Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1524989 |
| MD5: | ea2954e7fc00520a5300e72edea11b0f |
| SHA1: | cb9c5443999a5f62e83bb03756f8e1a8bcbefdb1 |
| SHA256: | ae939c4c31af5fc5e66e5f991239949a572f3af905118ae2f94fdf6dd080bc01 |
| Tags: | exeuser-Bitsight |
| Infos: |   |
 | |
Detection
RDPWrap Tool
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
AI detected suspicious sample
Adds a new user with administrator rights
Allows multiple concurrent remote connection
Enables remote desktop connection
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Outbound RDP Connections Over Non-Standard Tools
Sigma detected: RDP Sensitive Settings Changed
Sigma detected: Suspicious Add User to Remote Desktop Users Group
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected RDPWrap Tool
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: New User Created Via Net.EXE
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Classification
- System is w10x64
file.exe (PID: 6980 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: EA2954E7FC00520A5300E72EDEA11B0F) 
cmd.exe (PID: 1440 cmdline: "cmd.exe" /c reg add "HKEY_LOC AL_MACHINE \SOFTWARE\ Microsoft\ Windows\Cu rrentVersi on\Policie s\System" /v "AllowR emoteRPC" /t REG_DWO RD /d 1 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5064 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 4160 cmdline:
reg add "H KEY_LOCAL_ MACHINE\SO FTWARE\Mic rosoft\Win dows\Curre ntVersion\ Policies\S ystem" /v "AllowRemo teRPC" /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - cmd.exe (PID: 2296 cmdline:
"cmd.exe" /c reg add "HKEY_LOC AL_MACHINE \SOFTWARE\ Microsoft\ Windows\Cu rrentVersi on\Policie s\System" /v "Disabl eRemoteDes ktop" /t R EG_DWORD / d 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6728 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 6516 cmdline:
reg add "H KEY_LOCAL_ MACHINE\SO FTWARE\Mic rosoft\Win dows\Curre ntVersion\ Policies\S ystem" /v "DisableRe moteDeskto p" /t REG_ DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - cmd.exe (PID: 5496 cmdline:
"cmd.exe" /c "C:\Use rs\user\Ap pData\Loca l\Temp\RDP WInst.exe" -i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6488 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - RDPWInst.exe (PID: 7060 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\RDPWIns t.exe -i MD5: C213162C86BB943BCDF91B3DF381D2F6) - netsh.exe (PID: 5876 cmdline:
netsh advf irewall fi rewall add rule name ="Remote D esktop" di r=in proto col=tcp lo calport=33 89 profile =any actio n=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB) - cmd.exe (PID: 7632 cmdline:
"cmd.exe" /c net use r BoydKraj cik hDNQhf jKM9S0 /ad d MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7640 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7712 cmdline:
"cmd.exe" /c net loc algroup MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7720 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7792 cmdline:
"cmd.exe" /c net loc algroup "R emote Desk top Users" BoydKrajc ik /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7800 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7872 cmdline:
"cmd.exe" /c netsh a dvfirewall firewall add rule n ame="RDP" dir=in act ion=allow protocol=t cp localpo rt=3389 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7880 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - netsh.exe (PID: 7920 cmdline:
netsh advf irewall fi rewall add rule name ="RDP" dir =in action =allow pro tocol=tcp localport= 3389 MD5: 4E89A1A088BE715D6C946E55AB07C7DF) - cmd.exe (PID: 7948 cmdline:
"cmd.exe" /c net loc algroup "A dministrat ors" BoydK rajcik /ad d MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7956 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rdpvideominiport.sys (PID: 4 cmdline:
MD5: 77FF15B9237D62A5CBC6C80E5B20A492)
- rdpdr.sys (PID: 4 cmdline:
MD5: 64991B36F0BD38026F7589572C98E3D6)
- tsusbhub.sys (PID: 4 cmdline:
MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| Click to see the 4 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
System Summary |   |
|---|
| Source: | Author: Markus Neis: | ||
| Source: | Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Max Altgelt (Nextron Systems): | ||
| Source: | Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community): | ||
| Source: | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-03T15:07:46.813181+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 104.26.12.205 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 10_2_004092D8 | |
| Source: | Code function: | 10_2_0040F73C | |
| Source: | Code function: | 10_2_00408EB9 | |
Networking | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||