rms | 4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c92c59fa1503d65d1d67a578928e3c55.exe
Size

6.2MB
MD5

c92c59fa1503d65d1d67a578928e3c55
SHA1

0cb1106bde45dd5be118bb7b9ebb2be3e41b7203
SHA256

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50
SHA512

1f8c714bfc23bd642ec6f4e5539ac1585e0cd8a54ba2b72ff06d7b4f0dd94589a8e6ab41b689f11f51425067784e071eeffc7e803470d55793492d38f6d11241
SSDEEP

196608:CIgAn6JaxBEvXUJyXEJDNfZJoExr77dZWoNMUyr:SA6YxBYXY+sJokFZWdUy

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Processes:

netsh.exe

pid	Process
1988	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winserv.exewinserv.exewinserv.exec92c59fa1503d65d1d67a578928e3c55.exewinserv.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	c92c59fa1503d65d1d67a578928e3c55.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 6 IoCs

Processes:

winserv.exewinserv.exewinserv.exeRDPWinst.exewinserv.exewinserv.exe

pid	Process
2972	winserv.exe
2992	winserv.exe
332	winserv.exe
1600	RDPWinst.exe
3340	winserv.exe
2924	winserv.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid	Process
4404	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
86	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

Drops file in System32 directory 1 IoCs

Processes:

RDPWinst.exe

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWinst.exe

Drops file in Program Files directory 5 IoCs

Processes:

RDPWinst.exesvchost.exec92c59fa1503d65d1d67a578928e3c55.exe

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	\??\c:\program files\rdp wrapper\rdpwrap.txt	svchost.exe
File opened for modification	C:\Program Files\RDP Wrapper	c92c59fa1503d65d1d67a578928e3c55.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	c92c59fa1503d65d1d67a578928e3c55.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c92c59fa1503d65d1d67a578928e3c55.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c92c59fa1503d65d1d67a578928e3c55.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c92c59fa1503d65d1d67a578928e3c55.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
3868	schtasks.exe
3500	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
4868	timeout.exe

Modifies registry class 3 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	c92c59fa1503d65d1d67a578928e3c55.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	c92c59fa1503d65d1d67a578928e3c55.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\MIME\Database	c92c59fa1503d65d1d67a578928e3c55.exe

NTFS ADS 3 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\	c92c59fa1503d65d1d67a578928e3c55.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	c92c59fa1503d65d1d67a578928e3c55.exe
File opened for modification	C:\ProgramData\Setup\winmgmts:\	c92c59fa1503d65d1d67a578928e3c55.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.exewinserv.exewinserv.exewinserv.exesvchost.exe

pid	Process
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
2972	winserv.exe
2972	winserv.exe
2972	winserv.exe
2972	winserv.exe
2972	winserv.exe
2972	winserv.exe
2992	winserv.exe
2992	winserv.exe
2992	winserv.exe
2992	winserv.exe
332	winserv.exe
332	winserv.exe
332	winserv.exe
332	winserv.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe
3748	c92c59fa1503d65d1d67a578928e3c55.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
660

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

winserv.exewinserv.exeRDPWinst.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	2972	winserv.exe
Token: SeTakeOwnershipPrivilege	2992	winserv.exe
Token: SeTcbPrivilege	2992	winserv.exe
Token: SeTcbPrivilege	2992	winserv.exe
Token: SeDebugPrivilege	1600	RDPWinst.exe
Token: SeAuditPrivilege	4404	svchost.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

winserv.exewinserv.exewinserv.exewinserv.exewinserv.exe

pid	Process
2972	winserv.exe
2972	winserv.exe
2972	winserv.exe
2972	winserv.exe
2992	winserv.exe
2992	winserv.exe
2992	winserv.exe
2992	winserv.exe
332	winserv.exe
332	winserv.exe
332	winserv.exe
332	winserv.exe
3340	winserv.exe
3340	winserv.exe
3340	winserv.exe
3340	winserv.exe
2924	winserv.exe
2924	winserv.exe
2924	winserv.exe
2924	winserv.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exewuapihost.exenet.execmd.exenet.exeRDPWinst.execmd.exe

description	pid	Process	procid_target
PID 3748 wrote to memory of 3868	3748	c92c59fa1503d65d1d67a578928e3c55.exe	65
PID 3748 wrote to memory of 3868	3748	c92c59fa1503d65d1d67a578928e3c55.exe	65
PID 3748 wrote to memory of 3500	3748	c92c59fa1503d65d1d67a578928e3c55.exe	112
PID 3748 wrote to memory of 3500	3748	c92c59fa1503d65d1d67a578928e3c55.exe	112
PID 3748 wrote to memory of 2972	3748	c92c59fa1503d65d1d67a578928e3c55.exe	96
PID 3748 wrote to memory of 2972	3748	c92c59fa1503d65d1d67a578928e3c55.exe	96
PID 3748 wrote to memory of 2972	3748	c92c59fa1503d65d1d67a578928e3c55.exe	96
PID 3748 wrote to memory of 3956	3748	c92c59fa1503d65d1d67a578928e3c55.exe	100
PID 3748 wrote to memory of 3956	3748	c92c59fa1503d65d1d67a578928e3c55.exe	100
PID 3748 wrote to memory of 4376	3748	c92c59fa1503d65d1d67a578928e3c55.exe	102
PID 3748 wrote to memory of 4376	3748	c92c59fa1503d65d1d67a578928e3c55.exe	102
PID 3748 wrote to memory of 404	3748	c92c59fa1503d65d1d67a578928e3c55.exe	105
PID 3748 wrote to memory of 404	3748	c92c59fa1503d65d1d67a578928e3c55.exe	105
PID 3956 wrote to memory of 3880	3956	cmd.exe	103
PID 3956 wrote to memory of 3880	3956	cmd.exe	103
PID 3880 wrote to memory of 4464	3880	net.exe	126
PID 3880 wrote to memory of 4464	3880	net.exe	126
PID 4376 wrote to memory of 1940	4376	cmd.exe	125
PID 4376 wrote to memory of 1940	4376	cmd.exe	125
PID 3748 wrote to memory of 752	3748	c92c59fa1503d65d1d67a578928e3c55.exe	108
PID 3748 wrote to memory of 752	3748	c92c59fa1503d65d1d67a578928e3c55.exe	108
PID 1940 wrote to memory of 1232	1940	net.exe	107
PID 1940 wrote to memory of 1232	1940	net.exe	107
PID 404 wrote to memory of 2912	404	cmd.exe	124
PID 404 wrote to memory of 2912	404	cmd.exe	124
PID 3748 wrote to memory of 4476	3748	c92c59fa1503d65d1d67a578928e3c55.exe	123
PID 3748 wrote to memory of 4476	3748	c92c59fa1503d65d1d67a578928e3c55.exe	123
PID 2912 wrote to memory of 3340	2912	net.exe	152
PID 2912 wrote to memory of 3340	2912	net.exe	152
PID 752 wrote to memory of 1560	752	cmd.exe	121
PID 752 wrote to memory of 1560	752	cmd.exe	121
PID 1560 wrote to memory of 4364	1560	net.exe	120
PID 1560 wrote to memory of 4364	1560	net.exe	120
PID 4476 wrote to memory of 4388	4476	cmd.exe	119
PID 4476 wrote to memory of 4388	4476	cmd.exe	119
PID 4388 wrote to memory of 2892	4388	net.exe	110
PID 4388 wrote to memory of 2892	4388	net.exe	110
PID 3748 wrote to memory of 1884	3748	c92c59fa1503d65d1d67a578928e3c55.exe	131
PID 3748 wrote to memory of 1884	3748	c92c59fa1503d65d1d67a578928e3c55.exe	131
PID 1884 wrote to memory of 2872	1884	wuapihost.exe	113
PID 1884 wrote to memory of 2872	1884	wuapihost.exe	113
PID 2872 wrote to memory of 3896	2872	net.exe	114
PID 2872 wrote to memory of 3896	2872	net.exe	114
PID 3748 wrote to memory of 5052	3748	c92c59fa1503d65d1d67a578928e3c55.exe	118
PID 3748 wrote to memory of 5052	3748	c92c59fa1503d65d1d67a578928e3c55.exe	118
PID 5052 wrote to memory of 4088	5052	cmd.exe	117
PID 5052 wrote to memory of 4088	5052	cmd.exe	117
PID 4088 wrote to memory of 3364	4088	net.exe	116
PID 4088 wrote to memory of 3364	4088	net.exe	116
PID 3748 wrote to memory of 1600	3748	c92c59fa1503d65d1d67a578928e3c55.exe	135
PID 3748 wrote to memory of 1600	3748	c92c59fa1503d65d1d67a578928e3c55.exe	135
PID 3748 wrote to memory of 1600	3748	c92c59fa1503d65d1d67a578928e3c55.exe	135
PID 1600 wrote to memory of 1988	1600	RDPWinst.exe	141
PID 1600 wrote to memory of 1988	1600	RDPWinst.exe	141
PID 3748 wrote to memory of 1192	3748	c92c59fa1503d65d1d67a578928e3c55.exe	150
PID 3748 wrote to memory of 1192	3748	c92c59fa1503d65d1d67a578928e3c55.exe	150
PID 1192 wrote to memory of 4868	1192	cmd.exe	151
PID 1192 wrote to memory of 4868	1192	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55.exe
"C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:3868
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:3500
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2972
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\system32\net.exe
    net user John 12345 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user John 12345 /add
      4⤵
      PID:4464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\system32\net.exe
    net localgroup "Администраторы" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного рабочего стола" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного управления" john /add" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  PID:1884
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3500
- - C:\Windows\system32\net.exe
    net localgroup "Administradores" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Administradores" John /add
      4⤵
      PID:3896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SYSTEM32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:4868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
1⤵
PID:1232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
1⤵
PID:2892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
1⤵
PID:3364

C:\Windows\system32\net.exe
net localgroup "Remote Desktop Users" john /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\system32\net.exe
net localgroup "Administrators" John /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
1⤵
PID:4364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
1⤵
PID:3340

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:332

C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:2592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3340

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
14KB

MD5
b04f083ff47c34b731f79ce48336df95

SHA1
16f4d7c95e13bd1ef8f6076a5a7668ac7b80f21f

SHA256
82891084858953e544652ec4d8346b74ecebe7ce8ee3aedc0e50266780918fd8

SHA512
8e4ed5ea6dcf16a4889b18f5b0562240637ac327f5d8e0483f44f0e37eec45f8753bc4dfa19cff071eae7654cf9073e5964ced9d15c9ecabbb465e1a010e524e

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
303KB

MD5
6c9c48d48f5089919122c5132e7d8a0b

SHA1
09931c59a694c0443d990f87c9d5feb8569a0f42

SHA256
032973aac2879f5eba7d3bb774364f71b85d8bd6423a77a209d87f9446feaed3

SHA512
3a0ad84942fc0a47cbdb14154e75baf3887d2e49369c2c55ca2b34330591401affbefd86c34a3a2c4534ccddb263818f51ed6481b9e9b21a5aa613f6669cdbac

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
269KB

MD5
7709a9fd5288502bdd1b93d854729332

SHA1
b99f633c9163de0786d473d9a959fdb06e057efb

SHA256
689ba967e6a58c25f4934ba98507ad00ac3f2599ae55643ca1a1f8c0ab6bc8fa

SHA512
4062accdc1be944f1a2b26f520bff73649a234d35259620b3e2e7312cc017b9a018bab2e748ece6b5d8617333ad1ce0db11eb61d15369c282def4eb3e10f390e

Download Submit
C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
e21b95f6f2e5a0483e40b4caef16c718

SHA1
4310628908a9ff2c30064700f90a502cb3e13e49

SHA256
5deccd3b77e7f261ca0d427f0aa7dbdabb1d8c4ba92672a15855949813a16a58

SHA512
fd5b05a1f42ab36b39b4bfd08a244362b456bd5ecaee14912538d9a2d9c26583b0b824c4d606ae5e869cc143ea67d48269204dd5897878f35360439fd61246f2

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
276KB

MD5
59f81a4985e84ee1baa873577f51a5bd

SHA1
746aed24dd4748fe52463521239f2d687c9e982b

SHA256
c5a624b8d4143225c3a22bbdcfe509c83477cff6c5b0c4a8e09e81c942b59abb

SHA512
159db6fdb82e294b8c216639ba13773be839d6e9c4d0aa88600f6663f56db4a6c15af196668137c1c672cb2ccb830801057135b8a7014c95f10b81a416c15270

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
132KB

MD5
12a826623540a1e9d3bf6b04a3588b6a

SHA1
8b476116bddcf71ea3a23af88247ed19f96f24ef

SHA256
31bd31d4a3808516340e17f7bafdf10f563995b467f1ebaaf7679c75deebdffe

SHA512
72a8a370f78fbc2802338e22361199c5c863ca9284bb5c7b822ae22b769cf4d0e445c657790bbd55086c5eee653e393e05b7399c31f7fc9f00f63d665db335a0

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
338KB

MD5
9b90eb7ff05f7f46739903daae320b2a

SHA1
62df29391f6d0e1a016ea8c3325955663a9ebf6e

SHA256
e1ab09ef1aa88a3a21aa70adf44cebdc835a0cbd7ea8474c2f2ecc65136b62e4

SHA512
a0daf081f746dde9c55e05424ae60b7044f6cb81f9ff08ef9123fd0f8acc437728c43b293c40ff6808ec15c9be0a5d6389cc5f288395322dd5e97935d5ed5e80

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
280KB

MD5
f28afb19fdbe158d3ee8d6ad35f361a1

SHA1
54f8f672bade0228ae1f8c151edf5b34271687b5

SHA256
f15471a9a37891200741a955680f192a9726f26ae0ee1a3725dfc3f92033f621

SHA512
448032067e115a7f003bc2367383aeae19808c884cb721686a8655797b6569a540dd6e5df35b9c61bfff82300e55914a006912a73cb3c7444d37b5c333fa65a9

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
338KB

MD5
a0b700ccccab4b6a6c773f21e436dd88

SHA1
56756a32834dd81b115ec082b8d226743bfcbfb5

SHA256
195bc758fad4708069474f7dcd4deed987dbb205772c7ad847cb3b96cfd4ecff

SHA512
e5a9d8d8bfc2ac3e10ffceeefdc5637f0831fefd9fca822e355ed2eab83729bcb407f51c8a8a3c7ca64edad4259151342163a4795b13cba88c33b4eec3a17a74

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
2.5MB

MD5
c8ecab0657ab770d3ea0a9bfeedcecaa

SHA1
82f0b64357a95a35c822fef7352f6d6358afeb46

SHA256
f079cf109042a7bb10d4b83ce2f69081284ab93cb660eef6028e8e3d2010dffc

SHA512
e3fdfacc6cc2e869dcc64c407ca2dd7346e78dee81ca0c9328799d75248fe0f36ab8da384690fdc8f7e638e88eaed303c555516833e9ab77fb8c894a57180a07

Download Submit
C:\Programdata\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
95KB

MD5
45ec2706df35f988c775a6e662c9ef9c

SHA1
fca050476bbe3be4c86c152df6b81e0a27861f95

SHA256
fe614b67615b54d428c8c7ea339719fb36addfc9cdc8e7c56f295e9855d9dfe5

SHA512
ec4f74d2b1e078a8c3dc5576f817917075dbaf4f68543021c61a8d383c134ae0a37ef51114962eec45a0f555b709fca5a9938d005bdd6a68e704e2bbe45b4dbd

Download Submit
memory/332-41-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/332-42-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/332-43-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/332-44-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/332-45-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1600-65-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-99-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2924-97-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2924-100-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2972-12-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2972-11-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2972-13-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2972-15-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2972-14-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2972-18-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2992-26-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/2992-33-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/2992-29-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/2992-30-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/2992-31-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/2992-46-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2992-47-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2992-34-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/2992-35-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/2992-36-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/2992-32-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/2992-23-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2992-67-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2992-74-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2992-22-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/2992-24-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/2992-21-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2992-28-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/2992-27-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/2992-25-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/3340-88-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3340-89-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3340-87-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download