smss.exe
- File Path:
C:\WINDOWS\system32\smss.exe - Description: Windows Session Manager
Hashes
| Type | Hash |
|---|---|
| MD5 | 923CD61E4956B830B3BF48A4AFEF04F9 |
| SHA1 | 608B85299AE70DB8227DC50F9A481BE466A0609F |
| SHA256 | BE09B15C760CD37CCAB1E227CF0CE829E8EFB1C88840E14ED9E48CFCEA1817AB |
| SHA384 | BA819E016D19A76B6D5F064BBDB3AF6668D5E0D3BA0E7E0E1540887C48782B96FC6AF7C13BC50712A8BD7435B1486D11 |
| SHA512 | FEC8925F26772FF4E5FABA6508EF25BAD48F5307B50B20E88A2C759094E84D1682B0061048068C5E895CD27A2F30BFA3A51522DF1AC7522DEB833C9D67571082 |
| SSDEEP | 3072:ywY6BNeNWHHnEQeT+5+7S93MLISWn2+4uc:ywneNWnnEQeN7S93Mzv |
| IMP | AAFAD421A667D68FFDF602EABF485E02 |
| PESHA1 | 9AC6A49E617260C2A5EFE883E79356D707438ED6 |
| PE256 | 92AAC82BB0B4274E89C20AF7A78268077203B69CCFCB086F638D0C31F27D6B59 |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: smss.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/be09b15c760cd37ccab1e227cf0ce829e8efb1c88840e14ed9e48cfcea1817ab/detection
Possible Misuse
The following table contains possible examples of smss.exe being misused. While smss.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_creation_system_file.yml | - '\smss.exe' |
DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\smss.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_use_of_sqltoolsps_bin.yml | ParentImage\|endswith: '\smss.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_use_of_sqltoolsps_bin.yml | - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action. |
DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\smss.exe' |
DRL 1.0 |
| malware-ioc | nukesped_lazarus | .smss.exe``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| signature-base | generic_anomalies.yar | description = “Detects uncommon file size of smss.exe” | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | and filename == “smss.exe” | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.