Analysis Overview
SHA256
19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
Threat Level: Known bad
The file 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167 was found to be: Known bad.
Malicious Activity Summary
RMS (Remote Utilities, formerly Remote Manipulator System, by TektonIT: its host components rutserv.exe and rfusclient.exe are silently installed from a hidden AppData directory and contact rmansys.ru and rms-server.tektonit.ru)
Modifies WinLogon for persistence
Sets file to hidden
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: SetClipboardViewer
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-27 21:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-27 21:51
Reported
2022-01-27 21:54
Platform
win7-en-20211208
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Good\\1svshost.exe, explorer.exe" | C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Good\\svshost.exe, explorer.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe | N/A |
Winlogon launches every comma-separated entry of Shell at logon, so placing the implant ahead of explorer.exe starts it each session while leaving the desktop intact; the key is in the user's own hive (HKCU), so the write needs no elevation. The second write, made by 1svshost.exe, swaps the entry to svshost.exe, which is a renamed copy of rfusclient.exe (same hashes in the Files section).
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe | N/A |
Sets file to hidden
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe | N/A |
Enumerates physical storage devices
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe
"C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe"
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Tupe.bat" "
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /silentinstall
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /firewall
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /start
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe /tray
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\*.*" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good" +s +h
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe /tray
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe"
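The checks below turn the Winlogon persistence entry above and the process chain in this section (regedit /s on a staged .reg file, rutserv.exe /silentinstall, attrib +s +h on the drop directory, the svshost.exe lookalike name) into detection logic a practitioner could run over process-creation and registry-set telemetry. This is an added example for this page, not part of the sandbox report and not code from RMS / Remote Utilities. The event records are constructed by hand from the behavioral1 run; the record schema (kind / image / cmdline / key / value), the rule names and the svchost lookalike distance threshold are this example's own assumptions, not any vendor's telemetry format.

```python
"""Detection checks for the behaviour recorded in this report (added example)."""
import ntpath
import re

# AppData under a user profile is writable without elevation.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# rutserv.exe switches seen in the report's process list.
RMS_INSTALL_FLAGS = {"/silentinstall", "/firewall", "/start"}
LOOKALIKE_MAX_DISTANCE = 2  # assumption: how close to "svchost.exe" counts as spoofing


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace outside double quotes.
    Minimal on purpose (no caret or backslash escapes); enough for this report."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def winlogon_shell_extras(value):
    """Entries of a Winlogon\\Shell value other than explorer.exe.
    Winlogon runs every comma-separated entry, so anything else is a logon hook."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.basename(entry).lower() != "explorer.exe":
            extras.append(entry)
    return extras


def edit_distance(a, b):
    """Levenshtein distance, used to catch svshost.exe-style name spoofing."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(events):
    """Return (rule, detail) findings for a list of event records."""
    findings = []
    for ev in events:
        if ev["kind"] == "registry_set":
            if ev["key"].lower().endswith(r"\winlogon\shell"):
                for extra in winlogon_shell_extras(ev["value"]):
                    findings.append(("winlogon_shell_persistence", extra))
            continue
        name = ntpath.basename(ev["image"]).lower()
        args = split_cmdline(ev["cmdline"])[1:]
        lowered = {a.lower() for a in args}
        targets = [a for a in args if not a.startswith(("+", "-", "/"))]
        if name == "attrib.exe" and {"+s", "+h"} <= lowered:
            # Hiding a tree inside the user profile, as Tupe.bat does here.
            findings += [("attrib_hide_system_in_profile", t)
                         for t in targets if USER_WRITABLE.search(t)]
        elif name == "regedit.exe" and "/s" in lowered:
            # Silent import of a .reg file staged in AppData.
            findings += [("silent_reg_import_from_profile", t) for t in targets
                         if t.lower().endswith(".reg") and USER_WRITABLE.search(t)]
        elif name == "rutserv.exe" and lowered & RMS_INSTALL_FLAGS:
            # Remote Utilities host being installed as a service with no UI.
            findings.append(("rms_host_silent_install",
                             " ".join(sorted(lowered & RMS_INSTALL_FLAGS))))
        elif 0 < edit_distance(name, "svchost.exe") <= LOOKALIKE_MAX_DISTANCE:
            findings.append(("svchost_lookalike_name", ev["image"]))
    return findings


# Constructed from the behavioral1 run (paths and SID as recorded); the last
# two records are benign controls added to show the rules stay quiet on them.
SAMPLE_EVENTS = [
    {"kind": "registry_set",
     "key": r"\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000"
            r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe, explorer.exe"},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\regedit.exe",
     "cmdline": r'"C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg"'},
    {"kind": "process", "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /silentinstall'},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good" +s +h'},
    {"kind": "process", "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe"'},
    {"kind": "registry_set",
     "key": r"\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000"
            r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": "explorer.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

Run against the constructed events, the five malicious records each raise exactly one finding and the two benign controls raise none. The lookalike rule is the loosest of the five and is meant as a hunting query rather than an alert on its own; the Winlogon and rutserv rules are the high-confidence ones, since a legitimate Shell value is just explorer.exe and Remote Utilities is not normally installed silently from a user profile.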
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
memory/1676-55-0x0000000076141000-0x0000000076143000-memory.dmp
memory/1676-56-0x0000000000220000-0x0000000000221000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
| MD5 | 23ef883914f616ad2e344670d1f5c50c |
| SHA1 | 0ad839ab1744b516e999b2e48b6758392be7bd4c |
| SHA256 | 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167 |
| SHA512 | 5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38 |
(same hashes as the submitted sample: the dropper copies itself into the hidden Good directory and re-executes from there)
memory/1148-61-0x00000000001B0000-0x00000000001B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg
| MD5 | ab0d25296977f825446bac16fa03983b |
| SHA1 | a7a3800963da0ff92f62158f72581b3249f522f4 |
| SHA256 | 95881f9b400382a50610f7d3f0a6fe42c62de1c3620e6d9cff808250689630b1 |
| SHA512 | f328cb19806addd1f7bf072ddbabb1135a8f1eacbd1dccd92bbbfa66fc79766a2b82fce012fd1d3156ddaaa11bb059ad82e4c10f30122652a274baa90c3fccd3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Tupe.bat
| MD5 | 6383feb85a2eee2918921ed5e4674bae |
| SHA1 | 6c25d4e157a8dae0305bfe09c12dd0d4c80e0994 |
| SHA256 | a08fd4ff2c5f669d247e2098f55c2ec253fb87371255eb3b07e9f1ff7ec7efda |
| SHA512 | 84d5888d264d201c698c3de8e6b8cda885abcc6b3a976d85c78ceba6d43fe22688475c6bcb5946e90abf751f54127c8397abd55c07668cbdd0628e7f604e1866 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
| MD5 | db5c2aac133f76135c6b5f6dd0f1132c |
| SHA1 | 1615a7067a6fc0afdc94af35123eff628a68f0ff |
| SHA256 | 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea |
| SHA512 | 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
| MD5 | 526d398938e18cb52192d77c7905cefe |
| SHA1 | 940c377ac831a97c9ca2d475382b71643e842d85 |
| SHA256 | 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8 |
| SHA512 | ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0 |
memory/1056-72-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1832-75-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1680-81-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/956-80-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\vp8decoder.dll
| MD5 | e48c0e66dbfef46696c92785d158ddc7 |
| SHA1 | 7a333891d6000603ecb9a9bac3784fff78f88718 |
| SHA256 | 54911e050fce3345ec0d05c7cd02c2d345921dcf3aca724f072277bda0c6995c |
| SHA512 | 98004dabfb09f207997d82f304a57eefdb6e94764ac958c0b314a2e16293454c3e22bb0a6ff1cacfd2f5f675e8f7a8bf6594924ec29e23e11d035fd6c0e4cb66 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\vp8encoder.dll
| MD5 | 52c276be805fe7b86fed6755bb4211d9 |
| SHA1 | 34c4fa24890fefba170eb065c546b56ada981777 |
| SHA256 | 7a30f464ad62611212fbd6db948b814cb0d0e8093ddae9fd0c2ecf320b58d722 |
| SHA512 | 735a8645419e89a9421ead028658a897e9f894de65fe47f1da23c08065d55cdff02acbe9d0ae75cf388d9bd03ea87121e4f555cbdf862df8add067262fea3cd9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe
| MD5 | db5c2aac133f76135c6b5f6dd0f1132c |
| SHA1 | 1615a7067a6fc0afdc94af35123eff628a68f0ff |
| SHA256 | 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea |
| SHA512 | 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57 |
(same hashes as rfusclient.exe above: svshost.exe is a renamed copy of the RMS client, named to resemble svchost.exe)
memory/1664-92-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/108-91-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1712-98-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-27 21:51
Reported
2022-01-27 21:55
Platform
win10-en-20211208
Max time kernel
160s
Max time network
162s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Good\\1svshost.exe, explorer.exe" | C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Good\\svshost.exe, explorer.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe | N/A |
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe | N/A |
Sets file to hidden
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe
"C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe"
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Tupe.bat" "
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /silentinstall
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /firewall
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /start
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe /tray
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\*.*" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good" +s +h
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
memory/3424-115-0x0000000000C90000-0x0000000000C91000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
| MD5 | 23ef883914f616ad2e344670d1f5c50c |
| SHA1 | 0ad839ab1744b516e999b2e48b6758392be7bd4c |
| SHA256 | 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167 |
| SHA512 | 5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38 |
memory/748-201-0x00000000025F0000-0x00000000025F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg
| MD5 | ab0d25296977f825446bac16fa03983b |
| SHA1 | a7a3800963da0ff92f62158f72581b3249f522f4 |
| SHA256 | 95881f9b400382a50610f7d3f0a6fe42c62de1c3620e6d9cff808250689630b1 |
| SHA512 | f328cb19806addd1f7bf072ddbabb1135a8f1eacbd1dccd92bbbfa66fc79766a2b82fce012fd1d3156ddaaa11bb059ad82e4c10f30122652a274baa90c3fccd3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Tupe.bat
| MD5 | 6383feb85a2eee2918921ed5e4674bae |
| SHA1 | 6c25d4e157a8dae0305bfe09c12dd0d4c80e0994 |
| SHA256 | a08fd4ff2c5f669d247e2098f55c2ec253fb87371255eb3b07e9f1ff7ec7efda |
| SHA512 | 84d5888d264d201c698c3de8e6b8cda885abcc6b3a976d85c78ceba6d43fe22688475c6bcb5946e90abf751f54127c8397abd55c07668cbdd0628e7f604e1866 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
| MD5 | db5c2aac133f76135c6b5f6dd0f1132c |
| SHA1 | 1615a7067a6fc0afdc94af35123eff628a68f0ff |
| SHA256 | 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea |
| SHA512 | 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
| MD5 | 526d398938e18cb52192d77c7905cefe |
| SHA1 | 940c377ac831a97c9ca2d475382b71643e842d85 |
| SHA256 | 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8 |
| SHA512 | ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0 |
memory/1204-207-0x0000000000AC0000-0x0000000000AE3000-memory.dmp
memory/2356-209-0x0000000000D00000-0x0000000000D01000-memory.dmp
memory/4024-213-0x00000000001D0000-0x00000000001F3000-memory.dmp
memory/1644-212-0x0000000000C20000-0x0000000000C21000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\vp8decoder.dll
| MD5 | e48c0e66dbfef46696c92785d158ddc7 |
| SHA1 | 7a333891d6000603ecb9a9bac3784fff78f88718 |
| SHA256 | 54911e050fce3345ec0d05c7cd02c2d345921dcf3aca724f072277bda0c6995c |
| SHA512 | 98004dabfb09f207997d82f304a57eefdb6e94764ac958c0b314a2e16293454c3e22bb0a6ff1cacfd2f5f675e8f7a8bf6594924ec29e23e11d035fd6c0e4cb66 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\vp8encoder.dll
| MD5 | 52c276be805fe7b86fed6755bb4211d9 |
| SHA1 | 34c4fa24890fefba170eb065c546b56ada981777 |
| SHA256 | 7a30f464ad62611212fbd6db948b814cb0d0e8093ddae9fd0c2ecf320b58d722 |
| SHA512 | 735a8645419e89a9421ead028658a897e9f894de65fe47f1da23c08065d55cdff02acbe9d0ae75cf388d9bd03ea87121e4f555cbdf862df8add067262fea3cd9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe
| MD5 | db5c2aac133f76135c6b5f6dd0f1132c |
| SHA1 | 1615a7067a6fc0afdc94af35123eff628a68f0ff |
| SHA256 | 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea |
| SHA512 | 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57 |
memory/2296-219-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
memory/2056-220-0x0000000002870000-0x0000000002871000-memory.dmp
memory/2164-222-0x0000000002720000-0x0000000002721000-memory.dmp