Analysis

  • max time kernel
    129s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/07/2023, 12:09

General

  • Target

    RDPW_installer.exe

  • Size

    2.4MB

  • MD5

    d1e65ecb22859949e55dd791fba5e62f

  • SHA1

    43be70e679bbd34fe82746d6d39fe2511d0c9987

  • SHA256

    923ff70bd31fd27df3c2d91ec555fcf43e93825f695824fdbeb10e4913396e67

  • SHA512

    36e3c3aa1cd103fe9685fa452d0d496e7abf0c2216cd1924d97eee65c1cd724948889b96c9f6c96461cc5ab4db406421a8d0f46316142419448afd096a4a8274

  • SSDEEP

    49152:rQTtgkYU6W9Y3jyI/NLYXDlixRHY+QHl+ItOWpHFB8oQv3YBEpyS5jUR8:rJkfRgjySL2D0xqQyxQvfpykc8

Score
8/10

Signatures

  • Modifies RDP port number used by Windows 1 TTPs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RDPW_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RDPW_installer.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9143.tmp\9144.tmp\9145.bat C:\Users\Admin\AppData\Local\Temp\RDPW_installer.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3516
      • C:\Users\Admin\AppData\Local\Temp\9143.tmp\RDPWInst.exe
        "RDPWInst" -u
        3⤵
        • Executes dropped EXE
        PID:2948
      • C:\Windows\system32\PING.EXE
        ping -n 3 localhost
        3⤵
        • Runs ping.exe
        PID:2896
      • C:\Windows\system32\xcopy.exe
        xcopy "RDP_CnC.exe" "C:\Program Files\RDP Wrapper\" /s /I /y
        3⤵
        • Drops file in Program Files directory
        PID:1832
      • C:\Windows\system32\xcopy.exe
        xcopy "RDPWInst.exe" "C:\Program Files\RDP Wrapper\" /s /I /y
        3⤵
        • Drops file in Program Files directory
        PID:4724
      • C:\Windows\system32\xcopy.exe
        xcopy "update.bat" "C:\Program Files\RDP Wrapper\" /s /I /y
        3⤵
        • Drops file in Program Files directory
        PID:2008
      • C:\Windows\system32\xcopy.exe
        xcopy "RDP_CnC.lnk" "C:\Users\Admin\Desktop\" /s /I /y
        3⤵
        PID:4616
      • C:\Program Files\RDP Wrapper\RDPWInst.exe
        "C:\Program Files\RDP Wrapper\RDPWInst" -i -o
        3⤵
        • Sets DLL path for service in the registry
        • Executes dropped EXE
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Windows\SYSTEM32\netsh.exe
          netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
          4⤵
          • Modifies Windows Firewall
          PID:4084
        • C:\Windows\SYSTEM32\netsh.exe
          netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=udp localport=3389 profile=any action=allow
          4⤵
          • Modifies Windows Firewall
          PID:1616
      • C:\Users\Admin\AppData\Local\Temp\9143.tmp\LGPO.exe
        lgpo /m H264_ON.pol
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:4860
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /CREATE /SC ONSTART /DELAY 0002:00 /TN "RDPWUpdater" /TR "'C:\Program Files\RDP Wrapper\RDPWInst.exe' -w" /RL HIGHEST /RU SYSTEM /NP
        3⤵
        • Creates scheduled task(s)
        PID:4204
      • C:\Windows\system32\cmd.exe
        cmd.exe /C start "" "C:\Program Files\RDP Wrapper\RDP_CnC.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3832
        • C:\Program Files\RDP Wrapper\RDP_CnC.exe
          "C:\Program Files\RDP Wrapper\RDP_CnC.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:540
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    1⤵
    PID:1788
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2068
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
    PID:3716
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
    PID:1912

Downloads

          • C:\Program Files\RDP Wrapper\RDPWInst.exe

            Filesize

            2.2MB

            MD5

            f361483abd4d3746d0483b60d72823cb

            SHA1

            929799530029c2cfdf3f8b0e00cd4af2d794b9f8

            SHA256

            df22c31e009365f5d4f5dd45db3a326d11a67cbb9eb4c8307df1a99f2230f377

            SHA512

            e4d55e54ac626a4e51a77e30d87f1fa5e84b1a706612ad5eea840199fb15507675ff60f823fe6b7b5d959ad3b03a04e0e2b6946134e04ef6c1d222cb6640013a

          • C:\Program Files\RDP Wrapper\RDPWInst.exe

            Filesize

            2.2MB

            MD5

            f361483abd4d3746d0483b60d72823cb

            SHA1

            929799530029c2cfdf3f8b0e00cd4af2d794b9f8

            SHA256

            df22c31e009365f5d4f5dd45db3a326d11a67cbb9eb4c8307df1a99f2230f377

            SHA512

            e4d55e54ac626a4e51a77e30d87f1fa5e84b1a706612ad5eea840199fb15507675ff60f823fe6b7b5d959ad3b03a04e0e2b6946134e04ef6c1d222cb6640013a

          • C:\Program Files\RDP Wrapper\RDP_CnC.exe

            Filesize

            2.9MB

            MD5

            c744abd4850faf4a1de948bb4ba3a030

            SHA1

            f02806cd11365d9dc2b2abbb1f23305e1dce1de2

            SHA256

            3706351c45b9afca655d72daefc80218b75e696644ccaaa1fdf60792a4c22337

            SHA512

            dfbffd7040caf7dfb91112041e166f3692624636c51c1c61c9e90588d6b369ed741151acde54e7c3d0405f4de0d7736b054f5aa29848372f0b6ca36def8baf7b

          • C:\Program Files\RDP Wrapper\rdpwrap.dll

            Filesize

            114KB

            MD5

            0c2180b8e8cf57d168b0e5f388f90650

            SHA1

            dc6ba17b27e6611489c5c52f8956bc5a45001ecd

            SHA256

            75fb4394ef5b8d1e7c74dfc61424101582ecdc406060caa9d66adea2ac8b37f8

            SHA512

            8effc36cd55e0543219afa3df0d42e346ab8a6c67737977c24b4207281f490daf8f628614a745c26e6ef9f033a899c62378c99a8745e16c3e7935863c8f925ae

          • C:\Program Files\RDP Wrapper\update.bat

            Filesize

            322B

            MD5

            8f9a5bf6d5331c46c8d9bc63700077fc

            SHA1

            4fa07a1599d5ae06416ab9004eca85511f534094

            SHA256

            ab0cf42c898e0fcff6332094226312901d6afe2eab5598cf7eaccdaaea6ea3d9

            SHA512

            9c9d66f85c46ae532e58b724deddf01394df68fa7194355b4c8e92d7a6f4652fec38bbaaead669823f0dc2c3bc06fcc35e12e58affa9d306e2076a277064f35e

          • C:\Users\Admin\AppData\Local\Temp\9143.tmp\9144.tmp\9145.bat

            Filesize

            823B

            MD5

            a3feed2ec6aee292085cc4cd9822efd1

            SHA1

            e196c846bd841ecd67d5b1a8362ba8d32819a5ab

            SHA256

            8880c7cc02dcba44e226ee610a2aba07b234e835573c1cf904058e5385a1e139

            SHA512

            9ed3199ee9233f33533f8c7fed55d54231825e5cd8db61eaaab770ff25e015994939e2b841d3516048b498ef25579e3c4d5f92067c687e0e2ebf8b1853f81603

          • C:\Users\Admin\AppData\Local\Temp\9143.tmp\H264_ON.pol

            Filesize

            186B

            MD5

            78952b476aa2e47bf0e27416acf6fe1f

            SHA1

            5543f22fe65fa4193008163107acd4ef8fbb338b

            SHA256

            213da1274863316dbf91aa4c725b86f23e37784912930ed951003608834a0b46

            SHA512

            5d4a1e4f13f01530ecfa399ac7e6db74403d4c1b3eed23f4fb0f068a387fde42d5651fadfbb9aad6a28c5a40345b70fb13c1e9210123157711622d9aab8fc21d

          • C:\Users\Admin\AppData\Local\Temp\9143.tmp\LGPO.exe

            Filesize

            469KB

            MD5

            fdf6c1f114a0fd2a144a6a126206461c

            SHA1

            bacfef8c102b1791ebe3229324cdf75da3171952

            SHA256

            0c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7

            SHA512

            9d941f1bb73c999f7f3c54f20a673fc4bc0342ba1d5c43e271e70f67294a63253878f8ab412e5b6ec39468e556c37dadeff0c167b22dd1bb675eca93d4e2cbce

          • C:\Users\Admin\AppData\Local\Temp\9143.tmp\RDPWInst.exe

            Filesize

            2.2MB

            MD5

            f361483abd4d3746d0483b60d72823cb

            SHA1

            929799530029c2cfdf3f8b0e00cd4af2d794b9f8

            SHA256

            df22c31e009365f5d4f5dd45db3a326d11a67cbb9eb4c8307df1a99f2230f377

            SHA512

            e4d55e54ac626a4e51a77e30d87f1fa5e84b1a706612ad5eea840199fb15507675ff60f823fe6b7b5d959ad3b03a04e0e2b6946134e04ef6c1d222cb6640013a

          • C:\Users\Admin\AppData\Local\Temp\9143.tmp\RDP_CnC.exe

            Filesize

            2.9MB

            MD5

            c744abd4850faf4a1de948bb4ba3a030

            SHA1

            f02806cd11365d9dc2b2abbb1f23305e1dce1de2

            SHA256

            3706351c45b9afca655d72daefc80218b75e696644ccaaa1fdf60792a4c22337

            SHA512

            dfbffd7040caf7dfb91112041e166f3692624636c51c1c61c9e90588d6b369ed741151acde54e7c3d0405f4de0d7736b054f5aa29848372f0b6ca36def8baf7b

          • C:\Users\Admin\AppData\Local\Temp\9143.tmp\RDP_CnC.lnk

            Filesize

            1KB

            MD5

            69a90ef9949cac7cbdeefc6a106168b9

            SHA1

            50e2c6208ed249a17814132b8c38bf4ae996875c

            SHA256

            88a04debda81ba55f72a60fa9dd127a7f4f2a744cd2f252fd4105ac04edb1765

            SHA512

            09576de514662dbb4cc232498b0349acec79b3177c1ae8738341742ba109e563da4879ff12734d91cd24dc7c22bb13bfb223c223686160905aa3e937d7f28294

          • C:\Users\Admin\AppData\Local\Temp\9143.tmp\update.bat

            Filesize

            322B

            MD5

            8f9a5bf6d5331c46c8d9bc63700077fc

            SHA1

            4fa07a1599d5ae06416ab9004eca85511f534094

            SHA256

            ab0cf42c898e0fcff6332094226312901d6afe2eab5598cf7eaccdaaea6ea3d9

            SHA512

            9c9d66f85c46ae532e58b724deddf01394df68fa7194355b4c8e92d7a6f4652fec38bbaaead669823f0dc2c3bc06fcc35e12e58affa9d306e2076a277064f35e

          • C:\Users\Admin\Desktop\RDP_CnC.lnk

            Filesize

            1KB

            MD5

            69a90ef9949cac7cbdeefc6a106168b9

            SHA1

            50e2c6208ed249a17814132b8c38bf4ae996875c

            SHA256

            88a04debda81ba55f72a60fa9dd127a7f4f2a744cd2f252fd4105ac04edb1765

            SHA512

            09576de514662dbb4cc232498b0349acec79b3177c1ae8738341742ba109e563da4879ff12734d91cd24dc7c22bb13bfb223c223686160905aa3e937d7f28294

          • \??\c:\program files\rdp wrapper\rdpwrap.dll

            Filesize

            114KB

            MD5

            0c2180b8e8cf57d168b0e5f388f90650

            SHA1

            dc6ba17b27e6611489c5c52f8956bc5a45001ecd

            SHA256

            75fb4394ef5b8d1e7c74dfc61424101582ecdc406060caa9d66adea2ac8b37f8

            SHA512

            8effc36cd55e0543219afa3df0d42e346ab8a6c67737977c24b4207281f490daf8f628614a745c26e6ef9f033a899c62378c99a8745e16c3e7935863c8f925ae

          • \??\c:\program files\rdp wrapper\rdpwrap.ini

            Filesize

            340KB

            MD5

            302369b32db541ef6603e29813b53b18

            SHA1

            2cfd1c400e98976c3cf3378716dbb30b2a9a3986

            SHA256

            d5458b7ecbc9d6cbc44ac6f076875d00a0af35a4a43ae7f340e00877cdfa371d

            SHA512

            e892a82a08a9b5c38079bf2aa623bfe73aa4a6a0d567282972290d572851a31b1df918e0c116362dcf261245310082a183eb922ccc7e408f2b7e02e737832109

          • memory/540-196-0x0000000000E40000-0x0000000000E41000-memory.dmp

            Filesize

            4KB

          • memory/540-197-0x0000000000400000-0x0000000000708000-memory.dmp

            Filesize

            3.0MB

          • memory/1780-179-0x0000000000400000-0x0000000000647000-memory.dmp

            Filesize

            2.3MB

          • memory/2948-150-0x0000000000400000-0x0000000000647000-memory.dmp

            Filesize

            2.3MB