rms | 4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50

Analysis

max time kernel
141s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c92c59fa1503d65d1d67a578928e3c55exe.exe
Size

6.2MB
MD5

c92c59fa1503d65d1d67a578928e3c55
SHA1

0cb1106bde45dd5be118bb7b9ebb2be3e41b7203
SHA256

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50
SHA512

1f8c714bfc23bd642ec6f4e5539ac1585e0cd8a54ba2b72ff06d7b4f0dd94589a8e6ab41b689f11f51425067784e071eeffc7e803470d55793492d38f6d11241
SSDEEP

196608:CIgAn6JaxBEvXUJyXEJDNfZJoExr77dZWoNMUyr:SA6YxBYXY+sJokFZWdUy

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Processes:

netsh.exe

pid	Process
1252	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exewinserv.exewinserv.exec92c59fa1503d65d1d67a578928e3c55exe.exewinserv.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	c92c59fa1503d65d1d67a578928e3c55exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 6 IoCs

Processes:

winserv.exewinserv.execmd.exeRDPWinst.exewinserv.exewinserv.exe

pid	Process
3200	winserv.exe
1584	winserv.exe
4996	cmd.exe
1316	RDPWinst.exe
3508	winserv.exe
2076	winserv.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid	Process
492	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
61	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

Drops file in System32 directory 1 IoCs

Processes:

RDPWinst.exe

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWinst.exe

Drops file in Program Files directory 5 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55exe.exeRDPWinst.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	c92c59fa1503d65d1d67a578928e3c55exe.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	\??\c:\program files\rdp wrapper\rdpwrap.txt	svchost.exe
File opened for modification	C:\Program Files\RDP Wrapper	c92c59fa1503d65d1d67a578928e3c55exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c92c59fa1503d65d1d67a578928e3c55exe.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c92c59fa1503d65d1d67a578928e3c55exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c92c59fa1503d65d1d67a578928e3c55exe.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2308	schtasks.exe
740	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
4280	timeout.exe

Modifies registry class 3 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55exe.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\MIME\Database	c92c59fa1503d65d1d67a578928e3c55exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	c92c59fa1503d65d1d67a578928e3c55exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	c92c59fa1503d65d1d67a578928e3c55exe.exe

NTFS ADS 3 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55exe.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	c92c59fa1503d65d1d67a578928e3c55exe.exe
File opened for modification	C:\ProgramData\Setup\winmgmts:\	c92c59fa1503d65d1d67a578928e3c55exe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\	c92c59fa1503d65d1d67a578928e3c55exe.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55exe.exewinserv.exewinserv.execmd.exesvchost.exe

pid	Process
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
3200	winserv.exe
3200	winserv.exe
3200	winserv.exe
3200	winserv.exe
3200	winserv.exe
3200	winserv.exe
1584	winserv.exe
1584	winserv.exe
1584	winserv.exe
1584	winserv.exe
4996	cmd.exe
4996	cmd.exe
4996	cmd.exe
4996	cmd.exe
492	svchost.exe
492	svchost.exe
492	svchost.exe
492	svchost.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe
2968	c92c59fa1503d65d1d67a578928e3c55exe.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
668

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

winserv.exewinserv.exeRDPWinst.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	3200	winserv.exe
Token: SeTakeOwnershipPrivilege	1584	winserv.exe
Token: SeTcbPrivilege	1584	winserv.exe
Token: SeTcbPrivilege	1584	winserv.exe
Token: SeDebugPrivilege	1316	RDPWinst.exe
Token: SeAuditPrivilege	492	svchost.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

winserv.exewinserv.execmd.exewinserv.exewinserv.exe

pid	Process
3200	winserv.exe
3200	winserv.exe
3200	winserv.exe
3200	winserv.exe
1584	winserv.exe
1584	winserv.exe
1584	winserv.exe
1584	winserv.exe
4996	cmd.exe
4996	cmd.exe
4996	cmd.exe
4996	cmd.exe
3508	winserv.exe
3508	winserv.exe
3508	winserv.exe
3508	winserv.exe
2076	winserv.exe
2076	winserv.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

c92c59fa1503d65d1d67a578928e3c55exe.execmd.exenet.execmd.exenet.execmd.exenetsh.execmd.exenet.execmd.execmd.exenet.exenet.execmd.exenet.exeRDPWinst.execmd.exe

description	pid	Process	procid_target
PID 2968 wrote to memory of 2308	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	93
PID 2968 wrote to memory of 2308	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	93
PID 2968 wrote to memory of 740	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	95
PID 2968 wrote to memory of 740	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	95
PID 2968 wrote to memory of 3200	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	97
PID 2968 wrote to memory of 3200	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	97
PID 2968 wrote to memory of 3200	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	97
PID 2968 wrote to memory of 4076	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	103
PID 2968 wrote to memory of 4076	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	103
PID 4076 wrote to memory of 404	4076	cmd.exe	109
PID 4076 wrote to memory of 404	4076	cmd.exe	109
PID 2968 wrote to memory of 2604	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	108
PID 2968 wrote to memory of 2604	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	108
PID 404 wrote to memory of 5004	404	net.exe	105
PID 404 wrote to memory of 5004	404	net.exe	105
PID 2968 wrote to memory of 3664	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	107
PID 2968 wrote to memory of 3664	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	107
PID 2604 wrote to memory of 1640	2604	cmd.exe	110
PID 2604 wrote to memory of 1640	2604	cmd.exe	110
PID 1640 wrote to memory of 3684	1640	net.exe	115
PID 1640 wrote to memory of 3684	1640	net.exe	115
PID 2968 wrote to memory of 2096	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	113
PID 2968 wrote to memory of 2096	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	113
PID 3664 wrote to memory of 1252	3664	cmd.exe	139
PID 3664 wrote to memory of 1252	3664	cmd.exe	139
PID 1252 wrote to memory of 1704	1252	netsh.exe	111
PID 1252 wrote to memory of 1704	1252	netsh.exe	111
PID 2968 wrote to memory of 2712	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	130
PID 2968 wrote to memory of 2712	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	130
PID 2096 wrote to memory of 4344	2096	cmd.exe	117
PID 2096 wrote to memory of 4344	2096	cmd.exe	117
PID 4344 wrote to memory of 4380	4344	net.exe	116
PID 4344 wrote to memory of 4380	4344	net.exe	116
PID 2968 wrote to memory of 3996	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	128
PID 2968 wrote to memory of 3996	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	128
PID 2712 wrote to memory of 1884	2712	cmd.exe	126
PID 2712 wrote to memory of 1884	2712	cmd.exe	126
PID 3996 wrote to memory of 832	3996	cmd.exe	125
PID 3996 wrote to memory of 832	3996	cmd.exe	125
PID 832 wrote to memory of 1468	832	net.exe	118
PID 832 wrote to memory of 1468	832	net.exe	118
PID 2968 wrote to memory of 2016	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	124
PID 2968 wrote to memory of 2016	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	124
PID 1884 wrote to memory of 1448	1884	net.exe	123
PID 1884 wrote to memory of 1448	1884	net.exe	123
PID 2016 wrote to memory of 5052	2016	cmd.exe	121
PID 2016 wrote to memory of 5052	2016	cmd.exe	121
PID 5052 wrote to memory of 2568	5052	net.exe	119
PID 5052 wrote to memory of 2568	5052	net.exe	119
PID 2968 wrote to memory of 1316	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	136
PID 2968 wrote to memory of 1316	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	136
PID 2968 wrote to memory of 1316	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	136
PID 1316 wrote to memory of 1252	1316	RDPWinst.exe	139
PID 1316 wrote to memory of 1252	1316	RDPWinst.exe	139
PID 2968 wrote to memory of 4996	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	145
PID 2968 wrote to memory of 4996	2968	c92c59fa1503d65d1d67a578928e3c55exe.exe	145
PID 4996 wrote to memory of 4280	4996	cmd.exe	146
PID 4996 wrote to memory of 4280	4996	cmd.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55exe.exe
"C:\Users\Admin\AppData\Local\Temp\c92c59fa1503d65d1d67a578928e3c55exe.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2308
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:740
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3200
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\system32\net.exe
    net user John 12345 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного рабочего стола" John /add
    3⤵
    PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\net.exe
    net localgroup "Администраторы" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Администраторы" John /add
      4⤵
      PID:3684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного управления" john /add" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SYSTEM32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    - Suspicious use of WriteProcessMemory
    PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:4280

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
PID:4996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user John 12345 /add
1⤵
PID:5004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
1⤵
PID:1704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
1⤵
PID:4380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
1⤵
PID:1468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
1⤵
PID:2568

C:\Windows\system32\net.exe
net localgroup "Remote Desktop Users" john /add
1⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
1⤵
PID:1448

C:\Windows\system32\net.exe
net localgroup "Administradores" John /add
1⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\net.exe
net localgroup "Administrators" John /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:3628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3508

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
374KB

MD5
f80b544b99bb413dd7b75557a43cf589

SHA1
cfe8a05b72959794426057c9c611e03b86a57d53

SHA256
585f33ce2b735cf4d174c1e1144258c01bc518970418ceb3db0b35e82bda592c

SHA512
07a3f650dab9a038189e1fc14afec8b263c723d2b4fcbb6ca541b1a905b758d1c59b5bb12e8808466c1068392a37b0cc8b47db3605c86e6b5f3e3e8ecd47c53e

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
314KB

MD5
3953b408304523a87959715faec261c8

SHA1
eb504db4c0bcaab25e47850479e8ba62817aae54

SHA256
d4b6b1e06a16db4fbfc77f43f23883549a2aefa371071e64697300a93c995fef

SHA512
913af950ed4eb87a7567cb568cca3f8936e5fecb5c52f7c8d50261d3a0119f72d2e8efcd30c3ae9b467f1e29d88fb6cc3276fdc22476e13a0636fe461fa64ea5

Download Submit
C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
bc909d39981af556d07dc67178f61472

SHA1
a4e5b1c5bc746435a5baf11b728e83fb8e654da0

SHA256
10cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8

SHA512
acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1.4MB

MD5
e1c9894328722ed2745b9cc680da24ef

SHA1
032f40203c93ea3c0268b17ca4c163b5a3b08a82

SHA256
d9c77aa3430153c483c608301ef32545e8e3f4b80aed5e9ad2737b05eb252aa3

SHA512
15b66b8e824251277e900246bdd4eb7160126c58c7d8292219902b93a0dea47ede0b32719d941236df551c6118e459358c432c7d361f689e29e07399d9798006

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
764KB

MD5
34525c82a3de896d62aabe45b1c72f7d

SHA1
8ffc924721c5e6318cc00ca0887a69de76c95caa

SHA256
5c035fe6da6b775918aaa1272745786f9c227e4e239fba0ca5f7059b24d206e9

SHA512
52bc9b69f88b8ebe20ecdf5bb3d7a1f355a9e476c7e68d3fbcb4e6fdfe8cac88311faf80f329e32a2839eea545feaecc9a221cf303f5bf1907d01259ba85c58f

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
88KB

MD5
6ae2678e8d3b8f9a5736bd07fe2c6d12

SHA1
e3368eaf5604fb34ab3561a609028a734bdf5ce5

SHA256
52761876ed58e89beff15ce1352e12b4ce3dbc23ea8924fc62aef8ea9a4c499e

SHA512
4f2d54d31b851cde040e4801fa1c5f2adc6895bdef7d26289d1ffc802c88cb86c5a74563fcd0cbe2be66123401baaac4bda699986c9abfafac748ff6cac40b07

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
7.9MB

MD5
e2f282fb885d463f88ef01e1fbb19b0c

SHA1
224e97c95f58d0f5bd9e05f9d5f0db4569e95518

SHA256
186f7f510c77f58848815137536748529124a4dd634bcb1a1ab6d7641712dbcd

SHA512
89341bc62ddde28d52a7e87db67f934febc5a47c86cedc4d20df7d070e374fe9af335864d8428cc38a90c743f2a845d6e85e6e4c64e960a40bb3762b97853b1e

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
735KB

MD5
df588efd841724fe5d51cb5aaf0323bd

SHA1
143d90b74a8877781059118baa9e7a3929792cbc

SHA256
27fc2c5ebbf4eb2327f19c57a6d737bf617011e4a8a934c230e615010af43a59

SHA512
b681fb24fc7386aee866828627360aa93ad3c4e659a8993809df200e53f3a0ba5e4de08f248a66cfcd92ea684c2eef680a3eb37a00b9cd89c50145185a467b9e

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
6.3MB

MD5
2ccd9fd641ce22fb49aa683ba03ba182

SHA1
683c8853d663d44d5f454bec07a682f89e769a0a

SHA256
bfd32a336fa5855c3906ac77238e96e7c916347c25cd5ce12b3c16b31b8cd868

SHA512
c31136f4c4f9185ac60030c9aa7bdf4386f835b52551535c1c163b24f3fbc33c50a7b3aa07f42e2f93b1babb91818aea3b1b7357045d1524f0235dfca443013c

Download Submit
C:\Programdata\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1316-59-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1584-33-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/1584-35-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/1584-26-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/1584-25-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/1584-78-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1584-30-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/1584-31-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/1584-34-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/1584-32-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/1584-28-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/1584-38-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/1584-24-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/1584-39-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/1584-37-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/1584-36-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/1584-27-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/1584-22-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1584-68-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2076-94-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2076-97-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2076-96-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2076-95-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3200-11-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3200-12-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3200-17-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3200-13-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3200-18-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/3200-14-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3508-81-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3508-83-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3508-82-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4996-29-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download