9899ffecf141ab4535ec702facbf2b4233903b428b862f3a87e635d09c6244de

Analysis

max time kernel
7s
max time network
11s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
06/07/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RDPWInst-v1.6.2.msi
Size

640KB
MD5

92cbbe2d06d03c156c83ae1a02ab30e3
SHA1

7d14f457f193d75dd7f52becdee5cf25b948573b
SHA256

9899ffecf141ab4535ec702facbf2b4233903b428b862f3a87e635d09c6244de
SHA512

b7eafccee7ab76411209f20cf370de53b0c83fc700047b2de66b26e540a07797b8f7eb1513bcceaa4cee4c8c0b2382788a154003236980f125c281cc7479bb4a
SSDEEP

12288:GnAYhZFoqIVAV0yjNZzucNNZLVk/dJJibRoQu9kzWEYCdrflYemcS1/U:UASZFKAVbBZzu0Ni49oQu9DuZYebSS

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
3	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2016	netsh.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DF5687DB477671896C.TMP	msiexec.exe
File created	C:\Windows\Installer\e5794ed.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5794ed.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{37EA5771-3352-4A52-9FAC-9297331DAEBD}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDA22685F759E844C.TMP	msiexec.exe
File created	C:\Windows\Installer\e5794ef.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB0D7FCBBB3C08B2E.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF0DE5C6864CA8411.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95E7.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4952	RDPWInst.exe

Loads dropped DLL 1 IoCs

pid	Process
4980	svchost.exe

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
424	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1032	msiexec.exe
1032	msiexec.exe
4980	svchost.exe
4980	svchost.exe
4980	svchost.exe
4980	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
684	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	424	msiexec.exe
Token: SeIncreaseQuotaPrivilege	424	msiexec.exe
Token: SeSecurityPrivilege	1032	msiexec.exe
Token: SeCreateTokenPrivilege	424	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	424	msiexec.exe
Token: SeLockMemoryPrivilege	424	msiexec.exe
Token: SeIncreaseQuotaPrivilege	424	msiexec.exe
Token: SeMachineAccountPrivilege	424	msiexec.exe
Token: SeTcbPrivilege	424	msiexec.exe
Token: SeSecurityPrivilege	424	msiexec.exe
Token: SeTakeOwnershipPrivilege	424	msiexec.exe
Token: SeLoadDriverPrivilege	424	msiexec.exe
Token: SeSystemProfilePrivilege	424	msiexec.exe
Token: SeSystemtimePrivilege	424	msiexec.exe
Token: SeProfSingleProcessPrivilege	424	msiexec.exe
Token: SeIncBasePriorityPrivilege	424	msiexec.exe
Token: SeCreatePagefilePrivilege	424	msiexec.exe
Token: SeCreatePermanentPrivilege	424	msiexec.exe
Token: SeBackupPrivilege	424	msiexec.exe
Token: SeRestorePrivilege	424	msiexec.exe
Token: SeShutdownPrivilege	424	msiexec.exe
Token: SeDebugPrivilege	424	msiexec.exe
Token: SeAuditPrivilege	424	msiexec.exe
Token: SeSystemEnvironmentPrivilege	424	msiexec.exe
Token: SeChangeNotifyPrivilege	424	msiexec.exe
Token: SeRemoteShutdownPrivilege	424	msiexec.exe
Token: SeUndockPrivilege	424	msiexec.exe
Token: SeSyncAgentPrivilege	424	msiexec.exe
Token: SeEnableDelegationPrivilege	424	msiexec.exe
Token: SeManageVolumePrivilege	424	msiexec.exe
Token: SeImpersonatePrivilege	424	msiexec.exe
Token: SeCreateGlobalPrivilege	424	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
424	msiexec.exe
424	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 4952	1032	msiexec.exe	83
PID 1032 wrote to memory of 4952	1032	msiexec.exe	83
PID 1032 wrote to memory of 4952	1032	msiexec.exe	83
PID 4952 wrote to memory of 2016	4952	RDPWInst.exe	87
PID 4952 wrote to memory of 2016	4952	RDPWInst.exe	87

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RDPWInst-v1.6.2.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:424

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\ProgramData\Package Cache\{37ea5771-3352-4a52-9fac-9297331daebd}\RDPWInst.exe
  "C:\ProgramData\Package Cache\{37ea5771-3352-4a52-9fac-9297331daebd}\RDPWInst.exe" -i -o
  2⤵
  - Server Software Component: Terminal Services DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5794ee.rbs

Filesize
8KB

MD5
fef72579ca42112b3aed2ac1992814e3

SHA1
423ca57a525069c7c426832f59bf80032dbdc048

SHA256
43bc3cf4fccfd4bf70d2b5f0c7c6358f7333d0b2360b7015a07be97f9516d0ea

SHA512
87132ba99be9535d6e689c17c63e6da3efb8895d59cf4f2d6d1fe5974f11cc5a6a9d831fb1784d20dcdb4fbb059daa33a1b5464fb5719a72ef3fe79a4748a5d6

Download Submit
C:\ProgramData\Package Cache\{37ea5771-3352-4a52-9fac-9297331daebd}\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Windows\Installer\e5794ed.msi

Filesize
640KB

MD5
92cbbe2d06d03c156c83ae1a02ab30e3

SHA1
7d14f457f193d75dd7f52becdee5cf25b948573b

SHA256
9899ffecf141ab4535ec702facbf2b4233903b428b862f3a87e635d09c6244de

SHA512
b7eafccee7ab76411209f20cf370de53b0c83fc700047b2de66b26e540a07797b8f7eb1513bcceaa4cee4c8c0b2382788a154003236980f125c281cc7479bb4a

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
memory/4952-30-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download