Analysis Report https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip

Overview

General Information

Sample URL: https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip
Analysis ID: 367764

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Modifies existing windows services
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Netsh Port or Application Allowed
Spawns drivers
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\Desktop\extract\RDPCheck.exe Avira: detection malicious, Label: SPR/Remoteadmin.560333
Source: C:\Users\user\Desktop\extract\RDPConf.exe Avira: detection malicious, Label: SPR/Remoteadmin.AN
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Avira: detection malicious, Label: SPR/Remoteadmin.AO
Multi AV Scanner detection for dropped file
Source: C:\Program Files\RDP Wrapper\rdpwrap.dll Metadefender: Detection: 22%
Source: C:\Program Files\RDP Wrapper\rdpwrap.dll ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\extract\RDPCheck.exe Metadefender: Detection: 27%
Source: C:\Users\user\Desktop\extract\RDPCheck.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\extract\RDPConf.exe Metadefender: Detection: 36%
Source: C:\Users\user\Desktop\extract\RDPConf.exe ReversingLabs: Detection: 40%
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Metadefender: Detection: 44%
Source: C:\Users\user\Desktop\extract\RDPWInst.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.154:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: Binary string: rdpclip.pdbH source: RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPWInst.exe.5.dr
Source: Binary string: rdpclip.pdbJ source: RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPWInst.exe.5.dr
Source: Binary string: RfxVmt.pdb source: 7za.exe, 00000005.00000003.653679459.0000000002AE0000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPWInst.exe.5.dr
Source: Binary string: rdpclip.pdb source: RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPWInst.exe.5.dr
Source: Binary string: RfxVmt.pdbGCTL source: 7za.exe, 00000005.00000003.653679459.0000000002AE0000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPWInst.exe.5.dr
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_004092D8 FindFirstFileW,FindClose, 10_2_004092D8
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0040F73C FindFirstFileW,FindClose, 10_2_0040F73C
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00408EB9 lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 10_2_00408EB9
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0043CF60 InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 10_2_0043CF60
Source: unknown DNS traffic detected: queries for: github.com
Source: wget.exe, 00000002.00000002.650515458.0000000002DA8000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
Source: wget.exe, 00000002.00000002.650515458.0000000002DA8000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671591155.0000000000971000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: wget.exe, 00000002.00000003.649859571.0000000002D68000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000003.649859571.0000000002D68000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000003.649859571.0000000002D68000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl
Source: wget.exe, 00000002.00000002.650515458.0000000002DA8000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671591155.0000000000971000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: RDPWInst.exe, 0000000A.00000002.671610643.0000000000990000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digi
Source: wget.exe, 00000002.00000003.647568002.0000000002DBB000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.647544093.0000000002DA8000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
Source: wget.exe, 00000002.00000003.647568002.0000000002DBB000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671591155.0000000000971000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: wget.exe, 00000002.00000003.647568002.0000000002DBB000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crlUS1
Source: wget.exe, 00000002.00000003.649859571.0000000002D68000.00000004.00000001.sdmp, wget.exe, 00000002.00000002.650515458.0000000002DA8000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl
Source: wget.exe, 00000002.00000002.650515458.0000000002DA8000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671591155.0000000000971000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: wget.exe, 00000002.00000002.650515458.0000000002DA8000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crlo
Source: wget.exe, 00000002.00000003.649859571.0000000002D68000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: wget.exe, 00000002.00000003.647568002.0000000002DBB000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671591155.0000000000971000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: wget.exe, 00000002.00000002.650515458.0000000002DA8000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671591155.0000000000971000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0M
Source: RDPWInst.exe, RDPWInst.exe, 0000000A.00000002.671081818.0000000000401000.00000020.00020000.sdmp, RDPWInst.exe.5.dr String found in binary or memory: http://stascorp.com/load/1-1-0-62
Source: 7za.exe, 00000005.00000003.653679459.0000000002AE0000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPCheck.exe.5.dr String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPConf.exe.5.dr String found in binary or memory: http://www.apache.org/licenses/
Source: RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPConf.exe.5.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: cmdline.out.2.dr String found in binary or memory: https://github-releases.githubusercontent.com/25609086/d473b802-eb5f-11e7-8ccc-5944bc969a40?X-Amz-Al
Source: wget.exe, 00000002.00000002.650111219.0000000000B40000.00000004.00000020.sdmp, cmdline.out.2.dr String found in binary or memory: https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip
Source: wget.exe, 00000002.00000002.650067070.00000000009E8000.00000004.00000020.sdmp String found in binary or memory: https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zipxB
Source: RDPWInst.exe, 0000000A.00000002.671564766.000000000093F000.00000004.00000020.sdmp String found in binary or memory: https://raw.githubusercontent.com/
Source: RDPWInst.exe, RDPWInst.exe, 0000000A.00000002.671564766.000000000093F000.00000004.00000020.sdmp, RDPWInst.exe, 0000000A.00000002.671575571.000000000094F000.00000004.00000020.sdmp String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini
Source: RDPWInst.exe, 0000000A.00000002.671575571.000000000094F000.00000004.00000020.sdmp String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini?G
Source: RDPWInst.exe, 0000000A.00000002.671564766.000000000093F000.00000004.00000020.sdmp String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniHU
Source: RDPWInst.exe, 0000000A.00000002.671081818.0000000000401000.00000020.00020000.sdmp, RDPWInst.exe.5.dr String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU
Source: RDPWInst.exe, 0000000A.00000002.671575571.000000000094F000.00000004.00000020.sdmp String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.inigG
Source: RDPWInst.exe, 0000000A.00000002.671564766.000000000093F000.00000004.00000020.sdmp String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.inihT
Source: wget.exe, 00000002.00000003.647568002.0000000002DBB000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS
Source: wget.exe, 00000002.00000003.647568002.0000000002DBB000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671591155.0000000000971000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: RDPWInst.exe, 0000000A.00000002.671552525.0000000000929000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0040360C 10_2_0040360C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: String function: 00406BE0 appears 36 times
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: String function: 00404CDC appears 74 times
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: String function: 00407450 appears 135 times
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: String function: 004042F8 appears 74 times
PE file contains strange resources
Source: RDPCheck.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RDPConf.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Spawns drivers
Source: unknown Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
Source: classification engine Classification label: mal64.evad.win@12/15@3/3
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0043BF00 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError, 10_2_0043BF00
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0040FAE8 GetDiskFreeSpaceW, 10_2_0040FAE8
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0043DC64 LoadLibraryExW,FindResourceW,LoadResource,FreeLibrary, 10_2_0043DC64
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0043B1A8 OpenSCManagerW,GetLastError,OpenServiceW,CloseServiceHandle,GetLastError,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle, 10_2_0043B1A8
Source: C:\Users\user\Desktop\extract\RDPWInst.exe File created: C:\Program Files\RDP Wrapper
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_01
Source: Yara match File source: 0000000A.00000002.671081818.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.660079281.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Desktop\extract\RDPWInst.exe, type: DROPPED
Source: Yara match File source: 10.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\extract\RDPWInst.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: RDPWInst.exe String found in binary or memory: Link: http://stascorp.com/load/1-1-0-62
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip' > cmdline.out 2>&1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip'
Source: unknown Process created: C:\Windows\SysWOW64\7za.exe 7za x -y -pinfected -o'C:\Users\user\Desktop\extract' 'C:\Users\user\Desktop\download\RDPWrap-v1.6.2.zip'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\extract\install.bat' '
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\extract\RDPWInst.exe 'C:\Users\user\Desktop\extract\RDPWInst' -i -o
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name='Remote Desktop' dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip'
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\extract\RDPWInst.exe 'C:\Users\user\Desktop\extract\RDPWInst' -i -o
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name='Remote Desktop' dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Users\user\Desktop\extract\RDPWInst.exe File written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\rdpwrap[1].ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll
Source: Binary string: rdpclip.pdbH source: RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPWInst.exe.5.dr
Source: Binary string: rdpclip.pdbJ source: RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPWInst.exe.5.dr
Source: Binary string: RfxVmt.pdb source: 7za.exe, 00000005.00000003.653679459.0000000002AE0000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPWInst.exe.5.dr
Source: Binary string: rdpclip.pdb source: RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPWInst.exe.5.dr
Source: Binary string: RfxVmt.pdbGCTL source: 7za.exe, 00000005.00000003.653679459.0000000002AE0000.00000004.00000001.sdmp, RDPWInst.exe, 0000000A.00000002.671154362.0000000000450000.00000002.00020000.sdmp, RDPWInst.exe.5.dr

Data Obfuscation:

PE file contains sections with non-standard names
Source: RDPCheck.exe.5.dr Static PE information: section name: .didata
Source: RDPConf.exe.5.dr Static PE information: section name: .didata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_009F1D0D push cs; iretd 2_2_009F1D1A
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_004430DC push 00443161h; ret 10_2_00443159
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00439674 push ecx; mov dword ptr [esp], ecx 10_2_00439675
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00420164 push 004201DAh; ret 10_2_004201D2
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0040A178 push 0040A1E7h; ret 10_2_0040A1DF
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00437134 push 00437201h; ret 10_2_004371F9
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00443188 push 00443230h; ret 10_2_00443228
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0043421C push ecx; mov dword ptr [esp], edx 10_2_0043421E
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0044323C push 004432C7h; ret 10_2_004432BF
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00437298 push 0043732Eh; ret 10_2_00437326
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00437360 push 004373ADh; ret 10_2_004373A5
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0043A3F8 push 0043A450h; ret 10_2_0043A448
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_004176D4 push 00417879h; ret 10_2_00417871
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00421998 push 004219E5h; ret 10_2_004219DD
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0042AA70 push ecx; mov dword ptr [esp], edx 10_2_0042AA75
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0040CA10 push eax; retf 0040h 10_2_0040CA11
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0042AAB4 push ecx; mov dword ptr [esp], edx 10_2_0042AAB9
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00415C58 push ecx; mov dword ptr [esp], edx 10_2_00415C5D
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0040EC80 push ecx; mov dword ptr [esp], ecx 10_2_0040EC85
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00404E0C push eax; ret 10_2_00404E48
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0043FE8C push 0043FEE0h; ret 10_2_0043FED8

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\extract\RDPWInst.exe File created: C:\Program Files\RDP Wrapper\rdpwrap.dll
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\RDPConf.exe
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\RDPCheck.exe
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\RDPWInst.exe

Boot Survival:

Creates or modifies windows services
Source: C:\Windows\system32\drivers\tsusbhub.sys Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
Modifies existing windows services
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0043B58C OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle, 10_2_0043B58C
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: OpenSCManagerW,GetLastError,EnumServicesStatusExW,GetLastError,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,GetLastError,CloseServiceHandle, 10_2_0043B7D4
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Dropped PE file which has not been started: C:\Program Files\RDP Wrapper\rdpwrap.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\RDPConf.exe
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\RDPCheck.exe
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_004092D8 FindFirstFileW,FindClose, 10_2_004092D8
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_0040F73C FindFirstFileW,FindClose, 10_2_0040F73C
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00408EB9 lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 10_2_00408EB9
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00409D02 GetSystemInfo, 10_2_00409D02
Source: wget.exe, RDPWInst.exe, 0000000A.00000002.671591155.0000000000971000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: wget.exe, 00000002.00000002.650067070.00000000009E8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\system32\drivers\tsusbhub.sys System information queried: ModuleInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\extract\RDPWInst.exe 'C:\Users\user\Desktop\extract\RDPWInst' -i -o
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name='Remote Desktop' dir=in protocol=tcp localport=3389 profile=any action=allow

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 10_2_004093C0
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_00408908
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: GetLocaleInfoW, 10_2_00412C4A
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: GetLocaleInfoW, 10_2_00412C4C
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: GetLocaleInfoW, 10_2_00412C98
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00411154 GetLocalTime, 10_2_00411154
Source: C:\Users\user\Desktop\extract\RDPWInst.exe Code function: 10_2_00414698 GetVersionExW, 10_2_00414698
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the windows firewall
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name='Remote Desktop' dir=in protocol=tcp localport=3389 profile=any action=allow
Uses netsh to modify the Windows network and firewall settings
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name='Remote Desktop' dir=in protocol=tcp localport=3389 profile=any action=allow
Behavior Graph

Behavior Graph ID: 367764
URL: https://github.com/stascorp...
Start date: 12/03/2021
Architecture: WINDOWS
Score: 64

Signatures attached to the start node: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall

Process tree (recovered from the graph layout):

  • cmd.exe
      started RDPWInst.exe
          dropped C:\Program Files\RDP Wrapper\rdpwrap.dll (PE32+)
          contacted raw.githubusercontent.com 185.199.111.133, port 443 (local port 49725), FASTLYUS, Netherlands
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
          started netsh.exe
      started conhost.exe
  • 7za.exe
      dropped C:\Users\user\Desktop\extract\RDPWInst.exe (PE32)
      dropped C:\Users\user\Desktop\extract\RDPConf.exe (PE32)
      dropped C:\Users\user\Desktop\extract\RDPCheck.exe (PE32)
      started conhost.exe
  • cmd.exe
      started wget.exe
          contacted github.com 140.82.121.3, port 443 (local port 49723), GITHUBUS, United States
          contacted github-releases.githubusercontent.com 185.199.111.154, port 443 (local port 49724), FASTLYUS, Netherlands
      started conhost.exe
  • 3 other processes (not expanded in the graph)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
140.82.121.3 github.com United States 36459 GITHUBUS false
185.199.111.133 raw.githubusercontent.com Netherlands 54113 FASTLYUS false
185.199.111.154 github-releases.githubusercontent.com Netherlands 54113 FASTLYUS false

Contacted Domains

Name IP Active
github.com 140.82.121.3 true
raw.githubusercontent.com 185.199.111.133 true
github-releases.githubusercontent.com 185.199.111.154 true