rms | ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc

Analysis

max time kernel
151s
max time network
185s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-01-2022 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe
Size

6.5MB
MD5

c9de51cab6447bd557eaba11ea8f413f
SHA1

e95add090f42e16e3702edff5293ae4db347f689
SHA256

ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc
SHA512

75aae23ebb9b49096e94236e200d69e95426caa3290f34b0175cd3df398989bea7fec8ce7abb4b6c9333f5732a80ebaf1b974b3caa8d88b8763c4fc01bf39fbe

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 12 IoCs

pid	Process
576	set.exe
1548	setting.exe
1964	rfusclient.exe
1492	rutserv.exe
2008	rfusclient.exe
568	rutserv.exe
1904	rfusclient.exe
896	rutserv.exe
1540	rutserv.exe
1944	rfusclient.exe
1912	rfusclient.exe
1524	rfusclient.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 34 IoCs

pid	Process
1588	cmd.exe
576	set.exe
964	MsiExec.exe
1964	rfusclient.exe
1964	rfusclient.exe
1964	rfusclient.exe
1964	rfusclient.exe
1964	rfusclient.exe
1964	rfusclient.exe
1964	rfusclient.exe
1492	rutserv.exe
2008	rfusclient.exe
2008	rfusclient.exe
2008	rfusclient.exe
2008	rfusclient.exe
2008	rfusclient.exe
2008	rfusclient.exe
568	rutserv.exe
1904	rfusclient.exe
1904	rfusclient.exe
1904	rfusclient.exe
1904	rfusclient.exe
1904	rfusclient.exe
1904	rfusclient.exe
896	rutserv.exe
1540	rutserv.exe
1944	rfusclient.exe
1944	rfusclient.exe
1912	rfusclient.exe
1912	rfusclient.exe
1540	rutserv.exe
1912	rfusclient.exe
1524	rfusclient.exe
1524	rfusclient.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\gdiplus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcr90.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rasadhlp.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8encoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\oledlg.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\ripcserver.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rwln.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcp90.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8decoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\sysfiles\msimg32.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rfusclient.exe	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rutserv.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI8085.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f767e48.msi	msiexec.exe
File created	C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\f767e44.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f767e44.msi	msiexec.exe
File created	C:\Windows\Installer\f767e46.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI893D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f767e46.ipi	msiexec.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
2008	tasklist.exe
1508	tasklist.exe
1216	tasklist.exe
1704	tasklist.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1912	taskkill.exe
1900	taskkill.exe
1240	taskkill.exe
880	taskkill.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rfusclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rfusclient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\PackageCode = "558594499A0F7BE41A10BED2C55AA173"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\506AA7BAF00535142870BF5536141921	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "rms5.2.1.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList	msiexec.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1580	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
528	msiexec.exe
528	msiexec.exe
1492	rutserv.exe
1492	rutserv.exe
568	rutserv.exe
568	rutserv.exe
896	rutserv.exe
896	rutserv.exe
1540	rutserv.exe
1540	rutserv.exe
1540	rutserv.exe
1540	rutserv.exe
1944	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1524	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	tasklist.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	1508	tasklist.exe
Token: SeDebugPrivilege	1216	tasklist.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	1704	tasklist.exe
Token: SeShutdownPrivilege	1072	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1072	msiexec.exe
Token: SeRestorePrivilege	528	msiexec.exe
Token: SeTakeOwnershipPrivilege	528	msiexec.exe
Token: SeSecurityPrivilege	528	msiexec.exe
Token: SeCreateTokenPrivilege	1072	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1072	msiexec.exe
Token: SeLockMemoryPrivilege	1072	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1072	msiexec.exe
Token: SeMachineAccountPrivilege	1072	msiexec.exe
Token: SeTcbPrivilege	1072	msiexec.exe
Token: SeSecurityPrivilege	1072	msiexec.exe
Token: SeTakeOwnershipPrivilege	1072	msiexec.exe
Token: SeLoadDriverPrivilege	1072	msiexec.exe
Token: SeSystemProfilePrivilege	1072	msiexec.exe
Token: SeSystemtimePrivilege	1072	msiexec.exe
Token: SeProfSingleProcessPrivilege	1072	msiexec.exe
Token: SeIncBasePriorityPrivilege	1072	msiexec.exe
Token: SeCreatePagefilePrivilege	1072	msiexec.exe
Token: SeCreatePermanentPrivilege	1072	msiexec.exe
Token: SeBackupPrivilege	1072	msiexec.exe
Token: SeRestorePrivilege	1072	msiexec.exe
Token: SeShutdownPrivilege	1072	msiexec.exe
Token: SeDebugPrivilege	1072	msiexec.exe
Token: SeAuditPrivilege	1072	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1072	msiexec.exe
Token: SeChangeNotifyPrivilege	1072	msiexec.exe
Token: SeRemoteShutdownPrivilege	1072	msiexec.exe
Token: SeUndockPrivilege	1072	msiexec.exe
Token: SeSyncAgentPrivilege	1072	msiexec.exe
Token: SeEnableDelegationPrivilege	1072	msiexec.exe
Token: SeManageVolumePrivilege	1072	msiexec.exe
Token: SeImpersonatePrivilege	1072	msiexec.exe
Token: SeCreateGlobalPrivilege	1072	msiexec.exe
Token: SeShutdownPrivilege	1320	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1320	msiexec.exe
Token: SeCreateTokenPrivilege	1320	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1320	msiexec.exe
Token: SeLockMemoryPrivilege	1320	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1320	msiexec.exe
Token: SeMachineAccountPrivilege	1320	msiexec.exe
Token: SeTcbPrivilege	1320	msiexec.exe
Token: SeSecurityPrivilege	1320	msiexec.exe
Token: SeTakeOwnershipPrivilege	1320	msiexec.exe
Token: SeLoadDriverPrivilege	1320	msiexec.exe
Token: SeSystemProfilePrivilege	1320	msiexec.exe
Token: SeSystemtimePrivilege	1320	msiexec.exe
Token: SeProfSingleProcessPrivilege	1320	msiexec.exe
Token: SeIncBasePriorityPrivilege	1320	msiexec.exe
Token: SeCreatePagefilePrivilege	1320	msiexec.exe
Token: SeCreatePermanentPrivilege	1320	msiexec.exe
Token: SeBackupPrivilege	1320	msiexec.exe
Token: SeRestorePrivilege	1320	msiexec.exe
Token: SeShutdownPrivilege	1320	msiexec.exe
Token: SeDebugPrivilege	1320	msiexec.exe
Token: SeAuditPrivilege	1320	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1320	msiexec.exe
Token: SeChangeNotifyPrivilege	1320	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1588	944	ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe	27
PID 944 wrote to memory of 1588	944	ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe	27
PID 944 wrote to memory of 1588	944	ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe	27
PID 944 wrote to memory of 1588	944	ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe	27
PID 1588 wrote to memory of 576	1588	cmd.exe	29
PID 1588 wrote to memory of 576	1588	cmd.exe	29
PID 1588 wrote to memory of 576	1588	cmd.exe	29
PID 1588 wrote to memory of 576	1588	cmd.exe	29
PID 1588 wrote to memory of 576	1588	cmd.exe	29
PID 1588 wrote to memory of 576	1588	cmd.exe	29
PID 1588 wrote to memory of 576	1588	cmd.exe	29
PID 576 wrote to memory of 1548	576	set.exe	30
PID 576 wrote to memory of 1548	576	set.exe	30
PID 576 wrote to memory of 1548	576	set.exe	30
PID 576 wrote to memory of 1548	576	set.exe	30
PID 576 wrote to memory of 1548	576	set.exe	30
PID 576 wrote to memory of 1548	576	set.exe	30
PID 576 wrote to memory of 1548	576	set.exe	30
PID 1548 wrote to memory of 1132	1548	setting.exe	31
PID 1548 wrote to memory of 1132	1548	setting.exe	31
PID 1548 wrote to memory of 1132	1548	setting.exe	31
PID 1548 wrote to memory of 1132	1548	setting.exe	31
PID 1548 wrote to memory of 1132	1548	setting.exe	31
PID 1548 wrote to memory of 1132	1548	setting.exe	31
PID 1548 wrote to memory of 1132	1548	setting.exe	31
PID 1132 wrote to memory of 432	1132	cmd.exe	33
PID 1132 wrote to memory of 432	1132	cmd.exe	33
PID 1132 wrote to memory of 432	1132	cmd.exe	33
PID 1132 wrote to memory of 432	1132	cmd.exe	33
PID 1132 wrote to memory of 432	1132	cmd.exe	33
PID 1132 wrote to memory of 432	1132	cmd.exe	33
PID 1132 wrote to memory of 432	1132	cmd.exe	33
PID 1132 wrote to memory of 1976	1132	cmd.exe	34
PID 1132 wrote to memory of 1976	1132	cmd.exe	34
PID 1132 wrote to memory of 1976	1132	cmd.exe	34
PID 1132 wrote to memory of 1976	1132	cmd.exe	34
PID 1132 wrote to memory of 1976	1132	cmd.exe	34
PID 1132 wrote to memory of 1976	1132	cmd.exe	34
PID 1132 wrote to memory of 1976	1132	cmd.exe	34
PID 1132 wrote to memory of 1972	1132	cmd.exe	35
PID 1132 wrote to memory of 1972	1132	cmd.exe	35
PID 1132 wrote to memory of 1972	1132	cmd.exe	35
PID 1132 wrote to memory of 1972	1132	cmd.exe	35
PID 1132 wrote to memory of 1972	1132	cmd.exe	35
PID 1132 wrote to memory of 1972	1132	cmd.exe	35
PID 1132 wrote to memory of 1972	1132	cmd.exe	35
PID 1132 wrote to memory of 1968	1132	cmd.exe	36
PID 1132 wrote to memory of 1968	1132	cmd.exe	36
PID 1132 wrote to memory of 1968	1132	cmd.exe	36
PID 1132 wrote to memory of 1968	1132	cmd.exe	36
PID 1132 wrote to memory of 1968	1132	cmd.exe	36
PID 1132 wrote to memory of 1968	1132	cmd.exe	36
PID 1132 wrote to memory of 1968	1132	cmd.exe	36
PID 1132 wrote to memory of 1960	1132	cmd.exe	37
PID 1132 wrote to memory of 1960	1132	cmd.exe	37
PID 1132 wrote to memory of 1960	1132	cmd.exe	37
PID 1132 wrote to memory of 1960	1132	cmd.exe	37
PID 1132 wrote to memory of 1960	1132	cmd.exe	37
PID 1132 wrote to memory of 1960	1132	cmd.exe	37
PID 1132 wrote to memory of 1960	1132	cmd.exe	37
PID 1132 wrote to memory of 1356	1132	cmd.exe	38
PID 1132 wrote to memory of 1356	1132	cmd.exe	38
PID 1132 wrote to memory of 1356	1132	cmd.exe	38
PID 1132 wrote to memory of 1356	1132	cmd.exe	38

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1976	attrib.exe
1972	attrib.exe
1968	attrib.exe
1960	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe
"C:\Users\Admin\AppData\Local\Temp\ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\123.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\set.exe
    set.exe -p1234567890__
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Users\Admin\AppData\Local\Temp\setting.exe
      "C:\Users\Admin\AppData\Local\Temp\setting.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.cmd" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1132
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:432
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -S -H -r "C:\Windows\system32\sysfiles"
        6⤵
        Views/modifies file attributes
        
        PID:1976
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -S -H -r "C:\Windows\syswow64\sysfiles"
        6⤵
        Views/modifies file attributes
        
        PID:1972
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"
        6⤵
        Views/modifies file attributes
        
        PID:1968
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"
        6⤵
        Views/modifies file attributes
        
        PID:1960
      - C:\Windows\SysWOW64\net.exe
        
        net stop rmanservice
        6⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop rmanservice
        7⤵
        
        PID:1492
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete "rmanservice"
        6⤵
        
        PID:1552
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
      - C:\Windows\SysWOW64\find.exe
        
        find "rfusclient.exe"
        6⤵
        
        PID:1652
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
      - C:\Windows\SysWOW64\find.exe
        
        find "rfusclient.exe *32"
        6⤵
        
        PID:1560
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe *32
        6⤵
        Kills process with taskkill
        
        PID:1900
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
      - C:\Windows\SysWOW64\find.exe
        
        find "rutserv.exe"
        6⤵
        
        PID:1580
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
      - C:\Windows\SysWOW64\find.exe
        
        find "rutserv.exe *32"
        6⤵
        
        PID:1712
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe *32
        6⤵
        Kills process with taskkill
        
        PID:880
      - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
      - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
      - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress
        6⤵
        
        PID:1692
      - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress
        6⤵
        
        PID:1996
      - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {FE83B905-4554-4DFF-97F4-9292178CB171} /qn REBOOT=ReallySuppress
        6⤵
        
        PID:1488
      - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress
        6⤵
        
        PID:1000
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11A90858-40BB-4858-A2DA-CA6495B5E907}" /f
        6⤵
        
        PID:1756
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\85809A11BB0485842AADAC46595B9E70\InstallProperties" /f
        6⤵
        
        PID:1480
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCR\Installer\Products\85809A11BB0485842AADAC465 95B9E70" /f
        6⤵
        
        PID:568
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        6⤵
        
        PID:1724
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}" /f
        6⤵
        
        PID:1484
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCR\Installer\Products\506AA7BAF00535142870BF5536141921" /f
        6⤵
        
        PID:1560
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701" /f
        6⤵
        
        PID:816
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB" /f
        6⤵
        
        PID:552
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8" /f
        6⤵
        
        PID:380
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlSet\Services\RManService" /f
        6⤵
        
        PID:1136
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 -w 500 google.com.ua
        6⤵
        Runs ping.exe
        
        PID:1580
      - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /I "rms5.2.1.msi" /qn
        6⤵
        
        PID:1240
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        5⤵
        
        PID:516

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B603BA5451C785DBBB24A591E95F3857
  2⤵
  - Loads dropped DLL
  PID:964
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1964
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1492
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2008
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:568
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1904
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:896

C:\Windows\SysWOW64\sysfiles\rutserv.exe
C:\Windows\SysWOW64\sysfiles\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1540
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1944
- - C:\Windows\SysWOW64\sysfiles\rfusclient.exe
    C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: SetClipboardViewer
    PID:1524
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/528-87-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/896-165-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/944-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1492-137-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1540-178-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1904-155-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1912-185-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1944-186-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1964-126-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2008-143-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download