exe

pid	process
1588	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

RDPWinst.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	smss.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winserv.exewinserv.exewinserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 5 IoCs

Processes:

winserv.exewinserv.exeRDPWinst.exewinserv.exewinserv.exe

pid process

2952 winserv.exe
2676 winserv.exe
2064 RDPWinst.exe
2860 winserv.exe
2872 winserv.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

896

pid	process
896

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3012-0-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-2-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-3-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-5-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-4-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-6-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-7-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-8-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-9-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-25-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-33-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-53-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-73-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida
behavioral1/memory/3012-86-0x000000013FB80000-0x0000000140BB3000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

smss.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA smss.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

flow	ioc
10	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/3012-3-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe
behavioral1/memory/3012-5-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe
behavioral1/memory/3012-4-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe
behavioral1/memory/3012-6-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe
behavioral1/memory/3012-7-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe
behavioral1/memory/3012-8-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe
behavioral1/memory/3012-9-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe
behavioral1/memory/3012-25-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe
behavioral1/memory/3012-33-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe
behavioral1/memory/3012-53-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe
behavioral1/memory/3012-73-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe
behavioral1/memory/3012-86-0x000000013FB80000-0x0000000140BB3000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

smss.exe

pid process

3012 smss.exe

Drops file in Program Files directory 4 IoCs

Processes:

RDPWinst.exesmss.exe

description	ioc	process
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	C:\Program Files\RDP Wrapper	smss.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winserv.exewinserv.exewinserv.exeRDPWinst.exewinserv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2140 timeout.exe

pid	process
2140	timeout.exe

Modifies registry class 3 IoCs

Processes:

smss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	smss.exe

NTFS ADS 1 IoCs

Processes:

smss.exe

description ioc process

File opened for modification C:\ProgramData\Setup\winmgmts:\ smss.exe
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2760 schtasks.exe
2836 schtasks.exe

description	ioc	process
File opened for modification	C:\ProgramData\Setup\winmgmts:\	smss.exe

pid	process
2760	schtasks.exe
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

smss.exewinserv.exewinserv.exewinserv.exewinserv.exe

pid	process
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
2952	winserv.exe
2952	winserv.exe
2952	winserv.exe
2952	winserv.exe
2952	winserv.exe
2676	winserv.exe
2676	winserv.exe
2676	winserv.exe
2676	winserv.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
3012	smss.exe
2860	winserv.exe
2860	winserv.exe
2860	winserv.exe
2860	winserv.exe
2872	winserv.exe
2872	winserv.exe
2872	winserv.exe
2872	winserv.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

896
896
896
896
896

pid	process
896
896
896
896
896

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

winserv.exewinserv.exeRDPWinst.exe

description	pid	process
Token: SeDebugPrivilege	2952	winserv.exe
Token: SeTakeOwnershipPrivilege	2676	winserv.exe
Token: SeTcbPrivilege	2676	winserv.exe
Token: SeTcbPrivilege	2676	winserv.exe
Token: SeDebugPrivilege	2064	RDPWinst.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

winserv.exewinserv.exewinserv.exewinserv.exe

pid	process
2952	winserv.exe
2952	winserv.exe
2952	winserv.exe
2952	winserv.exe
2676	winserv.exe
2676	winserv.exe
2676	winserv.exe
2676	winserv.exe
2860	winserv.exe
2860	winserv.exe
2860	winserv.exe
2860	winserv.exe
2872	winserv.exe
2872	winserv.exe
2872	winserv.exe
2872	winserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

smss.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.exenet.exe

description	pid	process	target process
PID 3012 wrote to memory of 2760	3012	smss.exe	schtasks.exe
PID 3012 wrote to memory of 2760	3012	smss.exe	schtasks.exe
PID 3012 wrote to memory of 2760	3012	smss.exe	schtasks.exe
PID 3012 wrote to memory of 2836	3012	smss.exe	schtasks.exe
PID 3012 wrote to memory of 2836	3012	smss.exe	schtasks.exe
PID 3012 wrote to memory of 2836	3012	smss.exe	schtasks.exe
PID 3012 wrote to memory of 2952	3012	smss.exe	winserv.exe
PID 3012 wrote to memory of 2952	3012	smss.exe	winserv.exe
PID 3012 wrote to memory of 2952	3012	smss.exe	winserv.exe
PID 3012 wrote to memory of 2952	3012	smss.exe	winserv.exe
PID 3012 wrote to memory of 2896	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 2896	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 2896	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 2480	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 2480	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 2480	3012	smss.exe	cmd.exe
PID 2896 wrote to memory of 2312	2896	cmd.exe	net.exe
PID 2896 wrote to memory of 2312	2896	cmd.exe	net.exe
PID 2896 wrote to memory of 2312	2896	cmd.exe	net.exe
PID 2312 wrote to memory of 616	2312	net.exe	net1.exe
PID 2312 wrote to memory of 616	2312	net.exe	net1.exe
PID 2312 wrote to memory of 616	2312	net.exe	net1.exe
PID 3012 wrote to memory of 1972	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 1972	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 1972	3012	smss.exe	cmd.exe
PID 2480 wrote to memory of 1080	2480	cmd.exe	net.exe
PID 2480 wrote to memory of 1080	2480	cmd.exe	net.exe
PID 2480 wrote to memory of 1080	2480	cmd.exe	net.exe
PID 1080 wrote to memory of 2892	1080	net.exe	net1.exe
PID 1080 wrote to memory of 2892	1080	net.exe	net1.exe
PID 1080 wrote to memory of 2892	1080	net.exe	net1.exe
PID 3012 wrote to memory of 2972	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 2972	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 2972	3012	smss.exe	cmd.exe
PID 1972 wrote to memory of 2900	1972	cmd.exe	net.exe
PID 1972 wrote to memory of 2900	1972	cmd.exe	net.exe
PID 1972 wrote to memory of 2900	1972	cmd.exe	net.exe
PID 2900 wrote to memory of 2600	2900	net.exe	net1.exe
PID 2900 wrote to memory of 2600	2900	net.exe	net1.exe
PID 2900 wrote to memory of 2600	2900	net.exe	net1.exe
PID 2972 wrote to memory of 2968	2972	cmd.exe	net.exe
PID 2972 wrote to memory of 2968	2972	cmd.exe	net.exe
PID 2972 wrote to memory of 2968	2972	cmd.exe	net.exe
PID 2968 wrote to memory of 1976	2968	net.exe	net1.exe
PID 2968 wrote to memory of 1976	2968	net.exe	net1.exe
PID 2968 wrote to memory of 1976	2968	net.exe	net1.exe
PID 3012 wrote to memory of 960	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 960	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 960	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 2996	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 2996	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 2996	3012	smss.exe	cmd.exe
PID 960 wrote to memory of 2708	960	cmd.exe	net.exe
PID 960 wrote to memory of 2708	960	cmd.exe	net.exe
PID 960 wrote to memory of 2708	960	cmd.exe	net.exe
PID 2996 wrote to memory of 1668	2996	cmd.exe	net.exe
PID 2996 wrote to memory of 1668	2996	cmd.exe	net.exe
PID 2996 wrote to memory of 1668	2996	cmd.exe	net.exe
PID 3012 wrote to memory of 812	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 812	3012	smss.exe	cmd.exe
PID 3012 wrote to memory of 812	3012	smss.exe	cmd.exe
PID 1668 wrote to memory of 436	1668	net.exe	net1.exe
PID 1668 wrote to memory of 436	1668	net.exe	net1.exe
PID 1668 wrote to memory of 436	1668	net.exe	net1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2760
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2836
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2952
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\net.exe
    net user John 12345 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user John 12345 /add
      4⤵
      PID:616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\system32\net.exe
    net localgroup "Администраторы" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Администраторы" John /add
      4⤵
      PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного рабочего стола" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
      4⤵
      PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного управления" john /add" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
      4⤵
      PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\system32\net.exe
    net localgroup "Administrators" John /add
    3⤵
    PID:2708
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Administrators" John /add
      4⤵
      PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\net.exe
    net localgroup "Administradores" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Administradores" John /add
      4⤵
      PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:812
- - C:\Windows\system32\net.exe
    net localgroup "Remote Desktop Users" john /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      PID:2252
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1588
- C:\Windows\system32\cmd.exe
  cmd /c C:\Programdata\Install\del.bat
  2⤵
  PID:1868
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:2140

C:\Windows\system32\taskeng.exe
taskeng.exe {2C4BE30F-244F-4C59-9A39-5559A8AEC9B3} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
1⤵
PID:2760
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2860
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
bc909d39981af556d07dc67178f61472

SHA1
a4e5b1c5bc746435a5baf11b728e83fb8e654da0

SHA256
10cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8

SHA512
acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
10.2MB

MD5
3f4f5a6cb95047fea6102bd7d2226aa9

SHA1
fc09dd898b6e7ff546e4a7517a715928fbafc297

SHA256
99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98

SHA512
de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6829.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/2064-49-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2676-72-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2676-51-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2676-92-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2676-27-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2860-91-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2860-90-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2872-100-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2952-22-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2952-26-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3012-5-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-0-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-9-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-3-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-33-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-53-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-2-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-4-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-73-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-1-0x0000000076E50000-0x0000000076E52000-memory.dmp

Filesize
8KB

Download
memory/3012-86-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-6-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-7-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-25-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download
memory/3012-8-0x000000013FB80000-0x0000000140BB3000-memory.dmp

Filesize
16.2MB

Download