smss.exe
- File Path:
C:\Windows\system32\smss.exe - Description: Windows Session Manager
Hashes
| Type | Hash |
|---|---|
| MD5 | 38E6700BAA0E5484D2E00EC980FDD2E0 |
| SHA1 | 5B61A25931437D4210EE3CBC8AE3A337B62F3DF0 |
| SHA256 | B6E357B520478920810317B363AA539595D386BC5EF3D5CF9581F325026BA397 |
| SHA384 | 80CCDF399DCDE005009AAF4F5FD63EF4963A4AD1C67A8079AD3C2966AD92C9DDD71C9B02B4821700D36F57C62D4432BC |
| SHA512 | 780736F49EF9E7435BAF413BE740DFBD5C6056FAE70B3C8B1FC785892F41C9158128019FBCC00C9AD432243109D7A864DB90C47AFC9BCA72CE5083A021E1190E |
| SSDEEP | 3072:hFDGXDoqgsEKeBLbwZcfTEs20a26E8FjQp0Bf3:LDGU6ElIGapLFjQpm |
| IMP | BC32B6662261DE8469D6EB034C62A6A5 |
| PESHA1 | 6BA4AA9F3CA9C60F4E388358407B0CF02482E1F5 |
| PE256 | 3D8174FB4AEEF8D671711BBDE18A299500CDE763688739AB82EAA4D4D0B025F7 |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: smss.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/70
- VirusTotal Link: https://www.virustotal.com/gui/file/b6e357b520478920810317b363aa539595d386bc5ef3d5cf9581f325026ba397/detection/
Possible Misuse
The following table contains possible examples of smss.exe being misused. While smss.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_creation_system_file.yml | - '\smss.exe' |
DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\smss.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_use_of_sqltoolsps_bin.yml | ParentImage\|endswith: '\smss.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_use_of_sqltoolsps_bin.yml | - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action. |
DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\smss.exe' |
DRL 1.0 |
| malware-ioc | nukesped_lazarus | .smss.exe``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| signature-base | generic_anomalies.yar | description = “Detects uncommon file size of smss.exe” | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | and filename == “smss.exe” | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.