Malware Analysis Report

2024-11-30 19:49

Sample ID 220127-1qrglsbgg5
Target 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
SHA256 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
Tags: rms evasion persistence rat trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167

Threat Level: Known bad

The file 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167 was found to be: Known bad.

Malicious Activity Summary

rms evasion persistence rat trojan

RMS

Modifies WinLogon for persistence

Sets file to hidden

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious behavior: SetClipboardViewer

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Runs .reg file with regedit

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-01-27 21:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-01-27 21:51

Reported: 2022-01-27 21:54

Platform: win7-en-20211208

Max time kernel: 149s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Good\\1svshost.exe, explorer.exe" C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Good\\svshost.exe, explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A

RMS

trojan rat rms

Sets file to hidden

evasion

Enumerates physical storage devices

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
PID 1676 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
PID 1676 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
PID 1676 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
PID 1148 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\regedit.exe
PID 1148 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\regedit.exe
PID 1148 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\regedit.exe
PID 1148 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\regedit.exe
PID 1148 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 616 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\cmd.exe
PID 616 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 616 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 616 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 616 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 616 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 616 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 616 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 616 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 616 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 616 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 616 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 616 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 1680 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 1680 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 1680 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 1680 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 1680 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 1680 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 1680 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 1680 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 616 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 616 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 616 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 616 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 616 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 616 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 616 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 616 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1664 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 1664 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 1664 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 1664 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 1148 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe
PID 1148 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe
PID 1148 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe
PID 1148 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe

"C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe"

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Tupe.bat" "

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /silentinstall

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /firewall

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /start

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe /tray

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\*.*" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good" +s +h

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe /tray

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/1676-55-0x0000000076141000-0x0000000076143000-memory.dmp

memory/1676-56-0x0000000000220000-0x0000000000221000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

MD5 23ef883914f616ad2e344670d1f5c50c
SHA1 0ad839ab1744b516e999b2e48b6758392be7bd4c
SHA256 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
SHA512 5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

MD5 23ef883914f616ad2e344670d1f5c50c
SHA1 0ad839ab1744b516e999b2e48b6758392be7bd4c
SHA256 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
SHA512 5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

MD5 23ef883914f616ad2e344670d1f5c50c
SHA1 0ad839ab1744b516e999b2e48b6758392be7bd4c
SHA256 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
SHA512 5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

memory/1148-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

MD5 23ef883914f616ad2e344670d1f5c50c
SHA1 0ad839ab1744b516e999b2e48b6758392be7bd4c
SHA256 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
SHA512 5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

MD5 23ef883914f616ad2e344670d1f5c50c
SHA1 0ad839ab1744b516e999b2e48b6758392be7bd4c
SHA256 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
SHA512 5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg

MD5 ab0d25296977f825446bac16fa03983b
SHA1 a7a3800963da0ff92f62158f72581b3249f522f4
SHA256 95881f9b400382a50610f7d3f0a6fe42c62de1c3620e6d9cff808250689630b1
SHA512 f328cb19806addd1f7bf072ddbabb1135a8f1eacbd1dccd92bbbfa66fc79766a2b82fce012fd1d3156ddaaa11bb059ad82e4c10f30122652a274baa90c3fccd3

C:\Users\Admin\AppData\Roaming\Microsoft\Tupe.bat

MD5 6383feb85a2eee2918921ed5e4674bae
SHA1 6c25d4e157a8dae0305bfe09c12dd0d4c80e0994
SHA256 a08fd4ff2c5f669d247e2098f55c2ec253fb87371255eb3b07e9f1ff7ec7efda
SHA512 84d5888d264d201c698c3de8e6b8cda885abcc6b3a976d85c78ceba6d43fe22688475c6bcb5946e90abf751f54127c8397abd55c07668cbdd0628e7f604e1866

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

MD5 526d398938e18cb52192d77c7905cefe
SHA1 940c377ac831a97c9ca2d475382b71643e842d85
SHA256 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
SHA512 ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

MD5 526d398938e18cb52192d77c7905cefe
SHA1 940c377ac831a97c9ca2d475382b71643e842d85
SHA256 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
SHA512 ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

MD5 526d398938e18cb52192d77c7905cefe
SHA1 940c377ac831a97c9ca2d475382b71643e842d85
SHA256 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
SHA512 ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

memory/1056-72-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

MD5 526d398938e18cb52192d77c7905cefe
SHA1 940c377ac831a97c9ca2d475382b71643e842d85
SHA256 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
SHA512 ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

memory/1832-75-0x00000000001C0000-0x00000000001C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

MD5 526d398938e18cb52192d77c7905cefe
SHA1 940c377ac831a97c9ca2d475382b71643e842d85
SHA256 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
SHA512 ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

MD5 526d398938e18cb52192d77c7905cefe
SHA1 940c377ac831a97c9ca2d475382b71643e842d85
SHA256 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
SHA512 ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

memory/1680-81-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/956-80-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\vp8decoder.dll

MD5 e48c0e66dbfef46696c92785d158ddc7
SHA1 7a333891d6000603ecb9a9bac3784fff78f88718
SHA256 54911e050fce3345ec0d05c7cd02c2d345921dcf3aca724f072277bda0c6995c
SHA512 98004dabfb09f207997d82f304a57eefdb6e94764ac958c0b314a2e16293454c3e22bb0a6ff1cacfd2f5f675e8f7a8bf6594924ec29e23e11d035fd6c0e4cb66

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\vp8encoder.dll

MD5 52c276be805fe7b86fed6755bb4211d9
SHA1 34c4fa24890fefba170eb065c546b56ada981777
SHA256 7a30f464ad62611212fbd6db948b814cb0d0e8093ddae9fd0c2ecf320b58d722
SHA512 735a8645419e89a9421ead028658a897e9f894de65fe47f1da23c08065d55cdff02acbe9d0ae75cf388d9bd03ea87121e4f555cbdf862df8add067262fea3cd9

\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

memory/1664-92-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/108-91-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

memory/1712-98-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-01-27 21:51

Reported: 2022-01-27 21:55

Platform: win10-en-20211208

Max time kernel: 160s

Max time network: 162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Good\\1svshost.exe, explorer.exe" C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Good\\svshost.exe, explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A

RMS

trojan rat rms

Sets file to hidden

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
PID 3424 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
PID 3424 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe
PID 748 wrote to memory of 948 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\regedit.exe
PID 748 wrote to memory of 948 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\regedit.exe
PID 748 wrote to memory of 948 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\regedit.exe
PID 748 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 960 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 960 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 960 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 960 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 960 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 960 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 960 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 960 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe
PID 4024 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 4024 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 4024 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 4024 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 4024 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 4024 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe
PID 960 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 960 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 960 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 960 wrote to memory of 3512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 960 wrote to memory of 3512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 960 wrote to memory of 3512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 748 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe
PID 748 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe
PID 748 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe

"C:\Users\Admin\AppData\Local\Temp\19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe"

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Tupe.bat" "

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /silentinstall

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /firewall

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe" /start

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe /tray

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\*.*" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good" +s +h

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe"

Network

Country Destination Domain Proto
NL 104.110.191.140:80 tcp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/3424-115-0x0000000000C90000-0x0000000000C91000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

MD5 23ef883914f616ad2e344670d1f5c50c
SHA1 0ad839ab1744b516e999b2e48b6758392be7bd4c
SHA256 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
SHA512 5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\1svshost.exe

MD5 23ef883914f616ad2e344670d1f5c50c
SHA1 0ad839ab1744b516e999b2e48b6758392be7bd4c
SHA256 19f28d00098dfa8146bec64dd3545fad8fb83c239cc7b723eaaba8ae2ab77167
SHA512 5cf22827e9300a413b85b35de17b060299512cdc5152d6033ead59fab2aa1d8b2a2c5ec0411f74af0f263c69c1f5f6ae7081e460387e3427924a6121c1200e38

memory/748-201-0x00000000025F0000-0x00000000025F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Regedit.reg

MD5 ab0d25296977f825446bac16fa03983b
SHA1 a7a3800963da0ff92f62158f72581b3249f522f4
SHA256 95881f9b400382a50610f7d3f0a6fe42c62de1c3620e6d9cff808250689630b1
SHA512 f328cb19806addd1f7bf072ddbabb1135a8f1eacbd1dccd92bbbfa66fc79766a2b82fce012fd1d3156ddaaa11bb059ad82e4c10f30122652a274baa90c3fccd3

C:\Users\Admin\AppData\Roaming\Microsoft\Tupe.bat

MD5 6383feb85a2eee2918921ed5e4674bae
SHA1 6c25d4e157a8dae0305bfe09c12dd0d4c80e0994
SHA256 a08fd4ff2c5f669d247e2098f55c2ec253fb87371255eb3b07e9f1ff7ec7efda
SHA512 84d5888d264d201c698c3de8e6b8cda885abcc6b3a976d85c78ceba6d43fe22688475c6bcb5946e90abf751f54127c8397abd55c07668cbdd0628e7f604e1866

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

MD5 526d398938e18cb52192d77c7905cefe
SHA1 940c377ac831a97c9ca2d475382b71643e842d85
SHA256 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
SHA512 ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

MD5 526d398938e18cb52192d77c7905cefe
SHA1 940c377ac831a97c9ca2d475382b71643e842d85
SHA256 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
SHA512 ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

memory/1204-207-0x0000000000AC0000-0x0000000000AE3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

MD5 526d398938e18cb52192d77c7905cefe
SHA1 940c377ac831a97c9ca2d475382b71643e842d85
SHA256 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
SHA512 ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

memory/2356-209-0x0000000000D00000-0x0000000000D01000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

MD5 526d398938e18cb52192d77c7905cefe
SHA1 940c377ac831a97c9ca2d475382b71643e842d85
SHA256 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
SHA512 ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rutserv.exe

MD5 526d398938e18cb52192d77c7905cefe
SHA1 940c377ac831a97c9ca2d475382b71643e842d85
SHA256 490b24ff4b255cffb795bfdff04762ab499f0fc4afa214cf6dd40e0063e7b5d8
SHA512 ef44db312ed6a14f29623487fe1c35fa8770ed1295476edd769a402f80b9a259b26530be5dcb5597c97f5dbea6fe09fd443199c68cd552c669d95d8ff9dcadb0

memory/4024-213-0x00000000001D0000-0x00000000001F3000-memory.dmp

memory/1644-212-0x0000000000C20000-0x0000000000C21000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\vp8decoder.dll

MD5 e48c0e66dbfef46696c92785d158ddc7
SHA1 7a333891d6000603ecb9a9bac3784fff78f88718
SHA256 54911e050fce3345ec0d05c7cd02c2d345921dcf3aca724f072277bda0c6995c
SHA512 98004dabfb09f207997d82f304a57eefdb6e94764ac958c0b314a2e16293454c3e22bb0a6ff1cacfd2f5f675e8f7a8bf6594924ec29e23e11d035fd6c0e4cb66

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\vp8encoder.dll

MD5 52c276be805fe7b86fed6755bb4211d9
SHA1 34c4fa24890fefba170eb065c546b56ada981777
SHA256 7a30f464ad62611212fbd6db948b814cb0d0e8093ddae9fd0c2ecf320b58d722
SHA512 735a8645419e89a9421ead028658a897e9f894de65fe47f1da23c08065d55cdff02acbe9d0ae75cf388d9bd03ea87121e4f555cbdf862df8add067262fea3cd9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\rfusclient.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

memory/2296-219-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

memory/2056-220-0x0000000002870000-0x0000000002871000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Good\svshost.exe

MD5 db5c2aac133f76135c6b5f6dd0f1132c
SHA1 1615a7067a6fc0afdc94af35123eff628a68f0ff
SHA256 13d07cb804f29eb218fd713c8d9b3970048dec889458af73dadfb6d0126513ea
SHA512 4b1120a3cae620c1193d4eed23c6f54eb2f179e324175657c35c8d23426533141a84efd876fd054cfd24cc08065ec08db323299a9b7a588426c268767359df57

memory/2164-222-0x0000000002720000-0x0000000002721000-memory.dmp