Analysis
- max time kernel: 160s
- max time network: 162s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-01-2022 21:51

Static task: static1

Behavioral task: behavioral1
- Sample: 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe
- Resource: win10-en-20211208

General
- Target: 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe
- Size: 5.9MB
- MD5: 23ef883914f616ad2e344670d1f5c50c
- SHA1: 0ad839ab1744b516e999b2e48b6758392be7bd4c
- SHA256: 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
- SHA512: 5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes:
- 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Good\\1svshost.exe, explorer.exe"
- 1svshost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Good\\svshost.exe, explorer.exe"
Executes dropped EXE (8 IoCs)
Processes (PID, image):
- 748 1svshost.exe
- 1204 rutserv.exe
- 2356 rutserv.exe
- 1644 rutserv.exe
- 4024 rutserv.exe
- 2056 rfusclient.exe
- 2296 rfusclient.exe
- 2164 svshost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- 1svshost.exe: Key value queried \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes:
- 1svshost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Runs .reg file with regedit (1 IoCs)
Processes (PID, image):
- 948 regedit.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (PID, image, event count):
- 3424 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe: 10 events
- 748 1svshost.exe: 54 events
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (token privilege, PID, image):
- Token: SeDebugPrivilege, 1204 rutserv.exe
- Token: SeDebugPrivilege, 1644 rutserv.exe
- Token: SeTakeOwnershipPrivilege, 4024 rutserv.exe
- Token: SeTcbPrivilege, 4024 rutserv.exe
- Token: SeTcbPrivilege, 4024 rutserv.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (PID, image):
- 1204 rutserv.exe
- 2356 rutserv.exe
- 1644 rutserv.exe
- 4024 rutserv.exe
Suspicious use of WriteProcessMemory (33 IoCs)
Processes (source PID wrote to target PID; source image; procid_target). Each event is recorded three times in the raw report:
- 3424 wrote to memory of 748; 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe; 69
- 748 wrote to memory of 948; 1svshost.exe; 70
- 748 wrote to memory of 960; 1svshost.exe; 71
- 960 wrote to memory of 1204; cmd.exe; 73
- 960 wrote to memory of 2356; cmd.exe; 74
- 960 wrote to memory of 1644; cmd.exe; 75
- 4024 wrote to memory of 2056; rutserv.exe; 77
- 4024 wrote to memory of 2296; rutserv.exe; 78
- 960 wrote to memory of 2140; cmd.exe; 79
- 960 wrote to memory of 3512; cmd.exe; 80
- 748 wrote to memory of 2164; 1svshost.exe; 81
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes (PID, image):
- 3512 attrib.exe
- 2140 attrib.exe
Processes (tree; indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe (PID 3424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe"
  - Modifies WinLogon for persistence
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe (PID 748)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regedit.exe (PID 948)
      Command line: "C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg"
      - Runs .reg file with regedit

    C:\Windows\SysWOW64\cmd.exe (PID 960)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Tupe.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe (PID 1204)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /silentinstall
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe (PID 2356)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /firewall
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe (PID 1644)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /start
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\attrib.exe (PID 2140)
        Command line: attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\*.*" +s +h
        - Views/modifies file attributes

      C:\Windows\SysWOW64\attrib.exe (PID 3512)
        Command line: attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good" +s +h
        - Views/modifies file attributes

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe (PID 2164)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe"
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe (PID 4024)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe (PID 2056)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
    - Executes dropped EXE

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe (PID 2296)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe /tray
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads (unique files; the raw report repeats identical hash sets for several entries, counts given below)

- MD5: ab0d25296977f825446bac16fa03983b
  SHA1: a7a3800963da0ff92f62158f72581b3249f522f4
  SHA256: 95881f9b400382a50610f7d3f0a6fe42c62de1c3620e6d9cff808250689630b1
  SHA512: f328cb19806addd1f7bf072ddbabb1135a8f1eacbd1dccd92bbbfa66fc79766a2b82fce012fd1d3156ddaaa11bb059ad82e4c10f30122652a274baa90c3fccd3

- MD5: 6383feb85a2eee2918921ed5e4674bae
  SHA1: 6c25d4e157a8dae0305bfe09c12dd0d4c80e0994
  SHA256: a08fd4ff2c5f669d247e2098f55c2ec253fb87371255eb3b07e9f1ff7ec7efda
  SHA512: 84d5888d264d201c698c3de8e6b8cda885abcc6b3a976d85c78ceba6d43fe22688475c6bcb5946e90abf751f54127c8397abd55c07668cbdd0628e7f604e1866

- (2 identical entries; same hashes as the submitted sample)
  MD5: 23ef883914f616ad2e344670d1f5c50c
  SHA1: 0ad839ab1744b516e999b2e48b6758392be7bd4c
  SHA256: 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
  SHA512: 5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

- (5 identical entries)
  MD5: db5c2aac133f76135c6b5f6dd0f1132c
  SHA1: 1615a7067a6fc0afdc94af35123eff628a68f0ff
  SHA256: 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
  SHA512: 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

- (5 identical entries)
  MD5: 526d398938e18cb52192d77c7905cefe
  SHA1: 940c377ac831a97c9ca2d475382b71643e842d85
  SHA256: 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
  SHA512: ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

- MD5: e48c0e66dbfef46696c92785d158ddc7
  SHA1: 7a333891d6000603ecb9a9bac3784fff78f88718
  SHA256: 54911e050fce3345ec0d05c7cd02c2d345921dcf3aca724f072277bda0c6995c
  SHA512: 98004dabfb09f207997d82f304a57eefdb6e94764ac958c0b314a2e16293454c3e22bb0a6ff1cacfd2f5f675e8f7a8bf6594924ec29e23e11d035fd6c0e4cb66

- MD5: 52c276be805fe7b86fed6755bb4211d9
  SHA1: 34c4fa24890fefba170eb065c546b56ada981777
  SHA256: 7a30f464ad62611212fbd6db948b814cb0d0e8093ddae9fd0c2ecf320b58d722
  SHA512: 735a8645419e89a9421ead028658a897e9f894de65fe47f1da23c08065d55cdff02acbe9d0ae75cf388d9bd03ea87121e4f555cbdf862df8add067262fea3cd9