rms | 4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50

Analysis

max time kernel
177s
max time network
189s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c92c59fa1503d65d1d67a578928e3c55.exe
Size

6.2MB
MD5

c92c59fa1503d65d1d67a578928e3c55
SHA1

0cb1106bde45dd5be118bb7b9ebb2be3e41b7203
SHA256

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50
SHA512

1f8c714bfc23bd642ec6f4e5539ac1585e0cd8a54ba2b72ff06d7b4f0dd94589a8e6ab41b689f11f51425067784e071eeffc7e803470d55793492d38f6d11241
SSDEEP

196608:CIgAn6JaxBEvXUJyXEJDNfZJoExr77dZWoNMUyr:SA6YxBYXY+sJokFZWdUy

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Processes:

netsh.exe

pid	Process
2680	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winserv.exewinserv.exewinserv.exewinserv.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 6 IoCs

Processes:

winserv.exewinserv.exewinserv.exeRDPWinst.exewinserv.exewinserv.exe

pid	Process
1460	winserv.exe
1780	winserv.exe
808	winserv.exe
1744	RDPWinst.exe
2936	winserv.exe
2176	winserv.exe

Loads dropped DLL 1 IoCs

Processes:

pid	Process
2748

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
10	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

Drops file in Program Files directory 4 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.exeRDPWinst.exe

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper	c92c59fa1503d65d1d67a578928e3c55.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	c92c59fa1503d65d1d67a578928e3c55.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c92c59fa1503d65d1d67a578928e3c55.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c92c59fa1503d65d1d67a578928e3c55.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c92c59fa1503d65d1d67a578928e3c55.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2624	schtasks.exe
2380	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2344	timeout.exe

Modifies registry class 3 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	c92c59fa1503d65d1d67a578928e3c55.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	c92c59fa1503d65d1d67a578928e3c55.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	c92c59fa1503d65d1d67a578928e3c55.exe

NTFS ADS 3 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\	c92c59fa1503d65d1d67a578928e3c55.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	c92c59fa1503d65d1d67a578928e3c55.exe
File opened for modification	C:\ProgramData\Setup\winmgmts:\	c92c59fa1503d65d1d67a578928e3c55.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.exewinserv.exewinserv.exewinserv.exewinserv.exewinserv.exe

pid	Process
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
1460	winserv.exe
1460	winserv.exe
1460	winserv.exe
1460	winserv.exe
1460	winserv.exe
1780	winserv.exe
1780	winserv.exe
1780	winserv.exe
1780	winserv.exe
808	winserv.exe
808	winserv.exe
808	winserv.exe
808	winserv.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2372	c92c59fa1503d65d1d67a578928e3c55.exe
2936	winserv.exe
2936	winserv.exe
2936	winserv.exe
2936	winserv.exe
2176	winserv.exe
2176	winserv.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid	Process
2748
2748
2748

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

winserv.exewinserv.exeRDPWinst.exe

description	pid	Process
Token: SeDebugPrivilege	1460	winserv.exe
Token: SeTakeOwnershipPrivilege	1780	winserv.exe
Token: SeTcbPrivilege	1780	winserv.exe
Token: SeTcbPrivilege	1780	winserv.exe
Token: SeDebugPrivilege	1744	RDPWinst.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

winserv.exewinserv.exewinserv.exewinserv.exewinserv.exe

pid	Process
1460	winserv.exe
1460	winserv.exe
1460	winserv.exe
1460	winserv.exe
1780	winserv.exe
1780	winserv.exe
1780	winserv.exe
1780	winserv.exe
808	winserv.exe
808	winserv.exe
808	winserv.exe
808	winserv.exe
2936	winserv.exe
2936	winserv.exe
2936	winserv.exe
2936	winserv.exe
2176	winserv.exe
2176	winserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	Process	procid_target
PID 2372 wrote to memory of 2624	2372	c92c59fa1503d65d1d67a578928e3c55.exe	30
PID 2372 wrote to memory of 2624	2372	c92c59fa1503d65d1d67a578928e3c55.exe	30
PID 2372 wrote to memory of 2624	2372	c92c59fa1503d65d1d67a578928e3c55.exe	30
PID 2372 wrote to memory of 2380	2372	c92c59fa1503d65d1d67a578928e3c55.exe	32
PID 2372 wrote to memory of 2380	2372	c92c59fa1503d65d1d67a578928e3c55.exe	32
PID 2372 wrote to memory of 2380	2372	c92c59fa1503d65d1d67a578928e3c55.exe	32
PID 2372 wrote to memory of 1460	2372	c92c59fa1503d65d1d67a578928e3c55.exe	35
PID 2372 wrote to memory of 1460	2372	c92c59fa1503d65d1d67a578928e3c55.exe	35
PID 2372 wrote to memory of 1460	2372	c92c59fa1503d65d1d67a578928e3c55.exe	35
PID 2372 wrote to memory of 1460	2372	c92c59fa1503d65d1d67a578928e3c55.exe	35
PID 2372 wrote to memory of 1916	2372	c92c59fa1503d65d1d67a578928e3c55.exe	38
PID 2372 wrote to memory of 1916	2372	c92c59fa1503d65d1d67a578928e3c55.exe	38
PID 2372 wrote to memory of 1916	2372	c92c59fa1503d65d1d67a578928e3c55.exe	38
PID 1916 wrote to memory of 1640	1916	cmd.exe	40
PID 1916 wrote to memory of 1640	1916	cmd.exe	40
PID 1916 wrote to memory of 1640	1916	cmd.exe	40
PID 1640 wrote to memory of 1836	1640	net.exe	41
PID 1640 wrote to memory of 1836	1640	net.exe	41
PID 1640 wrote to memory of 1836	1640	net.exe	41
PID 2372 wrote to memory of 1644	2372	c92c59fa1503d65d1d67a578928e3c55.exe	43
PID 2372 wrote to memory of 1644	2372	c92c59fa1503d65d1d67a578928e3c55.exe	43
PID 2372 wrote to memory of 1644	2372	c92c59fa1503d65d1d67a578928e3c55.exe	43
PID 2372 wrote to memory of 2340	2372	c92c59fa1503d65d1d67a578928e3c55.exe	47
PID 2372 wrote to memory of 2340	2372	c92c59fa1503d65d1d67a578928e3c55.exe	47
PID 2372 wrote to memory of 2340	2372	c92c59fa1503d65d1d67a578928e3c55.exe	47
PID 1644 wrote to memory of 2368	1644	cmd.exe	45
PID 1644 wrote to memory of 2368	1644	cmd.exe	45
PID 1644 wrote to memory of 2368	1644	cmd.exe	45
PID 2368 wrote to memory of 2316	2368	net.exe	46
PID 2368 wrote to memory of 2316	2368	net.exe	46
PID 2368 wrote to memory of 2316	2368	net.exe	46
PID 2340 wrote to memory of 2304	2340	cmd.exe	50
PID 2340 wrote to memory of 2304	2340	cmd.exe	50
PID 2340 wrote to memory of 2304	2340	cmd.exe	50
PID 2372 wrote to memory of 2876	2372	c92c59fa1503d65d1d67a578928e3c55.exe	65
PID 2372 wrote to memory of 2876	2372	c92c59fa1503d65d1d67a578928e3c55.exe	65
PID 2372 wrote to memory of 2876	2372	c92c59fa1503d65d1d67a578928e3c55.exe	65
PID 2304 wrote to memory of 988	2304	net.exe	48
PID 2304 wrote to memory of 988	2304	net.exe	48
PID 2304 wrote to memory of 988	2304	net.exe	48
PID 2876 wrote to memory of 2320	2876	cmd.exe	64
PID 2876 wrote to memory of 2320	2876	cmd.exe	64
PID 2876 wrote to memory of 2320	2876	cmd.exe	64
PID 2372 wrote to memory of 2240	2372	c92c59fa1503d65d1d67a578928e3c55.exe	63
PID 2372 wrote to memory of 2240	2372	c92c59fa1503d65d1d67a578928e3c55.exe	63
PID 2372 wrote to memory of 2240	2372	c92c59fa1503d65d1d67a578928e3c55.exe	63
PID 2320 wrote to memory of 1848	2320	net.exe	61
PID 2320 wrote to memory of 1848	2320	net.exe	61
PID 2320 wrote to memory of 1848	2320	net.exe	61
PID 2240 wrote to memory of 884	2240	cmd.exe	60
PID 2240 wrote to memory of 884	2240	cmd.exe	60
PID 2240 wrote to memory of 884	2240	cmd.exe	60
PID 884 wrote to memory of 1764	884	net.exe	59
PID 884 wrote to memory of 1764	884	net.exe	59
PID 884 wrote to memory of 1764	884	net.exe	59
PID 2372 wrote to memory of 2312	2372	c92c59fa1503d65d1d67a578928e3c55.exe	58
PID 2372 wrote to memory of 2312	2372	c92c59fa1503d65d1d67a578928e3c55.exe	58
PID 2372 wrote to memory of 2312	2372	c92c59fa1503d65d1d67a578928e3c55.exe	58
PID 2312 wrote to memory of 2024	2312	cmd.exe	57
PID 2312 wrote to memory of 2024	2312	cmd.exe	57
PID 2312 wrote to memory of 2024	2312	cmd.exe	57
PID 2024 wrote to memory of 1108	2024	net.exe	52
PID 2024 wrote to memory of 1108	2024	net.exe	52
PID 2024 wrote to memory of 1108	2024	net.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55.exe
"C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2624
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2380
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1460
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\system32\net.exe
    net user John 12345 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user John 12345 /add
      4⤵
      PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\net.exe
    net localgroup "Администраторы" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Администраторы" John /add
      4⤵
      PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного рабочего стола" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    PID:2680
- C:\Windows\system32\cmd.exe
  cmd /c C:\Programdata\Install\del.bat
  2⤵
  PID:1636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
1⤵
PID:988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
1⤵
PID:1108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
1⤵
PID:1532

C:\Windows\system32\net.exe
net localgroup "Remote Desktop Users" john /add
1⤵
PID:1536

C:\Windows\system32\net.exe
net localgroup "Administradores" John /add
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
1⤵
PID:1764

C:\Windows\system32\net.exe
net localgroup "Administrators" John /add
1⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
1⤵
PID:1848

C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного управления" john /add" John /add
1⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\system32\taskeng.exe
taskeng.exe {7216BAE8-18CB-4EEE-B06C-063571842B53} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
PID:880
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:808
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2936
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2176

C:\Windows\system32\timeout.exe
timeout 5
1⤵
- Delays execution with timeout.exe
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RDPWinst.exe

Filesize
11KB

MD5
6cc4b1a82b896f46a25c4a27288ba214

SHA1
3c18f398869ad71f5b8f92c8415de8401758768d

SHA256
1870de915459018945495276af277e9b619e3a94e82b28b1958e02bdb8d3f3f2

SHA512
779ab555163af1a40a754d9417dd636be07066846fd90f1564e21d15f6427cdd6cba09ed519222727f5fd5fa375692e92a2a0b9bc4122006a6b6372bcf73f78a

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
136KB

MD5
2921481c8cb91db7d4f1caf201ec861f

SHA1
193c914a432e0ed88f7f1b3f74913aae62c9c7e9

SHA256
e4c1678881ebcd3c6f32664ca83fad2eb66cc0b55cc7dec1f4e8a9f6ee968349

SHA512
a79a6b3d3b983e3696cde02adae0e69eeb3c06d63eab546a0ccf9a08169158ec6a735299a24a244e09453f666a878b581a72a0da1c64d3ba6d0d760b9ca35272

Download Submit
C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
e21b95f6f2e5a0483e40b4caef16c718

SHA1
4310628908a9ff2c30064700f90a502cb3e13e49

SHA256
5deccd3b77e7f261ca0d427f0aa7dbdabb1d8c4ba92672a15855949813a16a58

SHA512
fd5b05a1f42ab36b39b4bfd08a244362b456bd5ecaee14912538d9a2d9c26583b0b824c4d606ae5e869cc143ea67d48269204dd5897878f35360439fd61246f2

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
160KB

MD5
3edd2fadee437fb4d1e093501b89b124

SHA1
464206728f57b13fc77301b6fb969b2b6b3c5463

SHA256
5e5ab3bd7b39cc8c817eefcb242a9b6ea469d33988035adfd417311d38d5fc5c

SHA512
fbd7305a8865d2f47975c58abcfea84300d5f7994844c0620a844d0143aa8c0ecb309257be09efe26acc87d7ec3a1069326ae18194ca1f5c5b7e36e6d000f531

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
706KB

MD5
ae5a7a4f0195764d8db91fdf13fb6b82

SHA1
5e8e404c7f87dfd65d5d9ef2e705ee261840e377

SHA256
e434c9657dc101a0f7acf927612629f6d7d0e7d32f2e53c8b6f1f176b23556fc

SHA512
ef23de8cd3576ba1957e16d2fafc3e0baa9f2e0d449e5f54e4686f87b3406b44e2af224266ee2631072ccb32f9e0af6b73fe7e437bae82be441b925d0dbc9907

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1.5MB

MD5
650f133d9c4216068eb9713da7f77984

SHA1
159fa31630312141970558280ce9e254870f3c43

SHA256
572924939c0bf0bc52722fc535a77da3fdeeadbd3abc6be9da5a97d15c68dccc

SHA512
29b496f00f40d5521f8a560a7b3ae30ed09c4a53d833ee541ae4b782d6d7444bcb7d96f05c8de91c02b8c0f85479fb050fb1925e7854d63827af43f44aa90b57

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
364KB

MD5
aefd6cecc95ac4e6c33d10a533b6e189

SHA1
36e7228adb574735f8af56f14881f2fe8ef9f62c

SHA256
37a60a9311c7500122a35c65691969983575b1f2181b54b2f5ebd3b5804d5fef

SHA512
3e2bc63af5436af25ec5a38b91334e9f35e8d645a9c55d3551037bbd859f857036126e1da1f4ed12f2c89971ac559452a96ea1225f472682bbd286e4bed0c48e

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1KB

MD5
a2d8b19ab1bbea76162d0e033e475d67

SHA1
83ff2a02b906bafbb93f8f8616a27e76ca598a26

SHA256
40280e367278916d4ec7dd23d0c8e803962a37149f1cc692da02463e9897bf94

SHA512
9f35e577f551a4c3f801f7d0c937e7fa45ffa2ae7ad1c2fd97e721ffcda7d6fcea5084402e5e48a89ccdef6d60ffd8ef40a268786719d1c82e490338a79eea73

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1008KB

MD5
8e28e46c5657e053308602fa12653b45

SHA1
66690b843a351c284909f762380af96a541717f4

SHA256
01457171ee7908d80a4cff792e173d6d2998af3cda4568030aabfb6d21e8ef3e

SHA512
08c7d5d98a8862c825b9193530fe0d3e375b358d8184e1f7298b76be5aa93fee626fc410bff3a2ef466e609cd92986c0a4712fadb9a18f0d27ad3860c04cccfc

Download Submit
C:\Programdata\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF1F1.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar239.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/808-67-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/808-65-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1460-16-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1460-20-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1460-18-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1460-15-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1460-14-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1460-13-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1460-11-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1744-76-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-73-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1780-26-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-34-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/1780-40-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1780-43-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-39-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/1780-36-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/1780-44-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/1780-48-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/1780-47-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/1780-46-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/1780-45-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/1780-35-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/1780-49-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/1780-37-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/1780-53-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-59-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-38-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/1780-41-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/1780-33-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-32-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1780-31-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-74-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-30-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-29-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-78-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-28-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-27-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-25-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-24-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-21-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1780-22-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2176-141-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2176-142-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2176-143-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2936-119-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2936-120-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download