88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
Size

536KB
MD5

b2f6347c24672f87d6f3225de77deb29
SHA1

e83cce179d31aee6228f6fd5ec3f4b35927e527d
SHA256

88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c
SHA512

8af8929576b21792983e45a38fb58a464533de1c5968208b0b05580b103a3d95544721b7b5215e464de95f4049833aa23e85201e600a7bfe8220aa314848b534
SSDEEP

12288:LQab4j0WxHHxvgZ5Debn9XdvVYf8tn5+qqheFgOkx2LIa:svj0oxv2Dezv/tx3yOkx2LF

Score

10^/10

upx vmprotect

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3172 created 604	3172	Explorer.EXE	11

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\AjtsUX.sys	rdpshell.exe
File opened for modification	C:\Windows\system32\drivers\MYgSbRIJT1oXy.sys	rdpshell.exe
File opened for modification	C:\Windows\system32\drivers\erB8EaSMNkADzX.itl	rdpshell.exe
File opened for modification	C:\Windows\system32\drivers\h7bFkprg0Q.tdn	rdpshell.exe
File opened for modification	C:\Windows\system32\drivers\SrWi4Hn8pPUb.sys	rdpshell.exe
File opened for modification	C:\Windows\system32\drivers\NrlKGeCMLcoZ.qmy	rdpshell.exe
File opened for modification	C:\Windows\system32\drivers\Rhhw73tmcAtt4.sys	rdpshell.exe
File opened for modification	C:\Windows\system32\drivers\7mBnWkqgafN0Q.sys	rdpshell.exe
File opened for modification	C:\Windows\system32\drivers\gE5BSxrlp1N.fce	rdpshell.exe

Executes dropped EXE 1 IoCs

pid	Process
412	rdpshell.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1588-0-0x0000000000960000-0x0000000000A62000-memory.dmp	upx
behavioral2/memory/1588-18-0x0000000000960000-0x0000000000A62000-memory.dmp	upx
behavioral2/memory/1588-31-0x0000000000960000-0x0000000000A62000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000b0000000231f8-92.dat	vmprotect
behavioral2/files/0x00190000000231f8-152.dat	vmprotect
behavioral2/files/0x00270000000231f8-208.dat	vmprotect
behavioral2/files/0x00350000000231f8-264.dat	vmprotect

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Ns01mgo39W3.sys	rdpshell.exe
File opened for modification	C:\Windows\system32\oA1jUERHQnvrA.eov	rdpshell.exe
File opened for modification	C:\Windows\system32\opOMbKtzOBGSH.sys	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	rdpshell.exe
File created	C:\Windows\system32\ \Windows\System32\c3FDHM7Zv.sys	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E	rdpshell.exe
File opened for modification	C:\Windows\system32\1JQQPMJxlPtLqK.sys	rdpshell.exe
File opened for modification	C:\Windows\system32\q84bJFCB2j.sys	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	rdpshell.exe
File opened for modification	C:\Windows\system32\LwUcJudAY3dw.uxg	rdpshell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	rdpshell.exe
File opened for modification	C:\Windows\system32\3KrxCsiGte0cHk.llz	rdpshell.exe
File opened for modification	C:\Windows\system32\Z3mP5YXPxVG.uej	rdpshell.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\B0A9sumC9jF.gex	rdpshell.exe
File opened for modification	C:\Program Files\Microsoft Office\39640d08.js	rdpshell.exe
File opened for modification	C:\Program Files\PZfdmQ4KnWJPbz.shh	rdpshell.exe
File opened for modification	C:\Program Files (x86)\WxUadvK3d6sN.sys	rdpshell.exe
File opened for modification	C:\Program Files (x86)\WInVzZPg1vyD.cbo	rdpshell.exe
File opened for modification	C:\Program Files\Internet Explorer\396428a0.js	Explorer.EXE
File opened for modification	C:\Program Files\Internet Explorer\56163cf0.js	Explorer.EXE
File opened for modification	C:\Program Files\l8x1ZPaL1Gif.kdf	rdpshell.exe
File opened for modification	C:\Program Files\GiJn23A3eL.zsy	rdpshell.exe
File opened for modification	C:\Program Files\X2qURH30xKn.sys	rdpshell.exe
File opened for modification	C:\Program Files (x86)\c38PxWZaci.bwn	rdpshell.exe
File opened for modification	C:\Program Files\rdpshell.exe	Explorer.EXE
File opened for modification	C:\Program Files\MjSUYPAeEmbX1e.sys	rdpshell.exe
File opened for modification	C:\Program Files (x86)\6pd8ineqoO.sys	rdpshell.exe
File opened for modification	C:\Program Files\Microsoft Office\47bd104a.html	rdpshell.exe
File opened for modification	C:\Program Files\Microsoft Office\lib\646f16ce.js	rdpshell.exe
File created	C:\Program Files\rdpshell.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\d0B8VA1y70pfIp.sys	rdpshell.exe
File opened for modification	C:\Program Files\Internet Explorer\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files\Internet Explorer\47bd32c8.html	Explorer.EXE
File opened for modification	C:\Program Files\5ONRn271JV.sys	rdpshell.exe
File opened for modification	C:\Program Files\Microsoft Office\manifest.json	rdpshell.exe
File opened for modification	C:\Program Files\Microsoft Office\5616138c.js	rdpshell.exe
File opened for modification	C:\Program Files\Internet Explorer\lib\646f4718.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\m9cGiRIYUtj.iqc	rdpshell.exe
File opened for modification	C:\Program Files\j0DWE1ddG9ifr.sys	rdpshell.exe
File opened for modification	C:\Program Files (x86)\mCME6mwLy2.szd	rdpshell.exe
File opened for modification	C:\Program Files (x86)\u81oPd1uEaNkxK.sys	rdpshell.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\5uWuR4ji6T5.sys	rdpshell.exe
File opened for modification	C:\Windows\BGWjScWu3O1RK0.sys	rdpshell.exe
File opened for modification	C:\Windows\n2s6KlFrKPSV.mdh	rdpshell.exe
File opened for modification	C:\Windows\lVSCVRoha2.faj	rdpshell.exe
File created	C:\Windows\zVHfKU7.sys	rdpshell.exe
File opened for modification	C:\Windows\LFRbt5PlZO7I4.ube	rdpshell.exe
File opened for modification	C:\Windows\m03IKwpwfskmr.sys	rdpshell.exe
File opened for modification	C:\Windows\MezBt6cuGDynuB.lsv	rdpshell.exe
File opened for modification	C:\Windows\ItLacGKgrA.sys	rdpshell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2772	timeout.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rdpshell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rdpshell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rdpshell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rdpshell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rdpshell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	setspn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	setspn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rdpshell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rdpshell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rdpshell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rdpshell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	setspn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
412	rdpshell.exe
412	rdpshell.exe
2544	setspn.exe
2544	setspn.exe
412	rdpshell.exe
412	rdpshell.exe
412	rdpshell.exe
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
412	rdpshell.exe
3172	Explorer.EXE
3172	Explorer.EXE
412	rdpshell.exe
412	rdpshell.exe
3172	Explorer.EXE
3172	Explorer.EXE
412	rdpshell.exe
412	rdpshell.exe
3172	Explorer.EXE
412	rdpshell.exe
3172	Explorer.EXE
412	rdpshell.exe
3172	Explorer.EXE
412	rdpshell.exe
3172	Explorer.EXE
412	rdpshell.exe
3172	Explorer.EXE
3172	Explorer.EXE
412	rdpshell.exe
412	rdpshell.exe
3172	Explorer.EXE
412	rdpshell.exe
3172	Explorer.EXE
3172	Explorer.EXE
412	rdpshell.exe
3172	Explorer.EXE
412	rdpshell.exe
3172	Explorer.EXE
412	rdpshell.exe
3172	Explorer.EXE
412	rdpshell.exe
3172	Explorer.EXE
412	rdpshell.exe
3172	Explorer.EXE
412	rdpshell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3172	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
Token: SeTcbPrivilege	1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
Token: SeDebugPrivilege	1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
Token: SeDebugPrivilege	3172	Explorer.EXE
Token: SeTcbPrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	3172	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
Token: SeDebugPrivilege	412	rdpshell.exe
Token: SeDebugPrivilege	412	rdpshell.exe
Token: SeDebugPrivilege	412	rdpshell.exe
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	412	rdpshell.exe
Token: SeBackupPrivilege	412	rdpshell.exe
Token: SeDebugPrivilege	412	rdpshell.exe
Token: SeDebugPrivilege	412	rdpshell.exe
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	412	rdpshell.exe
Token: SeDebugPrivilege	412	rdpshell.exe
Token: SeDebugPrivilege	3172	Explorer.EXE
Token: SeBackupPrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	64	dwm.exe
Token: SeBackupPrivilege	64	dwm.exe
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	64	dwm.exe
Token: SeCreatePagefilePrivilege	64	dwm.exe
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3172	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 3172	1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	54
PID 1588 wrote to memory of 3172	1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	54
PID 1588 wrote to memory of 3172	1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	54
PID 3172 wrote to memory of 412	3172	Explorer.EXE	83
PID 3172 wrote to memory of 412	3172	Explorer.EXE	83
PID 3172 wrote to memory of 412	3172	Explorer.EXE	83
PID 3172 wrote to memory of 412	3172	Explorer.EXE	83
PID 3172 wrote to memory of 412	3172	Explorer.EXE	83
PID 3172 wrote to memory of 412	3172	Explorer.EXE	83
PID 3172 wrote to memory of 412	3172	Explorer.EXE	83
PID 3172 wrote to memory of 604	3172	Explorer.EXE	11
PID 3172 wrote to memory of 604	3172	Explorer.EXE	11
PID 3172 wrote to memory of 604	3172	Explorer.EXE	11
PID 3172 wrote to memory of 604	3172	Explorer.EXE	11
PID 3172 wrote to memory of 604	3172	Explorer.EXE	11
PID 1588 wrote to memory of 4036	1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	87
PID 1588 wrote to memory of 4036	1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	87
PID 1588 wrote to memory of 4036	1588	88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe	87
PID 4036 wrote to memory of 2772	4036	cmd.exe	90
PID 4036 wrote to memory of 2772	4036	cmd.exe	90
PID 4036 wrote to memory of 2772	4036	cmd.exe	90
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 2544	412	rdpshell.exe	94
PID 412 wrote to memory of 2544	412	rdpshell.exe	94
PID 412 wrote to memory of 2544	412	rdpshell.exe	94
PID 412 wrote to memory of 2544	412	rdpshell.exe	94
PID 412 wrote to memory of 2544	412	rdpshell.exe	94
PID 412 wrote to memory of 2544	412	rdpshell.exe	94
PID 412 wrote to memory of 2544	412	rdpshell.exe	94
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54
PID 412 wrote to memory of 3172	412	rdpshell.exe	54

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604
- C:\Program Files\rdpshell.exe
  "C:\Program Files\rdpshell.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\system32\setspn.exe
    "C:\Windows\system32\setspn.exe"
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2544
- - C:\Windows\system32\csrss.exe
    "C:\Windows\system32\csrss.exe"
    3⤵
    PID:2916

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe
  "C:\Users\Admin\AppData\Local\Temp\88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\88235a4995a5cb37ecec39cafdfa1498c69b43f8f9d2d7bf2e683afbe1e6002c.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\rdpshell.exe

Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
C:\Program Files\rdpshell.exe

Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
C:\Program Files\rdpshell.exe

Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
C:\Windows\5uWuR4ji6T5.sys

Filesize
447KB

MD5
d15f5f23df8036bd5089ce8d151b0e0d

SHA1
4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

SHA256
f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

SHA512
feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Download Submit
C:\Windows\BGWjScWu3O1RK0.sys

Filesize
447KB

MD5
b53682b25e0381e27ba7285105361dbd

SHA1
f330ca8538663fa106aacb6d47423c4d8ff76dac

SHA256
3779c79575758ccbebec331cfb1fe7e2dd0033d76dee304106ade81338e2e1a4

SHA512
b9dabfcff64ef246731d34dcd89268774fd52028b3536805af9cbb87c01fb232bcf608f9f3ee2bd6581e9008b5902d6106f6162d09516e84479c3087f6a17779

Download Submit
C:\Windows\ItLacGKgrA.sys

Filesize
415KB

MD5
aeb4e3cdf9497cc50d3a6a728900b411

SHA1
cef3674682855dd6d16809585799aef4c18250ab

SHA256
4477b6dad653626604e402dabd7590440702433088ec41b02919f21c19dbcd7b

SHA512
68a91cbc4f94c8210661c94f637d51d0824eccf56a2f4460212ed4d9b9f8eb32793eb52c560b3cf78cfe7c756eac9ef5c642a0c091e26c718fccef77cf609f66

Download Submit
C:\Windows\m03IKwpwfskmr.sys

Filesize
415KB

MD5
64bc1983743c584a9ad09dacf12792e5

SHA1
0f14098f523d21f11129c4df09451413ddff6d61

SHA256
057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

SHA512
9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Download Submit
memory/412-57-0x00000248E55F0000-0x00000248E56BB000-memory.dmp

Filesize
812KB

Download
memory/412-80-0x00000248E70A0000-0x00000248E70A1000-memory.dmp

Filesize
4KB

Download
memory/412-14-0x00000248E5340000-0x00000248E5343000-memory.dmp

Filesize
12KB

Download
memory/412-17-0x00000248E55F0000-0x00000248E56BB000-memory.dmp

Filesize
812KB

Download
memory/412-19-0x00007FFCFF2D0000-0x00007FFCFF2E0000-memory.dmp

Filesize
64KB

Download
memory/412-16-0x00000248E55F0000-0x00000248E56BB000-memory.dmp

Filesize
812KB

Download
memory/412-361-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/412-20-0x00000248E55F0000-0x00000248E56BB000-memory.dmp

Filesize
812KB

Download
memory/412-356-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/412-360-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/412-113-0x00000248E8C40000-0x00000248E8CEC000-memory.dmp

Filesize
688KB

Download
memory/412-95-0x00000248E7B30000-0x00000248E7BE7000-memory.dmp

Filesize
732KB

Download
memory/412-54-0x00007FFCFF2D0000-0x00007FFCFF2E0000-memory.dmp

Filesize
64KB

Download
memory/412-355-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/412-56-0x0000021403FB0000-0x0000021403FD8000-memory.dmp

Filesize
160KB

Download
memory/412-358-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/412-58-0x00000248E70A0000-0x00000248E70A1000-memory.dmp

Filesize
4KB

Download
memory/412-59-0x00000248E55F0000-0x00000248E56BB000-memory.dmp

Filesize
812KB

Download
memory/412-359-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/412-61-0x0000021403FB0000-0x0000021403FD8000-memory.dmp

Filesize
160KB

Download
memory/412-63-0x00000248E70A0000-0x00000248E70A1000-memory.dmp

Filesize
4KB

Download
memory/412-62-0x00000248E70A0000-0x00000248E70A1000-memory.dmp

Filesize
4KB

Download
memory/412-64-0x00000248E7B30000-0x00000248E7BE7000-memory.dmp

Filesize
732KB

Download
memory/412-65-0x00000248E70B0000-0x00000248E70BF000-memory.dmp

Filesize
60KB

Download
memory/412-69-0x00000248E8C40000-0x00000248E8CEC000-memory.dmp

Filesize
688KB

Download
memory/412-330-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/412-312-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/412-72-0x00000248E7DC0000-0x00000248E7DEE000-memory.dmp

Filesize
184KB

Download
memory/412-357-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/412-84-0x00000248E9120000-0x00000248E92EA000-memory.dmp

Filesize
1.8MB

Download
memory/412-86-0x00000248E70A0000-0x00000248E70A1000-memory.dmp

Filesize
4KB

Download
memory/604-60-0x0000021403FB0000-0x0000021403FD8000-memory.dmp

Filesize
160KB

Download
memory/604-24-0x0000021403FB0000-0x0000021403FD8000-memory.dmp

Filesize
160KB

Download
memory/1588-0-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/1588-31-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/1588-18-0x0000000000960000-0x0000000000A62000-memory.dmp

Filesize
1.0MB

Download
memory/2544-99-0x0000027D721F0000-0x0000027D72396000-memory.dmp

Filesize
1.6MB

Download
memory/3172-53-0x00000000096E0000-0x00000000097D7000-memory.dmp

Filesize
988KB

Download
memory/3172-116-0x00000248E7DC0000-0x00000248E7DEE000-memory.dmp

Filesize
184KB

Download
memory/3172-309-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/3172-313-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/3172-77-0x00000248E7DC0000-0x00000248E7DEE000-memory.dmp

Filesize
184KB

Download
memory/3172-311-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-315-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-317-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-320-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-322-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-323-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-324-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/3172-326-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-327-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/3172-71-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/3172-332-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/3172-335-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-333-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-337-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-340-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-341-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-343-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-346-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-345-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-349-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3172-354-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/3172-55-0x00000000096E0000-0x00000000097D7000-memory.dmp

Filesize
988KB

Download
memory/3172-22-0x0000000008BC0000-0x0000000008C39000-memory.dmp

Filesize
484KB

Download
memory/3172-7-0x00000000089E0000-0x00000000089E3000-memory.dmp

Filesize
12KB

Download
memory/3172-9-0x00000000096E0000-0x00000000097D7000-memory.dmp

Filesize
988KB

Download
memory/3172-2-0x00000000034F0000-0x00000000034F3000-memory.dmp

Filesize
12KB

Download
memory/3172-3-0x0000000008BC0000-0x0000000008C39000-memory.dmp

Filesize
484KB

Download
memory/3172-4-0x00000000034F0000-0x00000000034F3000-memory.dmp

Filesize
12KB

Download
memory/3172-5-0x0000000008BC0000-0x0000000008C39000-memory.dmp

Filesize
484KB

Download
memory/3172-1-0x00000000034F0000-0x00000000034F3000-memory.dmp

Filesize
12KB

Download