Analysis

  • max time kernel
    144s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 01:31

General

  • Target

    0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe

  • Size

    3.4MB

  • MD5

    40f4513096356284e69f79311cf710bd

  • SHA1

    ae01690acb25cc0d2ec1beaa8f9092e2b62d86f3

  • SHA256

    0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db

  • SHA512

    590073de07ba1f3688eb7e7887d5ba0dc6a6c48e071ce375d974ff23cd0031b717face9606df3222e6e23075fc475501ca488a4b40129dfdcc5a8a9d580de625

Score
10/10

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Executes dropped EXE 7 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 10 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe
    "C:\Users\Admin\AppData\Local\Temp\0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im rutserv.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1500
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im rfusclient.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:296
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im svnhost.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1992
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im systemsmss.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1836
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im svshost.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1548
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im upgradewin.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1952
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im updated.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1688
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im systemswin.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1628
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im systems.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1740
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im systeminfo.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1756
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
          4⤵
          PID:2012
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKLM\SYSTEM\System Corporation Update" /f
          4⤵
          PID:1776
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s "regedit.reg"
          4⤵
          • Runs .reg file with regedit
          PID:2004
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:1476
        • C:\Users\Admin\AppData\Local\Temp\svshost.exe
          svshost.exe /silentinstall
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1160
        • C:\Users\Admin\AppData\Local\Temp\svshost.exe
          svshost.exe /firewall
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1360
        • C:\Users\Admin\AppData\Local\Temp\svshost.exe
          svshost.exe /start
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1544
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Windows\System64" /S /D
          4⤵
          • Views/modifies file attributes
          PID:1984
  • C:\Users\Admin\AppData\Local\Temp\svshost.exe
    C:\Users\Admin\AppData\Local\Temp\svshost.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1760
    • C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
      C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:872
      • C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
        C:\Users\Admin\AppData\Local\Temp\upgradewin.exe /tray
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: SetClipboardViewer
        PID:956
    • C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
      C:\Users\Admin\AppData\Local\Temp\upgradewin.exe /tray
      2⤵
      • Executes dropped EXE
      PID:764

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\Local\Temp\install.bat

        MD5

        e595f1eed00fef50a90ede49468cbe60

        SHA1

        62d19a693bc252b889d684a147cf0206f77e7576

        SHA256

        55faa864b3d8af8ee2560acc9bc002b296b375b209056d16fe9aa057859205c1

        SHA512

        4c3a0d3275c2d809da77d7ce6aa560dd9827023de653a4bca6dbbb276fd1c1f9166537054bbdc7a02c2950488d7e658d989f0c76245f60e163ba917dc83f6a7b

      • C:\Users\Admin\AppData\Local\Temp\install.vbs

        MD5

        65fc32766a238ff3e95984e325357dbb

        SHA1

        3ac16a2648410be8aa75f3e2817fbf69bb0e8922

        SHA256

        a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

        SHA512

        621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

      • C:\Users\Admin\AppData\Local\Temp\regedit.reg

        MD5

        b5da186c88f3e629882a94768910ac4a

        SHA1

        8fa7b238cf4f08dc04ed54334bf1e6834781733e

        SHA256

        f2cfedc94567c049ae83f884d54c8b6e2758372adee9e9e50e16d76add165000

        SHA512

        0829d0f16e689897737f0c57055723bece8a943ee394a785c38ae18903bcf2bbd254132b078f88724a03c319f57b072d9b8a546bbb85778b01865aaadc4cba0e

      • C:\Users\Admin\AppData\Local\Temp\svshost.exe

        MD5

        8d071134c46b96619483975fc06a4c2a

        SHA1

        b6e20f7de308a6e6a9852965e25b581f34e8227b

        SHA256

        b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0

        SHA512

        5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03

      • C:\Users\Admin\AppData\Local\Temp\upgradewin.exe

        MD5

        d8aa01236323dab4facb72d3af631203

        SHA1

        01f18748f9c95121e22df54b192b383baff6b802

        SHA256

        29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df

        SHA512

        e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a

      • \Users\Admin\AppData\Local\Temp\svshost.exe

        MD5

        8d071134c46b96619483975fc06a4c2a

        SHA1

        b6e20f7de308a6e6a9852965e25b581f34e8227b

        SHA256

        b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0

        SHA512

        5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03

      • \Users\Admin\AppData\Local\Temp\upgradewin.exe

        MD5

        d8aa01236323dab4facb72d3af631203

        SHA1

        01f18748f9c95121e22df54b192b383baff6b802

        SHA256

        29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df

        SHA512

        e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a

      • memory/764-84-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

      • memory/872-83-0x00000000001C0000-0x00000000001C1000-memory.dmp

        Filesize

        4KB

      • memory/1084-54-0x0000000075341000-0x0000000075343000-memory.dmp

        Filesize

        8KB

      • memory/1160-64-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

      • memory/1360-68-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

      • memory/1544-74-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

      • memory/1760-76-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB