Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    27-01-2022 21:51

General

  • Target

    19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe

  • Size

    5.9MB

  • MD5

    23ef883914f616ad2e344670d1f5c50c

  • SHA1

    0ad839ab1744b516e999b2e48b6758392be7bd4c

  • SHA256

    19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167

  • SHA512

    5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Executes dropped EXE 9 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe
    "C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg"
        3⤵
        • Runs .reg file with regedit
        PID:1396
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Tupe.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:616
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /silentinstall
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1056
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /firewall
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1832
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /start
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:956
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\*.*" +s +h
          4⤵
          • Views/modifies file attributes
          PID:1968
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good" +s +h
          4⤵
          • Views/modifies file attributes
          PID:2016
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe"
        3⤵
        • Executes dropped EXE
        PID:1712
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe /tray
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: SetClipboardViewer
        PID:1016
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe /tray
      2⤵
      • Executes dropped EXE
      PID:108

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg

    MD5

    ab0d25296977f825446bac16fa03983b

    SHA1

    a7a3800963da0ff92f62158f72581b3249f522f4

    SHA256

    95881f9b400382a50610f7d3f0a6fe42c62de1c3620e6d9cff808250689630b1

    SHA512

    f328cb19806addd1f7bf072ddbabb1135a8f1eacbd1dccd92bbbfa66fc79766a2b82fce012fd1d3156ddaaa11bb059ad82e4c10f30122652a274baa90c3fccd3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Tupe.bat

    MD5

    6383feb85a2eee2918921ed5e4674bae

    SHA1

    6c25d4e157a8dae0305bfe09c12dd0d4c80e0994

    SHA256

    a08fd4ff2c5f669d247e2098f55c2ec253fb87371255eb3b07e9f1ff7ec7efda

    SHA512

    84d5888d264d201c698c3de8e6b8cda885abcc6b3a976d85c78ceba6d43fe22688475c6bcb5946e90abf751f54127c8397abd55c07668cbdd0628e7f604e1866

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

    MD5

    23ef883914f616ad2e344670d1f5c50c

    SHA1

    0ad839ab1744b516e999b2e48b6758392be7bd4c

    SHA256

    19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167

    SHA512

    5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

    MD5

    23ef883914f616ad2e344670d1f5c50c

    SHA1

    0ad839ab1744b516e999b2e48b6758392be7bd4c

    SHA256

    19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167

    SHA512

    5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

    MD5

    db5c2aac133f76135c6b5f6dd0f1132c

    SHA1

    1615a7067a6fc0afdc94af35123eff628a68f0ff

    SHA256

    13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea

    SHA512

    4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

    MD5

    db5c2aac133f76135c6b5f6dd0f1132c

    SHA1

    1615a7067a6fc0afdc94af35123eff628a68f0ff

    SHA256

    13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea

    SHA512

    4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

    MD5

    db5c2aac133f76135c6b5f6dd0f1132c

    SHA1

    1615a7067a6fc0afdc94af35123eff628a68f0ff

    SHA256

    13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea

    SHA512

    4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

    MD5

    db5c2aac133f76135c6b5f6dd0f1132c

    SHA1

    1615a7067a6fc0afdc94af35123eff628a68f0ff

    SHA256

    13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea

    SHA512

    4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

    MD5

    526d398938e18cb52192d77c7905cefe

    SHA1

    940c377ac831a97c9ca2d475382b71643e842d85

    SHA256

    490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8

    SHA512

    ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

    MD5

    526d398938e18cb52192d77c7905cefe

    SHA1

    940c377ac831a97c9ca2d475382b71643e842d85

    SHA256

    490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8

    SHA512

    ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

    MD5

    526d398938e18cb52192d77c7905cefe

    SHA1

    940c377ac831a97c9ca2d475382b71643e842d85

    SHA256

    490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8

    SHA512

    ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

    MD5

    526d398938e18cb52192d77c7905cefe

    SHA1

    940c377ac831a97c9ca2d475382b71643e842d85

    SHA256

    490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8

    SHA512

    ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

    MD5

    526d398938e18cb52192d77c7905cefe

    SHA1

    940c377ac831a97c9ca2d475382b71643e842d85

    SHA256

    490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8

    SHA512

    ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

    MD5

    db5c2aac133f76135c6b5f6dd0f1132c

    SHA1

    1615a7067a6fc0afdc94af35123eff628a68f0ff

    SHA256

    13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea

    SHA512

    4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

    MD5

    db5c2aac133f76135c6b5f6dd0f1132c

    SHA1

    1615a7067a6fc0afdc94af35123eff628a68f0ff

    SHA256

    13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea

    SHA512

    4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\vp8decoder.dll

    MD5

    e48c0e66dbfef46696c92785d158ddc7

    SHA1

    7a333891d6000603ecb9a9bac3784fff78f88718

    SHA256

    54911e050fce3345ec0d05c7cd02c2d345921dcf3aca724f072277bda0c6995c

    SHA512

    98004dabfb09f207997d82f304a57eefdb6e94764ac958c0b314a2e16293454c3e22bb0a6ff1cacfd2f5f675e8f7a8bf6594924ec29e23e11d035fd6c0e4cb66

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\vp8encoder.dll

    MD5

    52c276be805fe7b86fed6755bb4211d9

    SHA1

    34c4fa24890fefba170eb065c546b56ada981777

    SHA256

    7a30f464ad62611212fbd6db948b814cb0d0e8093ddae9fd0c2ecf320b58d722

    SHA512

    735a8645419e89a9421ead028658a897e9f894de65fe47f1da23c08065d55cdff02acbe9d0ae75cf388d9bd03ea87121e4f555cbdf862df8add067262fea3cd9

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

    MD5

    23ef883914f616ad2e344670d1f5c50c

    SHA1

    0ad839ab1744b516e999b2e48b6758392be7bd4c

    SHA256

    19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167

    SHA512

    5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

    MD5

    23ef883914f616ad2e344670d1f5c50c

    SHA1

    0ad839ab1744b516e999b2e48b6758392be7bd4c

    SHA256

    19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167

    SHA512

    5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

    MD5

    23ef883914f616ad2e344670d1f5c50c

    SHA1

    0ad839ab1744b516e999b2e48b6758392be7bd4c

    SHA256

    19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167

    SHA512

    5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

    MD5

    db5c2aac133f76135c6b5f6dd0f1132c

    SHA1

    1615a7067a6fc0afdc94af35123eff628a68f0ff

    SHA256

    13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea

    SHA512

    4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

    MD5

    db5c2aac133f76135c6b5f6dd0f1132c

    SHA1

    1615a7067a6fc0afdc94af35123eff628a68f0ff

    SHA256

    13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea

    SHA512

    4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

    MD5

    526d398938e18cb52192d77c7905cefe

    SHA1

    940c377ac831a97c9ca2d475382b71643e842d85

    SHA256

    490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8

    SHA512

    ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

    MD5

    db5c2aac133f76135c6b5f6dd0f1132c

    SHA1

    1615a7067a6fc0afdc94af35123eff628a68f0ff

    SHA256

    13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea

    SHA512

    4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

  • memory/108-91-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/956-80-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1056-72-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1148-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/1664-92-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

  • memory/1676-55-0x0000000076141000-0x0000000076143000-memory.dmp

    Filesize

    8KB

  • memory/1676-56-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/1680-81-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

  • memory/1712-98-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1832-75-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB