Analysis Overview
SHA256
413f85b8ae812c7f3ba08d7ae7c79342e0dfa561d5bb1896f0f5ed1b64b129bb
Threat Level: Known bad
The file 413f85b8ae812c7f3ba08d7ae7c79342e0dfa561d5bb1896f0f5ed1b64b129bb was found to be: Known bad.
Malicious Activity Summary
RMS
Sets DLL path for service in the registry
UPX packed file
Executes dropped EXE
Modifies Windows Firewall
Allows Network login with blank passwords
Loads dropped DLL
Modifies WinLogon
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
Runs .reg file with regedit
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-13 14:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-13 14:22
Reported
2022-02-13 14:25
Platform
win7-en-20211208
Max time kernel
150s
Max time network
153s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\DREService.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\DREService.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\sys.exe | N/A |
| N/A | N/A | C:\Windows\RDPWInst.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\DREService.exe | N/A |
| N/A | N/A | C:\Windows\RDPWInst.exe | N/A |
Modifies Windows Firewall
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Allows Network login with blank passwords
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\limitblankpassworduse = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\413f85b8ae812c7f3ba08d7ae7c79342e0dfa561d5bb1896f0f5ed1b64b129bb.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\413f85b8ae812c7f3ba08d7ae7c79342e0dfa561d5bb1896f0f5ed1b64b129bb.exe | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\Windows\RDPWInst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\Windows\RDPWInst.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\Windows\RDPWInst.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\RDPCheck.exe | C:\ProgramData\DRE\sys.exe | N/A |
| File created | C:\Windows\RDPConf.exe | C:\ProgramData\DRE\sys.exe | N/A |
| File created | C:\Windows\RDPSetup.exe | C:\ProgramData\DRE\sys.exe | N/A |
| File created | C:\Windows\RDPWInst.exe | C:\ProgramData\DRE\sys.exe | N/A |
| File created | C:\Windows\run.bat | C:\ProgramData\DRE\sys.exe | N/A |
| File created | C:\Windows\run.exe | C:\ProgramData\DRE\sys.exe | N/A |
Launches sc.exe
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Windows\RDPWInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Windows\RDPWInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Windows\RDPWInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Windows\RDPWInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Windows\RDPWInst.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\DREService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\413f85b8ae812c7f3ba08d7ae7c79342e0dfa561d5bb1896f0f5ed1b64b129bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\413f85b8ae812c7f3ba08d7ae7c79342e0dfa561d5bb1896f0f5ed1b64b129bb.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\DRE\DREService.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\RDPWInst.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\DRE\sys.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\sys.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\DRE\sys.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\sys.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
| N/A | N/A | C:\ProgramData\DRE\Control.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\413f85b8ae812c7f3ba08d7ae7c79342e0dfa561d5bb1896f0f5ed1b64b129bb.exe
"C:\Users\Admin\AppData\Local\Temp\413f85b8ae812c7f3ba08d7ae7c79342e0dfa561d5bb1896f0f5ed1b64b129bb.exe"
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\ProgramData\DRE\regedit.reg"
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\ProgramData\DRE\Control.exe
C:\ProgramData\DRE\Control.exe /silentinstall
C:\ProgramData\DRE\Control.exe
C:\ProgramData\DRE\Control.exe /firewall
C:\ProgramData\DRE\Control.exe
C:\ProgramData\DRE\Control.exe /start
C:\ProgramData\DRE\Control.exe
C:\ProgramData\DRE\Control.exe
C:\ProgramData\DRE\DREService.exe
C:\ProgramData\DRE\DREService.exe
C:\ProgramData\DRE\DREService.exe
C:\ProgramData\DRE\DREService.exe /tray
C:\ProgramData\DRE\sys.exe
C:\ProgramData\DRE\sys.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows/run.bat
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v limitblankpassworduse /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Windows\RDPWInst.exe
"RDPWInst.exe" -i -o
C:\ProgramData\DRE\DREService.exe
C:\ProgramData\DRE\DREService.exe /tray
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\Windows\RDPWInst.exe
"RDPWInst.exe" -w
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\ProgramData\DRE\service.bat
C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions=restart/1000/restart/1000/restart/1000
C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Windows_Defender v6.3"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/1672-54-0x0000000075341000-0x0000000075343000-memory.dmp
C:\ProgramData\DRE\regedit.reg
| MD5 | b8638b7d0a13be440817026883f59635 |
| SHA1 | 13b56279828f3b2a1530f137c65d8a0650278cb4 |
| SHA256 | 6be1a07f0654f4fcbd377f389c72f2211c2efba65e817789ccc6f6d5c902e5a4 |
| SHA512 | 51f1e0cf6237e2ffdb3d47a9d8f3af0c5b4f1089102c1330ff947664a94588eda48214c5f45ef48786fb84e050c97416e321c34975246fb321a939797cfd0756 |
\ProgramData\DRE\Control.exe
| MD5 | fa434760e9f49c82c9e2546474e27642 |
| SHA1 | de86d57c09181815a1fb6831536037979aff87fe |
| SHA256 | 8bd26aa4e8a7ff85d4721d9b714b7865620a6f87b99e5744e4db4c955328861f |
| SHA512 | a85d0018b542a671c6cfe9706a7cd6a527eb0ef5bb3ac7b444ae918e65e2f844a88c8812529f09d99c705ac801f5e0b2b03b9276c281e74a7f55017dfd015909 |
C:\ProgramData\DRE\Control.exe
| MD5 | fa434760e9f49c82c9e2546474e27642 |
| SHA1 | de86d57c09181815a1fb6831536037979aff87fe |
| SHA256 | 8bd26aa4e8a7ff85d4721d9b714b7865620a6f87b99e5744e4db4c955328861f |
| SHA512 | a85d0018b542a671c6cfe9706a7cd6a527eb0ef5bb3ac7b444ae918e65e2f844a88c8812529f09d99c705ac801f5e0b2b03b9276c281e74a7f55017dfd015909 |
C:\ProgramData\DRE\Control.exe
| MD5 | fa434760e9f49c82c9e2546474e27642 |
| SHA1 | de86d57c09181815a1fb6831536037979aff87fe |
| SHA256 | 8bd26aa4e8a7ff85d4721d9b714b7865620a6f87b99e5744e4db4c955328861f |
| SHA512 | a85d0018b542a671c6cfe9706a7cd6a527eb0ef5bb3ac7b444ae918e65e2f844a88c8812529f09d99c705ac801f5e0b2b03b9276c281e74a7f55017dfd015909 |
C:\ProgramData\DRE\Control.exe
| MD5 | fa434760e9f49c82c9e2546474e27642 |
| SHA1 | de86d57c09181815a1fb6831536037979aff87fe |
| SHA256 | 8bd26aa4e8a7ff85d4721d9b714b7865620a6f87b99e5744e4db4c955328861f |
| SHA512 | a85d0018b542a671c6cfe9706a7cd6a527eb0ef5bb3ac7b444ae918e65e2f844a88c8812529f09d99c705ac801f5e0b2b03b9276c281e74a7f55017dfd015909 |
C:\ProgramData\DRE\Control.exe
| MD5 | fa434760e9f49c82c9e2546474e27642 |
| SHA1 | de86d57c09181815a1fb6831536037979aff87fe |
| SHA256 | 8bd26aa4e8a7ff85d4721d9b714b7865620a6f87b99e5744e4db4c955328861f |
| SHA512 | a85d0018b542a671c6cfe9706a7cd6a527eb0ef5bb3ac7b444ae918e65e2f844a88c8812529f09d99c705ac801f5e0b2b03b9276c281e74a7f55017dfd015909 |
C:\ProgramData\DRE\Control.exe
| MD5 | fa434760e9f49c82c9e2546474e27642 |
| SHA1 | de86d57c09181815a1fb6831536037979aff87fe |
| SHA256 | 8bd26aa4e8a7ff85d4721d9b714b7865620a6f87b99e5744e4db4c955328861f |
| SHA512 | a85d0018b542a671c6cfe9706a7cd6a527eb0ef5bb3ac7b444ae918e65e2f844a88c8812529f09d99c705ac801f5e0b2b03b9276c281e74a7f55017dfd015909 |
C:\ProgramData\DRE\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
C:\ProgramData\DRE\DREService.exe
| MD5 | 2827c6bb70b00b6aacf245ed64846011 |
| SHA1 | 5dce08b48c287cc871ac5c128035d42c7ed1cc2d |
| SHA256 | c50980ee38e90fe9ed166691e1af1dc652b780bb7033701cd684d81b7f4b91eb |
| SHA512 | 128808b0639fc0b0bd4acaed11d63efa1aea5d921ddef8fd4a12764005155537f39c442a98f023b74dec2461830558af86d7ad1883d87bcbb592269a1bfe1cec |
C:\ProgramData\DRE\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |
memory/1492-71-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1868-72-0x0000000000230000-0x0000000000231000-memory.dmp
\ProgramData\DRE\DREService.exe
| MD5 | 2827c6bb70b00b6aacf245ed64846011 |
| SHA1 | 5dce08b48c287cc871ac5c128035d42c7ed1cc2d |
| SHA256 | c50980ee38e90fe9ed166691e1af1dc652b780bb7033701cd684d81b7f4b91eb |
| SHA512 | 128808b0639fc0b0bd4acaed11d63efa1aea5d921ddef8fd4a12764005155537f39c442a98f023b74dec2461830558af86d7ad1883d87bcbb592269a1bfe1cec |
C:\ProgramData\DRE\DREService.exe
| MD5 | 2827c6bb70b00b6aacf245ed64846011 |
| SHA1 | 5dce08b48c287cc871ac5c128035d42c7ed1cc2d |
| SHA256 | c50980ee38e90fe9ed166691e1af1dc652b780bb7033701cd684d81b7f4b91eb |
| SHA512 | 128808b0639fc0b0bd4acaed11d63efa1aea5d921ddef8fd4a12764005155537f39c442a98f023b74dec2461830558af86d7ad1883d87bcbb592269a1bfe1cec |
C:\ProgramData\DRE\DREService.exe
| MD5 | 2827c6bb70b00b6aacf245ed64846011 |
| SHA1 | 5dce08b48c287cc871ac5c128035d42c7ed1cc2d |
| SHA256 | c50980ee38e90fe9ed166691e1af1dc652b780bb7033701cd684d81b7f4b91eb |
| SHA512 | 128808b0639fc0b0bd4acaed11d63efa1aea5d921ddef8fd4a12764005155537f39c442a98f023b74dec2461830558af86d7ad1883d87bcbb592269a1bfe1cec |
\ProgramData\DRE\sys.exe
| MD5 | faf1fc3b0b4e42ab038677f1168fbf17 |
| SHA1 | 5e04f80934853f0552079c27b7d2fd6e62dd1b3c |
| SHA256 | a262cec7448e5db073fc858f5f7e6c871460e8853a12a34f96d3cce95eebf109 |
| SHA512 | 74f2dd08e0f3c1d9b44c104abae62b31d1d49c4e1e7e5a15b11154dd1cae10280adb93e202a62e7772d617d5d3154e1a61bb11a9e929fb2610a6ed8a0a7f80e2 |
C:\ProgramData\DRE\sys.exe
| MD5 | faf1fc3b0b4e42ab038677f1168fbf17 |
| SHA1 | 5e04f80934853f0552079c27b7d2fd6e62dd1b3c |
| SHA256 | a262cec7448e5db073fc858f5f7e6c871460e8853a12a34f96d3cce95eebf109 |
| SHA512 | 74f2dd08e0f3c1d9b44c104abae62b31d1d49c4e1e7e5a15b11154dd1cae10280adb93e202a62e7772d617d5d3154e1a61bb11a9e929fb2610a6ed8a0a7f80e2 |
memory/1592-81-0x0000000000400000-0x00000000009B7003-memory.dmp
memory/1804-85-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1144-86-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1592-83-0x0000000000401000-0x0000000000797000-memory.dmp
memory/1592-88-0x00000000009C0000-0x00000000009C3000-memory.dmp
memory/1592-89-0x00000000002F0000-0x000000000033B000-memory.dmp
memory/1592-90-0x00000000003F0000-0x00000000003F6000-memory.dmp
memory/1592-91-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
C:\Windows\run.bat
| MD5 | 93a098e3701bf40042a0e51d3a125b31 |
| SHA1 | 2dcbf75b8d8bba7830aa363c1e56560e552c726a |
| SHA256 | 8a0c16ab6f2b5af74b62fe041b8bc1ddf8dc03fb713c5bb30beceba307bb1269 |
| SHA512 | 06d97a68fc971bc5c739f5da10a172c2279b9158b994d78b7eb60fff6e484c118b70631df788557a213f26baae00cde9ed7e176b1495c5d2ec74099a7fa3fa12 |
C:\Windows\RDPWInst.exe
| MD5 | 9c257b1d15817a818a675749f0429130 |
| SHA1 | 234d14da613c1420ea17de60ab8c3621d1599f6f |
| SHA256 | b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c |
| SHA512 | b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521 |
C:\Windows\RDPWInst.exe
| MD5 | 9c257b1d15817a818a675749f0429130 |
| SHA1 | 234d14da613c1420ea17de60ab8c3621d1599f6f |
| SHA256 | b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c |
| SHA512 | b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521 |
C:\ProgramData\DRE\DREService.exe
| MD5 | 2827c6bb70b00b6aacf245ed64846011 |
| SHA1 | 5dce08b48c287cc871ac5c128035d42c7ed1cc2d |
| SHA256 | c50980ee38e90fe9ed166691e1af1dc652b780bb7033701cd684d81b7f4b91eb |
| SHA512 | 128808b0639fc0b0bd4acaed11d63efa1aea5d921ddef8fd4a12764005155537f39c442a98f023b74dec2461830558af86d7ad1883d87bcbb592269a1bfe1cec |
\Program Files\RDP Wrapper\rdpwrap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
memory/972-100-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp
C:\Windows\RDPWInst.exe
| MD5 | 9c257b1d15817a818a675749f0429130 |
| SHA1 | 234d14da613c1420ea17de60ab8c3621d1599f6f |
| SHA256 | b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c |
| SHA512 | b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521 |
C:\Program Files\RDP Wrapper\rdpwrap.ini
| MD5 | dddd741ab677bdac8dcd4fa0dda05da2 |
| SHA1 | 69d328c70046029a1866fd440c3e4a63563200f9 |
| SHA256 | 7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668 |
| SHA512 | 6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
| MD5 | 833483b12995ab7f203c3bd446515920 |
| SHA1 | b28acaba406a9eacaaa427451e4cc73e675f5a79 |
| SHA256 | 1065e3cef219fe8ea8f9c2d8c9a2b768b927334483d97ad06150e75b75a91679 |
| SHA512 | 304fddea480730d737b61c7f3ce26de200d5225463712ec1eacbec6ac88a99ce946d933f94058dcb66ddc362c470b1c9893837bf5a954e04ffd95b39ce5036f1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
| MD5 | 6417cb45e2756b4376d81f67bc10c936 |
| SHA1 | a1ff39991135460b271563027d50a3dddec3a229 |
| SHA256 | 6225eb3c454c3200c8782a1439a26c273dae4c8117ecd999070391e4ae8a5321 |
| SHA512 | b02b2b5510f87cb8a137d507b787fc5abece45df0d69d09a5e915652fd3cdbd1cb59408e3dc393be6fbfa4489c1cdc579abbe3b015a23a81482ce2b9f434d1bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3fdbf0eda05c1229d792bd7c13675ae2 |
| SHA1 | 98a74ecc1edf7f34e1fe54eb3ec8bfdc274f421e |
| SHA256 | 4e06a5dca95e6ffc2677f99c272101a9d021154197629691be181695ac267944 |
| SHA512 | 481675921399215815840db4bbb090f53f0a67899b3861a8233c2fec44b0b3cc64046813d61b95886796904f577e241c7c19b9760f3e2031e3e5baa92d2d8df4 |
C:\ProgramData\DRE\service.bat
| MD5 | d464405315d8b051c5f101a7035eff0c |
| SHA1 | f9fefd04bb0f04d2b7fbac73efac8130a264fc6b |
| SHA256 | e54649f33d7b149073e457e5c4b78767433b05f8220245f8ee2c7ad44685ed10 |
| SHA512 | 6e0daab678a3ace2c437702241daee277d4b2bed86bf953fa33089ce3654402415d2401d15740b6ae2077289c87550f50750c0d33e415999e3df27b5fc40350a |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-13 14:22
Reported
2022-02-13 14:25
Platform
win10v2004-en-20220113
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\413f85b8ae812c7f3ba08d7ae7c79342e0dfa561d5bb1896f0f5ed1b64b129bb.exe
"C:\Users\Admin\AppData\Local\Temp\413f85b8ae812c7f3ba08d7ae7c79342e0dfa561d5bb1896f0f5ed1b64b129bb.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.15:443 | tcp | |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 72.21.91.29:80 | crl4.digicert.com | tcp |
| NL | 88.221.255.169:80 | tcp | |
| NL | 67.26.109.254:80 | tcp |
Files
memory/3572-130-0x0000021736D30000-0x0000021736D40000-memory.dmp
memory/3572-131-0x0000021736D90000-0x0000021736DA0000-memory.dmp
memory/3572-132-0x0000021739A80000-0x0000021739A84000-memory.dmp