Analysis

  • max time kernel
    133s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20230712-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    19-07-2023 11:17

General

  • Target

    RDPW_installer.exe

  • Size

    2.4MB

  • MD5

    d1e65ecb22859949e55dd791fba5e62f

  • SHA1

    43be70e679bbd34fe82746d6d39fe2511d0c9987

  • SHA256

    923ff70bd31fd27df3c2d91ec555fcf43e93825f695824fdbeb10e4913396e67

  • SHA512

    36e3c3aa1cd103fe9685fa452d0d496e7abf0c2216cd1924d97eee65c1cd724948889b96c9f6c96461cc5ab4db406421a8d0f46316142419448afd096a4a8274

  • SSDEEP

    49152:rQTtgkYU6W9Y3jyI/NLYXDlixRHY+QHl+ItOWpHFB8oQv3YBEpyS5jUR8:rJkfRgjySL2D0xqQyxQvfpykc8

Score
8/10

Malware Config

Signatures

  • Modifies RDP port number used by Windows 1 TTPs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RDPW_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RDPW_installer.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D00B.tmp\D00C.tmp\D00D.bat C:\Users\Admin\AppData\Local\Temp\RDPW_installer.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Users\Admin\AppData\Local\Temp\D00B.tmp\RDPWInst.exe
        "RDPWInst" -u
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2800
      • C:\Windows\system32\PING.EXE
        ping -n 3 localhost
        3⤵
        • Runs ping.exe
        PID:884
      • C:\Windows\system32\xcopy.exe
        xcopy "RDP_CnC.exe" "C:\Program Files\RDP Wrapper\" /s /I /y
        3⤵
        • Drops file in Program Files directory
        PID:2200
      • C:\Windows\system32\xcopy.exe
        xcopy "RDPWInst.exe" "C:\Program Files\RDP Wrapper\" /s /I /y
        3⤵
        • Drops file in Program Files directory
        PID:2240
      • C:\Windows\system32\xcopy.exe
        xcopy "update.bat" "C:\Program Files\RDP Wrapper\" /s /I /y
        3⤵
        • Drops file in Program Files directory
        PID:2352
      • C:\Windows\system32\xcopy.exe
        xcopy "RDP_CnC.lnk" "C:\Users\Admin\Desktop\" /s /I /y
        3⤵
        PID:2456
      • C:\Program Files\RDP Wrapper\RDPWInst.exe
        "C:\Program Files\RDP Wrapper\RDPWInst" -i -o
        3⤵
        • Sets DLL path for service in the registry
        • Executes dropped EXE
        • Modifies WinLogon
        • Drops file in Program Files directory
        • Modifies system certificate store
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
          4⤵
          • Modifies Windows Firewall
          PID:2024
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=udp localport=3389 profile=any action=allow
          4⤵
          • Modifies Windows Firewall
          PID:1132
      • C:\Users\Admin\AppData\Local\Temp\D00B.tmp\LGPO.exe
        lgpo /m H264_ON.pol
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1860
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /CREATE /SC ONSTART /DELAY 0002:00 /TN "RDPWUpdater" /TR "'C:\Program Files\RDP Wrapper\RDPWInst.exe' -w" /RL HIGHEST /RU SYSTEM /NP
        3⤵
        • Creates scheduled task(s)
        PID:1800
      • C:\Windows\system32\cmd.exe
        cmd.exe /C start "" "C:\Program Files\RDP Wrapper\RDP_CnC.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Program Files\RDP Wrapper\RDP_CnC.exe
          "C:\Program Files\RDP Wrapper\RDP_CnC.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of SetWindowsHookEx
          PID:2976
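
The process tree above contains the three host changes a defender would key on: an inbound firewall allow for 3389 via netsh, a SYSTEM scheduled task pointing into "C:\Program Files\RDP Wrapper", and a service DLL path rewrite (the "Sets DLL path for service in the registry" signature on PID 2296). The following detection rules are an added example, not part of the sandbox report, written against Sysmon-style process-creation and registry events constructed inline from the command lines and hashes shown in this report. The event field names are a simplified stand-in for Sysmon Event ID 1 and 13, and the assumption that the rewritten service DLL is the TermService ServiceDll (RDP Wrapper's documented technique) is not stated by the report itself.

```python
"""Detection rules for the RDP Wrapper install chain shown in the process tree.

Added example, not part of the sandbox report. Events are constructed inline
from the command lines in the report; field names (type, pid, ppid, image,
cmdline, sha256, key, value) are an assumed simplification of Sysmon EID 1/13.
"""
import re

# SHA256 values copied from the report's Downloads section.
KNOWN_SHA256 = {
    "df22c31e009365f5d4f5dd45db3a326d11a67cbb9eb4c8307df1a99f2230f377": "RDPWInst.exe",
    "3706351c45b9afca655d72daefc80218b75e696644ccaaa1fdf60792a4c22337": "RDP_CnC.exe",
    "75fb4394ef5b8d1e7c74dfc61424101582ecdc406060caa9d66adea2ac8b37f8": "rdpwrap.dll",
}

# Constructed sample events; PIDs and command lines mirror the report's tree.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2296, "ppid": 1824,
     "image": r"C:\Program Files\RDP Wrapper\RDPWInst.exe",
     "cmdline": r'"C:\Program Files\RDP Wrapper\RDPWInst" -i -o',
     "sha256": "df22c31e009365f5d4f5dd45db3a326d11a67cbb9eb4c8307df1a99f2230f377"},
    {"type": "process", "pid": 2024, "ppid": 2296,
     "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in '
                'protocol=tcp localport=3389 profile=any action=allow'},
    {"type": "process", "pid": 1800, "ppid": 1824,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"""SCHTASKS /CREATE /SC ONSTART /DELAY 0002:00 /TN "RDPWUpdater" /TR "'C:\Program Files\RDP Wrapper\RDPWInst.exe' -w" /RL HIGHEST /RU SYSTEM /NP"""},
    {"type": "process", "pid": 884, "ppid": 1824,          # benign delay, should not fire
     "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 3 localhost"},
    # ASSUMPTION: the report only shows the generic "Sets DLL path for service"
    # signature; the TermService key below is RDP Wrapper's known target.
    {"type": "registry", "pid": 2296,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "value": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
]


def parse_netsh_add_rule(cmdline):
    """key=value arguments of 'netsh advfirewall firewall add rule', or None."""
    if not re.match(r"(?i)^\s*\S*netsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b", cmdline):
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', cmdline)
    return {k.lower(): v.strip('"').lower() for k, v in pairs}


def parse_schtasks_create(cmdline):
    """Switches of 'schtasks /create' as {switch: value}; valueless switches map to ''."""
    if not re.match(r"(?i)^\s*\S*schtasks(\.exe)?\s+/create\b", cmdline):
        return None
    opts = {}
    # A value is either a quoted string or a token that does not start with '/'.
    for m in re.finditer(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?', cmdline):
        opts[m.group(1).lower()] = (m.group(2) or "").strip('"')
    return opts


def firewall_opens_inbound_rdp(args):
    """Inbound allow on 3389 on any profile, as both netsh lines in the report do."""
    if args.get("dir") == "in" and args.get("action") == "allow" and args.get("localport") == "3389":
        return f"inbound {args.get('protocol', '?')}/3389 allowed, profile={args.get('profile', '?')}"
    return None


def system_task_outside_windows(opts):
    """Task running as SYSTEM whose program lives outside C:\\Windows."""
    if not opts.get("ru", "").upper().lstrip("\\").endswith("SYSTEM"):
        return None
    tr = opts.get("tr", "")
    m = re.match(r"""\s*['"]?([A-Za-z]:\\[^'"]+?\.(?:exe|bat|cmd|ps1))""", tr, re.I)
    program = m.group(1) if m else tr
    if program.lower().startswith("c:\\windows\\"):
        return None
    return f"task {opts.get('tn')!r} runs {program} as SYSTEM on {opts.get('sc', '?')}"


def service_dll_outside_system32(event):
    """ServiceDll of any service redirected to a path outside System32."""
    key = event["key"].lower()
    if not key.endswith("\\parameters\\servicedll"):
        return None
    value = event["value"].lower()
    if value.startswith("c:\\windows\\system32\\") or value.startswith("%systemroot%\\system32\\"):
        return None
    service = key.split("\\")[-3]
    return f"ServiceDll of {service} points outside System32: {event['value']}"


def known_rdpwrap_hash(event):
    """Image hash matches one of the artefacts listed in the report."""
    name = KNOWN_SHA256.get(event.get("sha256", "").lower())
    return f"image hash matches report artefact {name}" if name else None


def run_rules(events):
    """Apply every rule to every event; returns one finding per (pid, rule) hit."""
    findings = []
    for ev in events:
        hits = []
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            if (a := parse_netsh_add_rule(cmd)) is not None and (d := firewall_opens_inbound_rdp(a)):
                hits.append(("firewall_opens_rdp", d))
            if (o := parse_schtasks_create(cmd)) is not None and (d := system_task_outside_windows(o)):
                hits.append(("system_task_outside_windows", d))
            if d := known_rdpwrap_hash(ev):
                hits.append(("known_rdpwrap_hash", d))
        elif ev["type"] == "registry":
            if d := service_dll_outside_system32(ev):
                hits.append(("service_dll_hijack", d))
        findings.extend({"pid": ev["pid"], "rule": r, "detail": d} for r, d in hits)
    return findings


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"PID {f['pid']:>5}  {f['rule']:<28} {f['detail']}")
```

The firewall and ServiceDll rules are deliberately generic (any inbound 3389 allow, any service DLL outside System32) so they catch the technique rather than this build of the installer, while the hash rule pins the exact artefacts this report lists; the ping event is included as a negative sample that must not fire.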


    Downloads

    • C:\Program Files\RDP Wrapper\RDPWInst.exe

      Filesize

      2.2MB

      MD5

      f361483abd4d3746d0483b60d72823cb

      SHA1

      929799530029c2cfdf3f8b0e00cd4af2d794b9f8

      SHA256

      df22c31e009365f5d4f5dd45db3a326d11a67cbb9eb4c8307df1a99f2230f377

      SHA512

      e4d55e54ac626a4e51a77e30d87f1fa5e84b1a706612ad5eea840199fb15507675ff60f823fe6b7b5d959ad3b03a04e0e2b6946134e04ef6c1d222cb6640013a

    • C:\Program Files\RDP Wrapper\RDP_CnC.exe

      Filesize

      2.9MB

      MD5

      c744abd4850faf4a1de948bb4ba3a030

      SHA1

      f02806cd11365d9dc2b2abbb1f23305e1dce1de2

      SHA256

      3706351c45b9afca655d72daefc80218b75e696644ccaaa1fdf60792a4c22337

      SHA512

      dfbffd7040caf7dfb91112041e166f3692624636c51c1c61c9e90588d6b369ed741151acde54e7c3d0405f4de0d7736b054f5aa29848372f0b6ca36def8baf7b

    • C:\Program Files\RDP Wrapper\rdpwrap.dll

      Filesize

      114KB

      MD5

      0c2180b8e8cf57d168b0e5f388f90650

      SHA1

      dc6ba17b27e6611489c5c52f8956bc5a45001ecd

      SHA256

      75fb4394ef5b8d1e7c74dfc61424101582ecdc406060caa9d66adea2ac8b37f8

      SHA512

      8effc36cd55e0543219afa3df0d42e346ab8a6c67737977c24b4207281f490daf8f628614a745c26e6ef9f033a899c62378c99a8745e16c3e7935863c8f925ae

    • C:\Program Files\RDP Wrapper\rdpwrap.ini

      Filesize

      340KB

      MD5

      302369b32db541ef6603e29813b53b18

      SHA1

      2cfd1c400e98976c3cf3378716dbb30b2a9a3986

      SHA256

      d5458b7ecbc9d6cbc44ac6f076875d00a0af35a4a43ae7f340e00877cdfa371d

      SHA512

      e892a82a08a9b5c38079bf2aa623bfe73aa4a6a0d567282972290d572851a31b1df918e0c116362dcf261245310082a183eb922ccc7e408f2b7e02e737832109

    • C:\Program Files\RDP Wrapper\update.bat

      Filesize

      322B

      MD5

      8f9a5bf6d5331c46c8d9bc63700077fc

      SHA1

      4fa07a1599d5ae06416ab9004eca85511f534094

      SHA256

      ab0cf42c898e0fcff6332094226312901d6afe2eab5598cf7eaccdaaea6ea3d9

      SHA512

      9c9d66f85c46ae532e58b724deddf01394df68fa7194355b4c8e92d7a6f4652fec38bbaaead669823f0dc2c3bc06fcc35e12e58affa9d306e2076a277064f35e

    • C:\Users\Admin\AppData\Local\Temp\D00B.tmp\D00C.tmp\D00D.bat

      Filesize

      823B

      MD5

      a3feed2ec6aee292085cc4cd9822efd1

      SHA1

      e196c846bd841ecd67d5b1a8362ba8d32819a5ab

      SHA256

      8880c7cc02dcba44e226ee610a2aba07b234e835573c1cf904058e5385a1e139

      SHA512

      9ed3199ee9233f33533f8c7fed55d54231825e5cd8db61eaaab770ff25e015994939e2b841d3516048b498ef25579e3c4d5f92067c687e0e2ebf8b1853f81603

    • C:\Users\Admin\AppData\Local\Temp\D00B.tmp\H264_ON.pol

      Filesize

      186B

      MD5

      78952b476aa2e47bf0e27416acf6fe1f

      SHA1

      5543f22fe65fa4193008163107acd4ef8fbb338b

      SHA256

      213da1274863316dbf91aa4c725b86f23e37784912930ed951003608834a0b46

      SHA512

      5d4a1e4f13f01530ecfa399ac7e6db74403d4c1b3eed23f4fb0f068a387fde42d5651fadfbb9aad6a28c5a40345b70fb13c1e9210123157711622d9aab8fc21d

    • C:\Users\Admin\AppData\Local\Temp\D00B.tmp\LGPO.exe

      Filesize

      469KB

      MD5

      fdf6c1f114a0fd2a144a6a126206461c

      SHA1

      bacfef8c102b1791ebe3229324cdf75da3171952

      SHA256

      0c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7

      SHA512

      9d941f1bb73c999f7f3c54f20a673fc4bc0342ba1d5c43e271e70f67294a63253878f8ab412e5b6ec39468e556c37dadeff0c167b22dd1bb675eca93d4e2cbce

    • C:\Users\Admin\AppData\Local\Temp\D00B.tmp\RDPWInst.exe

      Filesize

      2.2MB

      MD5

      f361483abd4d3746d0483b60d72823cb

      SHA1

      929799530029c2cfdf3f8b0e00cd4af2d794b9f8

      SHA256

      df22c31e009365f5d4f5dd45db3a326d11a67cbb9eb4c8307df1a99f2230f377

      SHA512

      e4d55e54ac626a4e51a77e30d87f1fa5e84b1a706612ad5eea840199fb15507675ff60f823fe6b7b5d959ad3b03a04e0e2b6946134e04ef6c1d222cb6640013a

    • C:\Users\Admin\AppData\Local\Temp\D00B.tmp\RDP_CnC.exe

      Filesize

      2.9MB

      MD5

      c744abd4850faf4a1de948bb4ba3a030

      SHA1

      f02806cd11365d9dc2b2abbb1f23305e1dce1de2

      SHA256

      3706351c45b9afca655d72daefc80218b75e696644ccaaa1fdf60792a4c22337

      SHA512

      dfbffd7040caf7dfb91112041e166f3692624636c51c1c61c9e90588d6b369ed741151acde54e7c3d0405f4de0d7736b054f5aa29848372f0b6ca36def8baf7b

    • C:\Users\Admin\AppData\Local\Temp\D00B.tmp\RDP_CnC.lnk

      Filesize

      1KB

      MD5

      69a90ef9949cac7cbdeefc6a106168b9

      SHA1

      50e2c6208ed249a17814132b8c38bf4ae996875c

      SHA256

      88a04debda81ba55f72a60fa9dd127a7f4f2a744cd2f252fd4105ac04edb1765

      SHA512

      09576de514662dbb4cc232498b0349acec79b3177c1ae8738341742ba109e563da4879ff12734d91cd24dc7c22bb13bfb223c223686160905aa3e937d7f28294

    • C:\Users\Admin\AppData\Local\Temp\D00B.tmp\update.bat

      Filesize

      322B

      MD5

      8f9a5bf6d5331c46c8d9bc63700077fc

      SHA1

      4fa07a1599d5ae06416ab9004eca85511f534094

      SHA256

      ab0cf42c898e0fcff6332094226312901d6afe2eab5598cf7eaccdaaea6ea3d9

      SHA512

      9c9d66f85c46ae532e58b724deddf01394df68fa7194355b4c8e92d7a6f4652fec38bbaaead669823f0dc2c3bc06fcc35e12e58affa9d306e2076a277064f35e

    • C:\Users\Admin\Desktop\RDP_CnC.lnk

      Filesize

      1KB

      MD5

      69a90ef9949cac7cbdeefc6a106168b9

      SHA1

      50e2c6208ed249a17814132b8c38bf4ae996875c

      SHA256

      88a04debda81ba55f72a60fa9dd127a7f4f2a744cd2f252fd4105ac04edb1765

      SHA512

      09576de514662dbb4cc232498b0349acec79b3177c1ae8738341742ba109e563da4879ff12734d91cd24dc7c22bb13bfb223c223686160905aa3e937d7f28294

    • \Program Files\RDP Wrapper\rdpwrap.dll

      Filesize

      114KB

      MD5

      0c2180b8e8cf57d168b0e5f388f90650

      SHA1

      dc6ba17b27e6611489c5c52f8956bc5a45001ecd

      SHA256

      75fb4394ef5b8d1e7c74dfc61424101582ecdc406060caa9d66adea2ac8b37f8

      SHA512

      8effc36cd55e0543219afa3df0d42e346ab8a6c67737977c24b4207281f490daf8f628614a745c26e6ef9f033a899c62378c99a8745e16c3e7935863c8f925ae

    • memory/2296-102-0x0000000000400000-0x0000000000647000-memory.dmp

      Filesize

      2.3MB

    • memory/2800-70-0x0000000000400000-0x0000000000647000-memory.dmp

      Filesize

      2.3MB

    • memory/2976-118-0x00000000001C0000-0x00000000001C1000-memory.dmp

      Filesize

      4KB

    • memory/2976-121-0x0000000000400000-0x0000000000708000-memory.dmp

      Filesize

      3.0MB