923ff70bd31fd27df3c2d91ec555fcf43e93825f695824fdbeb10e4913396e67 | Triage

Sharing

General

Target

RDPW_installer.exe
Size

2.4MB
Sample

230719-pbfk1sec63
MD5

d1e65ecb22859949e55dd791fba5e62f
SHA1

43be70e679bbd34fe82746d6d39fe2511d0c9987
SHA256

923ff70bd31fd27df3c2d91ec555fcf43e93825f695824fdbeb10e4913396e67
SHA512

36e3c3aa1cd103fe9685fa452d0d496e7abf0c2216cd1924d97eee65c1cd724948889b96c9f6c96461cc5ab4db406421a8d0f46316142419448afd096a4a8274
SSDEEP

49152:rQTtgkYU6W9Y3jyI/NLYXDlixRHY+QHl+ItOWpHFB8oQv3YBEpyS5jUR8:rJkfRgjySL2D0xqQyxQvfpykc8

Score

8^/10

evasion persistence

Malware Config

Targets

- Target
  
  RDPW_installer.exe
- Size
  
  2.4MB
- MD5
  
  d1e65ecb22859949e55dd791fba5e62f
- SHA1
  
  43be70e679bbd34fe82746d6d39fe2511d0c9987
- SHA256
  
  923ff70bd31fd27df3c2d91ec555fcf43e93825f695824fdbeb10e4913396e67
- SHA512
  
  36e3c3aa1cd103fe9685fa452d0d496e7abf0c2216cd1924d97eee65c1cd724948889b96c9f6c96461cc5ab4db406421a8d0f46316142419448afd096a4a8274
- SSDEEP
  
  49152:rQTtgkYU6W9Y3jyI/NLYXDlixRHY+QHl+ItOWpHFB8oQv3YBEpyS5jUR8:rJkfRgjySL2D0xqQyxQvfpykc8
Score

8^/10

evasion persistence
- Modifies RDP port number used by Windows
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

Remote System Discovery

Lateral Movement

Remote Desktop Protocol

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

evasionpersistence