Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
14/01/2024, 06:42
General
-
Target
RDPW_Installer.exe
-
Size
2.4MB
-
MD5
6ebea4d46302623d47827cd82e0aa4b3
-
SHA1
51c8d2af8a8f00da1eab9ce34a9f9505115295de
-
SHA256
932bcf6c68e34fb99ffafb5ae62a1473fe761d961034cb5630dc3a9ba9155ccb
-
SHA512
5c37af879652aee3f18be92732c0bf52ac8b7e6aaded5a7f31303e5f0eef0fea75a4a779a436dbb06960af390bcc5722cac3fa7db3cd283fa80ce499af94700d
-
SSDEEP
49152:7QT501gtKhLiL4uvT4pHmaBfxoxokdwsCIG0nUCqIOQvVLJg5Hugq:7fZ8aHNBfLRIRUwOQtLJ1gq
Malware Config
Signatures
-
Modifies RDP port number used by Windows 1 TTPs
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies WinLogon 2 TTPs 1 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RDPW_Installer.exe"C:\Users\Admin\AppData\Local\Temp\RDPW_Installer.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\540B.tmp\540C.tmp\540D.bat C:\Users\Admin\AppData\Local\Temp\RDPW_Installer.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\540B.tmp\RDPWInst.exe"RDPWInst" -u3⤵
- Executes dropped EXE
-
-
C:\Windows\system32\PING.EXEping -n 3 localhost3⤵
- Runs ping.exe
-
-
C:\Windows\system32\xcopy.exexcopy "RDP_CnC.exe" "C:\Program Files\RDP Wrapper\" /s /I /y3⤵
- Drops file in Program Files directory
-
-
C:\Windows\system32\xcopy.exexcopy "RDPWInst.exe" "C:\Program Files\RDP Wrapper\" /s /I /y3⤵
- Drops file in Program Files directory
-
-
C:\Program Files\RDP Wrapper\RDPWInst.exe"C:\Program Files\RDP Wrapper\RDPWInst" -i -o3⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=udp localport=3389 profile=any action=allow4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\xcopy.exexcopy "RDP_CnC.lnk" "C:\Users\Admin\Desktop\" /s /I /y3⤵
-
-
C:\Windows\system32\xcopy.exexcopy "update.bat" "C:\Program Files\RDP Wrapper\" /s /I /y3⤵
- Drops file in Program Files directory
-
-
C:\Users\Admin\AppData\Local\Temp\540B.tmp\LGPO.exelgpo /m H264_ON.pol3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /CREATE /SC ONSTART /DELAY 0002:00 /TN "RDPWUpdater" /TR "'C:\Program Files\RDP Wrapper\RDPWInst.exe' -w" /RL HIGHEST /RU SYSTEM /NP /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\cmd.execmd.exe /C start "" "C:\Program Files\RDP Wrapper\RDP_CnC.exe"3⤵
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\RDP Wrapper\RDP_CnC.exe"C:\Program Files\RDP Wrapper\RDP_CnC.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD50c35886c65928236fd15f27fd07786e7
SHA11097f9ca9bda45c42b4337165f38e1025ef44b52
SHA25644bb015bcf388b8fed512f901dc58dc763da3f517071a0f156d95910cc6fa8d9
SHA5121afff358c1a5a8a286686e38b4633453362bc591cfafdb80aeb35098d17b69644dcd5381b7383a4f038089c87ee7afa99bf1b69200746d401d209a7cca0ae2ed
-
Filesize
27KB
MD556f284cd33dce8ff43c17ed293374dc2
SHA1a41cbb490ed5833d0da154e1b83207b4a9b56521
SHA25605bbfcb1e809ca8cb6a2b586d45b24db415cd7e1c9481277317d8d5113d787a4
SHA51284d3befb91e93693cbaaeebb898e8fbe3f73a14319d20a7538208faa181186ffdbe2256f8812fdfae08be36a5cb2d4a995673d093210efde6f81f17dadb2213e
-
Filesize
5KB
MD5f57017ea95f4a63355e888cb5fd99116
SHA1c4c8a5796868fdeaaf7d6f848605d157a8db3b45
SHA256b1b88c05d4f0bcf0f4cd03252d6c9838b39e030109d6c998e7218730988bfff2
SHA512bf8bacc77d4c7faed1d2cd0fbf1dfb6a719baeb3c86a74f5660de050a3fce9c9355778e587ba75d0175572ac5853263b706a73e2977346780fc8042ed0596385
-
Filesize
405KB
MD5ade75b73a33607453d53592e1173cd55
SHA133d4c605af6108b76d6c0631c2062661e7d92129
SHA25623ebe4aba9d68c471cc9d4fbac04f6e45eebd7d7bf99aafcdca5786dc26768b5
SHA5126dd225dc4664ab3e8ceaa5435462caa9bf4848cf86b2e6aa7cb91e18d4f4d1de601237153108833a92a33ca5d5c667c2185c31a85266dcf1000d5c3a5709e1d8
-
Filesize
432KB
MD586fccfc256b5b2246724362e846c0c0d
SHA175e1042255b82e41ae6b5ec06131879980c26887
SHA2567c8f4f8552970411bb0d09a5bca1c1e1971bd6de0b26f3e6b22cdad146712d7a
SHA512d32e3e99991f9e880edaa4c56a607f788f7ebb3c81756343ca263ec76348ac2c092789a29fc3ed8d4cd0ed0536f1ea4ec61d9a93c27bb061b3746a6b02f27ff7
-
Filesize
114KB
MD50c2180b8e8cf57d168b0e5f388f90650
SHA1dc6ba17b27e6611489c5c52f8956bc5a45001ecd
SHA25675fb4394ef5b8d1e7c74dfc61424101582ecdc406060caa9d66adea2ac8b37f8
SHA5128effc36cd55e0543219afa3df0d42e346ab8a6c67737977c24b4207281f490daf8f628614a745c26e6ef9f033a899c62378c99a8745e16c3e7935863c8f925ae
-
Filesize
322B
MD58f9a5bf6d5331c46c8d9bc63700077fc
SHA14fa07a1599d5ae06416ab9004eca85511f534094
SHA256ab0cf42c898e0fcff6332094226312901d6afe2eab5598cf7eaccdaaea6ea3d9
SHA5129c9d66f85c46ae532e58b724deddf01394df68fa7194355b4c8e92d7a6f4652fec38bbaaead669823f0dc2c3bc06fcc35e12e58affa9d306e2076a277064f35e
-
Filesize
824B
MD51c04db7c0404d977651e89247b449fb5
SHA10de81ba7099f77efa9d387a4e334fdcc4f1cde5f
SHA256bf7f1043f7d151e06440c07aa91bd2c7048657515c12a0af8dea2becfe6802bd
SHA5120e8c6c0edb187ec58f8447779f3f60189b59b35100eec530befa83705fdc32933dcd572e2d31bedd9b3546b63147af48b4437802a5f69d63d606d560ae5c6b2c
-
Filesize
186B
MD578952b476aa2e47bf0e27416acf6fe1f
SHA15543f22fe65fa4193008163107acd4ef8fbb338b
SHA256213da1274863316dbf91aa4c725b86f23e37784912930ed951003608834a0b46
SHA5125d4a1e4f13f01530ecfa399ac7e6db74403d4c1b3eed23f4fb0f068a387fde42d5651fadfbb9aad6a28c5a40345b70fb13c1e9210123157711622d9aab8fc21d
-
Filesize
401KB
MD532a0d430386b2ef9ee2b330fad1613b2
SHA17bd762fa06de618744359feac654f2679d1e8c2b
SHA256f67de96286bfd2083fc0df8db9e85f4e338163c0c6cd725dbb1f961fd8663b45
SHA5122aac9d6bc7ca5f9eccae698f0bc09ca860422a5f525b62fbb8cc29f29103956412606a5dcb0763ba558ac362a11286184c1d9b83a3f63194cdd73da66ec2a9ba
-
Filesize
360KB
MD5fbd615f6584c9f6a2a4bc7ef5ec7c9b5
SHA1c7189983dac71b4bfb3320eea71358d445860619
SHA256d15462db43a05e7e5d53a515a9271b048531a7a35bdbec31271a6356716483ef
SHA512e7fde67146f50d8c841ead601d60693073c97d0f28066156b14581c63c5431ca819611936be3fdb4c73550ba2d853fa48ddcad5528af172f4c5b9d08a822daca
-
Filesize
1.1MB
MD53bdfdd7462e5942066cfebcd3487aa92
SHA1765a021c6a3ae3b12b2385d8622a2b9a56d2f21e
SHA25651872d40650c1c141622e8985415a4a809986406234fefaefb71a380b03c6338
SHA512eec36a1d03558073e7277e86cc976c28537b51f813eea108f575ed9a391c07478362ecbf65d066cd1a89f4fcb6c3abfd8598bab2700d565c47f8f47b72b10e06
-
Filesize
36KB
MD5929afbb004c713657de30af956a9343b
SHA1833be2e3f40b2b6d1b3e06bcf2a79abe8f1b242c
SHA256a973cc2e4566ee2267ec4fd8667fd38c04228db55ade747b3e139c46c056a759
SHA512faa9706a6c189087ba9243cab2b0c6712e372a254a4193903ba6dea4f7dc880223590e6f387b8d298dbc75aa1018ecc60a53d4fba0859f64ad9856432533f805
-
Filesize
50KB
MD5cb0fa46ea083a800cdba89f4e9064049
SHA1b8bf92bbe84c0a141a7550aeda0a787365020205
SHA256e8475f7941256783cadc2381290d9b931a32a861e22dc63dbd969a2ca84048f3
SHA512bfeb8d2297ba88fc787dafeee989ac07798dde9e9d042cbc7aa7c0f48c04512e7fb84231c9b0c4f8c43009a756b055297865ad86f722b6c2d0ef499eea85c037
-
Filesize
1KB
MD5bf5e6e967e6df74051e971d62ee9d282
SHA1bcf85f18168b3b1e52d6f373afd8a3f81b6a7980
SHA25683f134b45e9e28abd1e4a773f48c0303bc5f8b8b22f7fc12ee4fcb4011a7733d
SHA5126715f19c42555d25fc8e8eedf162ef2a7875f08a142251f58ddccc6df62b0b10cd33f397e8ab10b0eb0bb69d08ea4ec285b9bdd422121ee472d10bc3e42e165f
-
Filesize
114KB
MD5870babbcd5d147ae67d48743c1e415b3
SHA1b62bb1a8aa3075eab85f1d670c3e9cb1d7878dfa
SHA256f1bc8182e486cade24e09c5064d7cfa142f145871bf1f1b19a82359f82fcd343
SHA512acada814f4aaa511dd233e8f5dd37a31ea169d7673eed49398cf1f3ebca335df9f89e93faa461f3b3a3ebba85d05e10351357a4a71acd235aecb2c99cc8ae25f
-
Filesize
179KB
MD5760dfa2278890f38a46519acdbd02787
SHA1dbb04f75d34f6984264e29c9947c7a0d9e7c92bb
SHA25608e03cc6451d67d5573d89bf3955a6a8d491693378a3089e35a488163d036c65
SHA512a505d7f72892456fa5c273466b97412ca700ecf336f173f8b85b5e7269b4a59eff6053a22532351619d62bdaf72c24f37643528451c9985b0029e7a7b74d939d
-
Filesize
4KB
-
Filesize
3.0MB
-
Filesize
2.4MB
-
Filesize
2.4MB