rms | 4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50

Analysis

max time kernel
166s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c92c59fa1503d65d1d67a578928e3c55.exe
Size

6.2MB
MD5

c92c59fa1503d65d1d67a578928e3c55
SHA1

0cb1106bde45dd5be118bb7b9ebb2be3e41b7203
SHA256

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50
SHA512

1f8c714bfc23bd642ec6f4e5539ac1585e0cd8a54ba2b72ff06d7b4f0dd94589a8e6ab41b689f11f51425067784e071eeffc7e803470d55793492d38f6d11241
SSDEEP

196608:CIgAn6JaxBEvXUJyXEJDNfZJoExr77dZWoNMUyr:SA6YxBYXY+sJokFZWdUy

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Processes:

netsh.exe

pid	Process
2724	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c92c59fa1503d65d1d67a578928e3c55.exewinserv.exewinserv.exewinserv.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	c92c59fa1503d65d1d67a578928e3c55.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 5 IoCs

Processes:

winserv.exewinserv.exeRDPWinst.exewinserv.exewinserv.exe

pid	Process
2964	winserv.exe
3148	winserv.exe
1072	RDPWinst.exe
1948	winserv.exe
3312	winserv.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid	Process
4792	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
88	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

Drops file in System32 directory 1 IoCs

Processes:

RDPWinst.exe

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWinst.exe

Drops file in Program Files directory 5 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.exeRDPWinst.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	c92c59fa1503d65d1d67a578928e3c55.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	\??\c:\program files\rdp wrapper\rdpwrap.txt	svchost.exe
File opened for modification	C:\Program Files\RDP Wrapper	c92c59fa1503d65d1d67a578928e3c55.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c92c59fa1503d65d1d67a578928e3c55.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c92c59fa1503d65d1d67a578928e3c55.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c92c59fa1503d65d1d67a578928e3c55.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
4424	schtasks.exe
2628	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
4908	timeout.exe

Modifies registry class 3 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\MIME\Database	c92c59fa1503d65d1d67a578928e3c55.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	c92c59fa1503d65d1d67a578928e3c55.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	c92c59fa1503d65d1d67a578928e3c55.exe

NTFS ADS 3 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	c92c59fa1503d65d1d67a578928e3c55.exe
File opened for modification	C:\ProgramData\Setup\winmgmts:\	c92c59fa1503d65d1d67a578928e3c55.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\	c92c59fa1503d65d1d67a578928e3c55.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.exewinserv.exewinserv.exewinserv.exesvchost.exe

pid	Process
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2964	winserv.exe
2964	winserv.exe
2964	winserv.exe
2964	winserv.exe
2964	winserv.exe
2964	winserv.exe
3148	winserv.exe
3148	winserv.exe
3148	winserv.exe
3148	winserv.exe
1948	winserv.exe
1948	winserv.exe
1948	winserv.exe
1948	winserv.exe
4792	svchost.exe
4792	svchost.exe
4792	svchost.exe
4792	svchost.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe
2556	c92c59fa1503d65d1d67a578928e3c55.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
668
668

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

winserv.exewinserv.exeRDPWinst.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	2964	winserv.exe
Token: SeTakeOwnershipPrivilege	3148	winserv.exe
Token: SeTcbPrivilege	3148	winserv.exe
Token: SeTcbPrivilege	3148	winserv.exe
Token: SeDebugPrivilege	1072	RDPWinst.exe
Token: SeAuditPrivilege	4792	svchost.exe
Token: SeAuditPrivilege	4792	svchost.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

winserv.exewinserv.exewinserv.exewinserv.exe

pid	Process
2964	winserv.exe
2964	winserv.exe
2964	winserv.exe
2964	winserv.exe
3148	winserv.exe
3148	winserv.exe
3148	winserv.exe
3148	winserv.exe
1948	winserv.exe
1948	winserv.exe
1948	winserv.exe
1948	winserv.exe
3312	winserv.exe
3312	winserv.exe
3312	winserv.exe
3312	winserv.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.execmd.exenet.execmd.exenet.execmd.exesvchost.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exeRDPWinst.execmd.exe

description	pid	Process	procid_target
PID 2556 wrote to memory of 4424	2556	c92c59fa1503d65d1d67a578928e3c55.exe	96
PID 2556 wrote to memory of 4424	2556	c92c59fa1503d65d1d67a578928e3c55.exe	96
PID 2556 wrote to memory of 2628	2556	c92c59fa1503d65d1d67a578928e3c55.exe	98
PID 2556 wrote to memory of 2628	2556	c92c59fa1503d65d1d67a578928e3c55.exe	98
PID 2556 wrote to memory of 2964	2556	c92c59fa1503d65d1d67a578928e3c55.exe	101
PID 2556 wrote to memory of 2964	2556	c92c59fa1503d65d1d67a578928e3c55.exe	101
PID 2556 wrote to memory of 2964	2556	c92c59fa1503d65d1d67a578928e3c55.exe	101
PID 2556 wrote to memory of 4524	2556	c92c59fa1503d65d1d67a578928e3c55.exe	107
PID 2556 wrote to memory of 4524	2556	c92c59fa1503d65d1d67a578928e3c55.exe	107
PID 2556 wrote to memory of 1588	2556	c92c59fa1503d65d1d67a578928e3c55.exe	133
PID 2556 wrote to memory of 1588	2556	c92c59fa1503d65d1d67a578928e3c55.exe	133
PID 4524 wrote to memory of 3972	4524	cmd.exe	108
PID 4524 wrote to memory of 3972	4524	cmd.exe	108
PID 3972 wrote to memory of 5052	3972	net.exe	109
PID 3972 wrote to memory of 5052	3972	net.exe	109
PID 2556 wrote to memory of 4540	2556	c92c59fa1503d65d1d67a578928e3c55.exe	131
PID 2556 wrote to memory of 4540	2556	c92c59fa1503d65d1d67a578928e3c55.exe	131
PID 1588 wrote to memory of 1776	1588	cmd.exe	114
PID 1588 wrote to memory of 1776	1588	cmd.exe	114
PID 1776 wrote to memory of 3172	1776	net.exe	111
PID 1776 wrote to memory of 3172	1776	net.exe	111
PID 4540 wrote to memory of 3760	4540	cmd.exe	137
PID 4540 wrote to memory of 3760	4540	cmd.exe	137
PID 3760 wrote to memory of 1016	3760	svchost.exe	112
PID 3760 wrote to memory of 1016	3760	svchost.exe	112
PID 2556 wrote to memory of 4188	2556	c92c59fa1503d65d1d67a578928e3c55.exe	130
PID 2556 wrote to memory of 4188	2556	c92c59fa1503d65d1d67a578928e3c55.exe	130
PID 4188 wrote to memory of 1540	4188	cmd.exe	116
PID 4188 wrote to memory of 1540	4188	cmd.exe	116
PID 1540 wrote to memory of 3888	1540	net.exe	115
PID 1540 wrote to memory of 3888	1540	net.exe	115
PID 2556 wrote to memory of 3160	2556	c92c59fa1503d65d1d67a578928e3c55.exe	128
PID 2556 wrote to memory of 3160	2556	c92c59fa1503d65d1d67a578928e3c55.exe	128
PID 3160 wrote to memory of 3560	3160	cmd.exe	126
PID 3160 wrote to memory of 3560	3160	cmd.exe	126
PID 3560 wrote to memory of 4280	3560	net.exe	117
PID 3560 wrote to memory of 4280	3560	net.exe	117
PID 2556 wrote to memory of 3020	2556	c92c59fa1503d65d1d67a578928e3c55.exe	125
PID 2556 wrote to memory of 3020	2556	c92c59fa1503d65d1d67a578928e3c55.exe	125
PID 3020 wrote to memory of 4268	3020	cmd.exe	124
PID 3020 wrote to memory of 4268	3020	cmd.exe	124
PID 4268 wrote to memory of 3512	4268	net.exe	123
PID 4268 wrote to memory of 3512	4268	net.exe	123
PID 2556 wrote to memory of 3128	2556	c92c59fa1503d65d1d67a578928e3c55.exe	120
PID 2556 wrote to memory of 3128	2556	c92c59fa1503d65d1d67a578928e3c55.exe	120
PID 3128 wrote to memory of 4992	3128	cmd.exe	121
PID 3128 wrote to memory of 4992	3128	cmd.exe	121
PID 4992 wrote to memory of 3088	4992	net.exe	122
PID 4992 wrote to memory of 3088	4992	net.exe	122
PID 2556 wrote to memory of 1072	2556	c92c59fa1503d65d1d67a578928e3c55.exe	136
PID 2556 wrote to memory of 1072	2556	c92c59fa1503d65d1d67a578928e3c55.exe	136
PID 2556 wrote to memory of 1072	2556	c92c59fa1503d65d1d67a578928e3c55.exe	136
PID 1072 wrote to memory of 2724	1072	RDPWinst.exe	141
PID 1072 wrote to memory of 2724	1072	RDPWinst.exe	141
PID 2556 wrote to memory of 3492	2556	c92c59fa1503d65d1d67a578928e3c55.exe	154
PID 2556 wrote to memory of 3492	2556	c92c59fa1503d65d1d67a578928e3c55.exe	154
PID 3492 wrote to memory of 4908	3492	cmd.exe	156
PID 3492 wrote to memory of 4908	3492	cmd.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55.exe
"C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4424
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2628
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2964
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\net.exe
    net user John 12345 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user John 12345 /add
      4⤵
      PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\system32\net.exe
    net localgroup "Remote Desktop Users" john /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
      4⤵
      PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SYSTEM32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:4908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
1⤵
PID:3172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
1⤵
PID:1016

C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
1⤵
PID:3760

C:\Windows\system32\net.exe
net localgroup "Администраторы" John /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
1⤵
PID:3888

C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного управления" john /add" John /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
1⤵
PID:4280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
1⤵
PID:3512

C:\Windows\system32\net.exe
net localgroup "Administradores" John /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\system32\net.exe
net localgroup "Administrators" John /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1948

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
60KB

MD5
2d9d334e2b3083cb15ca2489662617ef

SHA1
5cbdfe28ba2059a0a6fdc27db075b5348562e34b

SHA256
891a44c58771d63bf1de0e8b886a90c173f25d1fdeb7fee5a2c08662410f44c2

SHA512
6a0155d8ce43a1e82166a44b27101b80fd9ce57d31320a962f3940aad1162bf3e267e4152c9b37446c1ea2d6ee797773f132ccad181e08df3cabb76cddfef209

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
166KB

MD5
22986efa837593bf64a6663fbed25f3d

SHA1
666581e03baae6126181658eb50cb511f70dea84

SHA256
394ed26cb2b9ced6e31fd6c213382e24f3c9348182750c60cf0d4c2501d01fac

SHA512
9492ab8aada5bda6550f99acf3cbe6dc02ad868a7391a534c3d0f876d0cc81e342e0fe1d6b3657b781fe9b892b5709a586d0fb0fc89497b50de16753ccb6f5a4

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
241KB

MD5
47592a7196c58af42e0da9bf8cf5e567

SHA1
7aacb92afe6c19848785ceca43192d54d558ad0e

SHA256
1cf5fd09c811edc73c35560eaaecf89d1a653d1b51f9a69f06066ad0ccd46955

SHA512
603229d11d632afecdcc36a1f03e74789281e55b29f8bec3a225382bf7738cb31bc1cf31d6ce87a09928cb9d9913aa7e6b3056e83fe6a68609c04ef43a8b0445

Download Submit
C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
e21b95f6f2e5a0483e40b4caef16c718

SHA1
4310628908a9ff2c30064700f90a502cb3e13e49

SHA256
5deccd3b77e7f261ca0d427f0aa7dbdabb1d8c4ba92672a15855949813a16a58

SHA512
fd5b05a1f42ab36b39b4bfd08a244362b456bd5ecaee14912538d9a2d9c26583b0b824c4d606ae5e869cc143ea67d48269204dd5897878f35360439fd61246f2

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
83KB

MD5
4b78663b9fcf0b68306c0cc3f714b47c

SHA1
af452a1bbfaca2172618bb4ea76fb4f44801c91f

SHA256
e1d1ddf27784f9ff73ed95e1637501e09449898ad7ccee7e7f4270936ae77e3b

SHA512
33f03c894eee67cd24e9121b94c5772f31b6ae98f0ffae6a8c8644dcd11daf0a79974c74085810c0e508560a7327534573ad904ea43d1ca98222b8472a056d33

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
149KB

MD5
808e98f12e78e79235f67ccbe0a8b4a7

SHA1
2c04c42af057cfce974e3acce51a6e0fe1e325f5

SHA256
7431db5308f158ac9d18fdea4593c528516b9bbefe7ae7eb8faa5cd0edb15e48

SHA512
25c90cea48e64a8200e79a89bae71ab32bd092c2eaefed166c10dc644ab886854f89ec10be3cb6cb4cbffec7b017faed4c9f667a35e2ecbec71bdc558c5aed62

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
181KB

MD5
0f83069d9657dd4232c2464302062e2b

SHA1
f0ff14f417738e04fe0657e24697d84430afdbc8

SHA256
7567c81917d610228ce493a4d3517334a7ec3078513c5f15ea57b0c4a54b4e44

SHA512
f5738d0fc7f0d9f4c739582d11a4495958857400c54448ec3f2b6cd2bd441f08299e3c4750ef6d319a24e3f23198defa6126adebd9889d6cf767e74f64bc43bd

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
77KB

MD5
fb18d9d88282ef4a06fe4eead3f89d71

SHA1
e59bb4656a1c6f86e416ba75084aed04f75cb4d6

SHA256
b869b3c609747f4a1aa6d5e58be120e679faf2445db0fe6ca8577d051c7a3913

SHA512
a1d5be9e2f50b70c99c8a9b362d5e45ea18068b1c40d99710b183a208961e41562a9c966ef1bfb3d2fb2d47a9fa7a7ffe1a8ad180a63badeeb0265a9199f14ce

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
171KB

MD5
5e0709c3231a91aaf8d225e5917d9754

SHA1
ea06386a21cae2e39b6aa90bab3b7fab8f33a839

SHA256
ae18f54a3b9179a3c65a498c711364e3334c301fdce6fca825121d8b750618cc

SHA512
76573993558608a244b7e4b9eb4c09bd9294cabb357307f3ffbe807e592765173f89f82b9efd9fed186361b44c9c683a935b081b14670e93362007051601570f

Download Submit
C:\Programdata\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
64KB

MD5
e95886a6547d99b9fb25cfdf04d7b50e

SHA1
dc3dd3a0ecfabc4b78b56528016b5ec351248450

SHA256
05ab4e980d93bb5471779cd150e780e82a6ab62147f4dde31ae2869cbb213163

SHA512
bb2ea505184fcdb29c852288fa7db4c52b4f4acebdedf911ad4c3e84511306abf7b5fada62ee3358221fc28c71bcd4acd8134bf2cf2e2c44dd44fe134c6ac5a2

Download Submit
memory/1072-72-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1072-61-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1948-63-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/1948-64-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1948-62-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2964-19-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/2964-14-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2964-15-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2964-13-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2964-18-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2964-12-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2964-10-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3148-23-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3148-33-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/3148-31-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/3148-29-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/3148-30-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/3148-35-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3148-36-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/3148-58-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3148-37-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3148-38-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/3148-39-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/3148-32-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/3148-34-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3148-28-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/3148-27-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/3148-67-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3148-69-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3148-25-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/3148-26-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/3148-24-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3312-84-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download