rms | 4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50

Analysis

max time kernel
149s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
Size

6.2MB
MD5

c92c59fa1503d65d1d67a578928e3c55
SHA1

0cb1106bde45dd5be118bb7b9ebb2be3e41b7203
SHA256

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50
SHA512

1f8c714bfc23bd642ec6f4e5539ac1585e0cd8a54ba2b72ff06d7b4f0dd94589a8e6ab41b689f11f51425067784e071eeffc7e803470d55793492d38f6d11241
SSDEEP

196608:CIgAn6JaxBEvXUJyXEJDNfZJoExr77dZWoNMUyr:SA6YxBYXY+sJokFZWdUy

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Processes:

netsh.exe

pid	Process
4612	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winserv.exewinserv.exewinserv.exewinserv.exe4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	winserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

Executes dropped EXE 6 IoCs

Processes:

winserv.exewinserv.exeRDPWinst.exewinserv.exewinserv.exewinserv.exe

pid	Process
4016	winserv.exe
2116	winserv.exe
1756	RDPWinst.exe
1900	winserv.exe
3844	winserv.exe
4248	winserv.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid	Process
2828	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
52	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RDPWinst.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

Drops file in System32 directory 1 IoCs

Processes:

RDPWinst.exe

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWinst.exe

Drops file in Program Files directory 5 IoCs

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exeRDPWinst.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Program Files\RDP Wrapper	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	\??\c:\program files\rdp wrapper\rdpwrap.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
4436	schtasks.exe
2004	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
3336	timeout.exe

Modifies registry class 3 IoCs

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\MIME\Database	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

NTFS ADS 3 IoCs

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
File opened for modification	C:\ProgramData\Setup\winmgmts:\	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exewinserv.exewinserv.exewinserv.exesvchost.exe

pid	Process
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4016	winserv.exe
4016	winserv.exe
4016	winserv.exe
4016	winserv.exe
4016	winserv.exe
4016	winserv.exe
2116	winserv.exe
2116	winserv.exe
2116	winserv.exe
2116	winserv.exe
1900	winserv.exe
1900	winserv.exe
1900	winserv.exe
1900	winserv.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
656

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

winserv.exewinserv.exeRDPWinst.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	4016	winserv.exe
Token: SeTakeOwnershipPrivilege	2116	winserv.exe
Token: SeTcbPrivilege	2116	winserv.exe
Token: SeTcbPrivilege	2116	winserv.exe
Token: SeDebugPrivilege	1756	RDPWinst.exe
Token: SeAuditPrivilege	2828	svchost.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

winserv.exewinserv.exewinserv.exewinserv.exewinserv.exe

pid	Process
4016	winserv.exe
4016	winserv.exe
4016	winserv.exe
4016	winserv.exe
2116	winserv.exe
2116	winserv.exe
2116	winserv.exe
2116	winserv.exe
1900	winserv.exe
1900	winserv.exe
1900	winserv.exe
1900	winserv.exe
3844	winserv.exe
3844	winserv.exe
3844	winserv.exe
3844	winserv.exe
4248	winserv.exe
4248	winserv.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.execmd.exenet.execmd.execmd.exenet.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exeRDPWinst.execmd.exe

description	pid	Process	procid_target
PID 4440 wrote to memory of 4436	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	89
PID 4440 wrote to memory of 4436	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	89
PID 4440 wrote to memory of 2004	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	93
PID 4440 wrote to memory of 2004	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	93
PID 4440 wrote to memory of 4016	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	95
PID 4440 wrote to memory of 4016	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	95
PID 4440 wrote to memory of 4016	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	95
PID 4440 wrote to memory of 2784	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	99
PID 4440 wrote to memory of 2784	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	99
PID 4440 wrote to memory of 2744	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	101
PID 4440 wrote to memory of 2744	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	101
PID 2784 wrote to memory of 3548	2784	cmd.exe	125
PID 2784 wrote to memory of 3548	2784	cmd.exe	125
PID 4440 wrote to memory of 2788	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	102
PID 4440 wrote to memory of 2788	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	102
PID 3548 wrote to memory of 1328	3548	net.exe	103
PID 3548 wrote to memory of 1328	3548	net.exe	103
PID 2788 wrote to memory of 3504	2788	cmd.exe	123
PID 2788 wrote to memory of 3504	2788	cmd.exe	123
PID 2744 wrote to memory of 1636	2744	cmd.exe	104
PID 2744 wrote to memory of 1636	2744	cmd.exe	104
PID 1636 wrote to memory of 3120	1636	net.exe	122
PID 1636 wrote to memory of 3120	1636	net.exe	122
PID 3504 wrote to memory of 1368	3504	net.exe	121
PID 3504 wrote to memory of 1368	3504	net.exe	121
PID 4440 wrote to memory of 4748	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	106
PID 4440 wrote to memory of 4748	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	106
PID 4748 wrote to memory of 336	4748	cmd.exe	120
PID 4748 wrote to memory of 336	4748	cmd.exe	120
PID 336 wrote to memory of 2028	336	net.exe	109
PID 336 wrote to memory of 2028	336	net.exe	109
PID 4440 wrote to memory of 1292	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	108
PID 4440 wrote to memory of 1292	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	108
PID 4440 wrote to memory of 2908	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	118
PID 4440 wrote to memory of 2908	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	118
PID 1292 wrote to memory of 4268	1292	cmd.exe	119
PID 1292 wrote to memory of 4268	1292	cmd.exe	119
PID 4268 wrote to memory of 5044	4268	net.exe	111
PID 4268 wrote to memory of 5044	4268	net.exe	111
PID 2908 wrote to memory of 4904	2908	cmd.exe	115
PID 2908 wrote to memory of 4904	2908	cmd.exe	115
PID 4904 wrote to memory of 4656	4904	net.exe	114
PID 4904 wrote to memory of 4656	4904	net.exe	114
PID 4440 wrote to memory of 4840	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	113
PID 4440 wrote to memory of 4840	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	113
PID 4840 wrote to memory of 4244	4840	cmd.exe	117
PID 4840 wrote to memory of 4244	4840	cmd.exe	117
PID 4244 wrote to memory of 4500	4244	net.exe	116
PID 4244 wrote to memory of 4500	4244	net.exe	116
PID 4440 wrote to memory of 1756	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	127
PID 4440 wrote to memory of 1756	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	127
PID 4440 wrote to memory of 1756	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	127
PID 1756 wrote to memory of 4612	1756	RDPWinst.exe	134
PID 1756 wrote to memory of 4612	1756	RDPWinst.exe	134
PID 4440 wrote to memory of 3120	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	144
PID 4440 wrote to memory of 3120	4440	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	144
PID 3120 wrote to memory of 3336	3120	cmd.exe	146
PID 3120 wrote to memory of 3336	3120	cmd.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
"C:\Users\Admin\AppData\Local\Temp\4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4436
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2004
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4016
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\net.exe
    net user John 12345 /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\net.exe
    net localgroup "Администраторы" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Администраторы" John /add
      4⤵
      PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного рабочего стола" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного управления" john /add" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\system32\net.exe
    net localgroup "Administrators" John /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\system32\net.exe
    net localgroup "Remote Desktop Users" john /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SYSTEM32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:3336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user John 12345 /add
1⤵
PID:1328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
1⤵
PID:2028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
1⤵
PID:5044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
1⤵
PID:4656

C:\Windows\system32\net.exe
net localgroup "Administradores" John /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
1⤵
PID:4500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
1⤵
PID:1368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:1640

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3844

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RDPWinst.exe

Filesize
893KB

MD5
1e7645d46982d9745b022d824268ed96

SHA1
7f56f28c3ba72fe0c8d2aaa6299359b3b8966a84

SHA256
6b8fc4c23ffc97a2453d32e1e550f6d0ca0fb551e07b9c85aa8fdeece1397ad6

SHA512
7f1a2178dc38ac02dba2a63094a67d32daebed58b2ab77de380f906a033e97a33742b0c3e30b6c3d98aadaa8627a41ae4baaf6e2f2323a08233a36b6851bf585

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
470KB

MD5
69b10e70c22c3f2ee2c9c4a788536181

SHA1
7b3983b54948753640789da59e355f6c7da8b20f

SHA256
1beda78004873ab26ed94023a70d6fd9e6c21198256b3074b1ba73d8ad3df988

SHA512
4ebf733d180bbd8305fc326f774b8c1874f76ecd60ed87c4f4ba2fd8f83b3bb0bccb078bad045757db632743b57fd39508dbd8881128ed10acd1838a1988768d

Download Submit
C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
bc909d39981af556d07dc67178f61472

SHA1
a4e5b1c5bc746435a5baf11b728e83fb8e654da0

SHA256
10cf28ab39bf7ba76b91b043a007006d13d4a661fbcaad3d7820c19407b1e6a8

SHA512
acf34884a865cdabfbb9a49b948ccc74fe1e158636b23e2f728c2df6fd2fb7bda0929eeddf4bf58d90b034215dafa5e2c697050c51c2f2259ff77fa02d80f51a

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1.8MB

MD5
c28ac5630b0a953fee612a4241b0d40b

SHA1
018ec015e44b1ca7c75ff97a5329ffd88e1bc00d

SHA256
25f7b1192758b4e7c9bd431f6f108fa317fd91f028d74a033f0a84f9d0a1b57c

SHA512
d1eae18693d52d867259d332050fd3d207e57aa2154abbe47d39307d8ace5e17c9f16a61f217c50b47f0262e0e75595a7a9e527b95bc8a6ef1c538af9da49a2d

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
413KB

MD5
ab2cbf529c5055e961b7ff146480bf62

SHA1
7b1ec25d61ff72836df09c8e905db46cb157393b

SHA256
87aa7f2ba4a112456f946dff5d2bb75b17c04cf1fed57cd21ebdae44b4c85fa6

SHA512
d51e0bda2cfd9707a304cacee7f2a9dbb967d44f41ca034a2a8ebf629fcb952b0256c0980c1f75603c5b2514746d8a76933ae3e8d2fe31b233f2c42e938e3c44

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
5.7MB

MD5
019b88e398ae14938839dd05578c29f1

SHA1
12085c604e5e969406f1e75bace27491757521a1

SHA256
4475f082c38ce09e8bd0d716a0c1741051f6fa78fd05ccff57dee24c1a74d659

SHA512
0753928b8fee8bdb7d8a299a675f67743bc2c27e19103512dc953b1569b4fe60755376c12a2451c560a47f9d56a1866e5a323ad4ecddb26ed47cc16f6090c5fb

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
2.0MB

MD5
a8fa4c557735e92fd23896599ad683ab

SHA1
118f1af078131f02e0343b3de9851c9d16cb290c

SHA256
a61ea043aab672aa53bb0454a5af88bb71c9c74f0d80d55b9d33cd815dfcb40a

SHA512
dfd6cd17896cced2b405856289e74fd578c29ba779d32de0795e110d7027edec03ae9e2991e0365a0c1f7b88f9b2839573e1091e68ce1f303f583df26cfc77f0

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
3.5MB

MD5
dcde4ed2195f403a6441ec56e088220c

SHA1
68d6e67798f10566efc53d979333fa3f6f13669b

SHA256
c3ecb505e626879fa4ec46a84eca430477392a5205b89f6e9bbcfd5363d7f242

SHA512
ee2608230767fb5115d19acf7b458a8de832a7f43aed8c54de4612cfbd7591245e7a936dd4b03a910c7f5db8ac0b872f5f2be017f4d3220659151901eb035007

Download Submit
C:\Programdata\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
memory/1756-61-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1900-56-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1900-57-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1900-62-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/1900-58-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2116-29-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/2116-24-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/2116-36-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2116-35-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/2116-34-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/2116-33-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/2116-32-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/2116-31-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/2116-30-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/2116-64-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2116-28-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/2116-27-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/2116-25-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/2116-26-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2116-23-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2116-22-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2116-37-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/2116-72-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3844-87-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3844-86-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3844-88-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3844-89-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4016-18-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/4016-12-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4016-13-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4016-14-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4016-17-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4016-16-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4016-11-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4248-97-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4248-99-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4248-101-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4248-100-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download