Analysis

Max time kernel: 166s
Max time network: 175s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 28-01-2022 14:20

Static task: static1
Behavioral task: behavioral1
Sample: ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe
Resource: win7-en-20211208

General

Target: ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe
Size: 6.5MB
MD5: c9de51cab6447bd557eaba11ea8f413f
SHA1: e95add090f42e16e3702edff5293ae4db347f689
SHA256: ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc
SHA512: 75aae23ebb9b49096e94236e200d69e95426caa3290f34b0175cd3df398989bea7fec8ce7abb4b6c9333f5732a80ebaf1b974b3caa8d88b8763c4fc01bf39fbe
Malware Config

Signatures

Executes dropped EXE (12 IoCs)
  PID  | Process
  3192 | set.exe
  3972 | setting.exe
  3124 | rfusclient.exe
  2176 | rutserv.exe
  3676 | rfusclient.exe
  3644 | rutserv.exe
  2340 | rfusclient.exe
  492  | rutserv.exe
  1824 | rutserv.exe
  3940 | rfusclient.exe
  2744 | rfusclient.exe
  3224 | rfusclient.exe
Stops running service(s) (3 TTPs)
Loads dropped DLL (23 IoCs)
  PID  | Process
  3964 | MsiExec.exe
  3124 | rfusclient.exe
  3124 | rfusclient.exe
  3124 | rfusclient.exe
  2176 | rutserv.exe
  3676 | rfusclient.exe
  3676 | rfusclient.exe
  3676 | rfusclient.exe
  3644 | rutserv.exe
  2340 | rfusclient.exe
  2340 | rfusclient.exe
  2340 | rfusclient.exe
  492  | rutserv.exe
  1824 | rutserv.exe
  3940 | rfusclient.exe
  3940 | rfusclient.exe
  3940 | rfusclient.exe
  2744 | rfusclient.exe
  2744 | rfusclient.exe
  2744 | rfusclient.exe
  3224 | rfusclient.exe
  3224 | rfusclient.exe
  3224 | rfusclient.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Description             | IoC    | Process
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
Drops file in System32 directory (17 IoCs)
  Description                  | IoC                                                        | Process
  File created                 | C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll          | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\msimg32.dll                   | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\msvcp90.dll                   | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\rwln.dll                      | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\vp8decoder.dll                | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\vp8encoder.dll                | msiexec.exe
  File created                 | C:\Windows\SysWOW64\RWLN.dll                               | rutserv.exe
  File opened for modification | C:\Windows\SysWOW64\RWLN.dll                               | rutserv.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\oledlg.dll                    | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\rfusclient.exe                | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll          | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\gdiplus.dll                   | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\rasadhlp.dll                  | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\ripcserver.dll                | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\rutserv.exe                   | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest   | msiexec.exe
  File created                 | C:\Windows\SysWOW64\sysfiles\msvcr90.dll                   | msiexec.exe
Drops file in Windows directory (11 IoCs)
  Description                  | IoC                                                                             | Process
  File opened for modification | C:\Windows\Installer\MSI6D4D.tmp                                                | msiexec.exe
  File created                 | C:\Windows\Installer\f76637c.msi                                                | msiexec.exe
  File opened for modification | C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe | msiexec.exe
  File created                 | C:\Windows\Installer\f766379.msi                                                | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI69E1.tmp                                                | msiexec.exe
  File created                 | C:\Windows\Installer\inprogressinstallinfo.ipi                                  | msiexec.exe
  File opened for modification | C:\Windows\Installer\                                                           | msiexec.exe
  File created                 | C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe | msiexec.exe
  File opened for modification | C:\Windows\Installer\f766379.msi                                                | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                        | msiexec.exe
  File created                 | C:\Windows\Installer\SourceHash{AB7AA605-500F-4153-8207-FB5563419112}           | msiexec.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates processes with tasklist (1 TTPs, 4 IoCs)
  PID  | Process
  3804 | tasklist.exe
  2664 | tasklist.exe
  3620 | tasklist.exe
  3088 | tasklist.exe
Kills process with taskkill (4 IoCs)
  PID  | Process
  3056 | taskkill.exe
  2920 | taskkill.exe
  3168 | taskkill.exe
  3644 | taskkill.exe
Modifies data under HKEY_USERS (20 IoCs)
  Description      | IoC | Process
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | rfusclient.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | rfusclient.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | rfusclient.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rfusclient.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | rutserv.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 | msiexec.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | rfusclient.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | rfusclient.exe
  Key deleted      | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 | msiexec.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | rfusclient.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rfusclient.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | rfusclient.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" | rutserv.exe
  Key deleted      | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E | msiexec.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rfusclient.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | rfusclient.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | rfusclient.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | rfusclient.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | rfusclient.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | rfusclient.exe
Modifies registry class (24 IoCs)
  Description      | IoC | Process
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\506AA7BAF00535142870BF5536141921 | msiexec.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "rms5.2.1.msi" | msiexec.exe
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net | msiexec.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Clients = 3a0000000000 | msiexec.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\PackageCode = "558594499A0F7BE41A10BED2C55AA173" | msiexec.exe
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049" | msiexec.exe
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AdvertiseFlags = "388" | msiexec.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe" | msiexec.exe
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\DeploymentFlags = "3" | msiexec.exe
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | msiexec.exe
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList | msiexec.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager | msiexec.exe
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921 | msiexec.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047" | msiexec.exe
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640" | msiexec.exe
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Assignment = "1" | msiexec.exe
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\InstanceType = "0" | msiexec.exe
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media | msiexec.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921 | msiexec.exe
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AuthorizedLUAApp = "0" | msiexec.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\1 = "DISK1;1" | msiexec.exe
Runs net.exe
Runs ping.exe (1 TTPs, 1 IoCs)
  PID  | Process
  3732 | PING.EXE
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  PID  | Process
  2020 | msiexec.exe
  2020 | msiexec.exe
  2176 | rutserv.exe
  2176 | rutserv.exe
  3644 | rutserv.exe
  3644 | rutserv.exe
  492  | rutserv.exe
  492  | rutserv.exe
  1824 | rutserv.exe
  1824 | rutserv.exe
  1824 | rutserv.exe
  1824 | rutserv.exe
  1824 | rutserv.exe
  1824 | rutserv.exe
  3940 | rfusclient.exe
  3940 | rfusclient.exe
Suspicious behavior: SetClipboardViewer (1 IoCs)
  PID  | Process
  3224 | rfusclient.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Description                          | PID  | Process
  Token: SeDebugPrivilege              | 3088 | tasklist.exe
  Token: SeDebugPrivilege              | 3056 | taskkill.exe
  Token: SeDebugPrivilege              | 3804 | tasklist.exe
  Token: SeDebugPrivilege              | 2664 | tasklist.exe
  Token: SeDebugPrivilege              | 3168 | taskkill.exe
  Token: SeDebugPrivilege              | 3620 | tasklist.exe
  Token: SeShutdownPrivilege           | 3988 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege      | 3988 | msiexec.exe
  Token: SeSecurityPrivilege           | 2020 | msiexec.exe
  Token: SeCreateTokenPrivilege        | 3988 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 3988 | msiexec.exe
  Token: SeLockMemoryPrivilege         | 3988 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege      | 3988 | msiexec.exe
  Token: SeMachineAccountPrivilege     | 3988 | msiexec.exe
  Token: SeTcbPrivilege                | 3988 | msiexec.exe
  Token: SeSecurityPrivilege           | 3988 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 3988 | msiexec.exe
  Token: SeLoadDriverPrivilege         | 3988 | msiexec.exe
  Token: SeSystemProfilePrivilege      | 3988 | msiexec.exe
  Token: SeSystemtimePrivilege         | 3988 | msiexec.exe
  Token: SeProfSingleProcessPrivilege  | 3988 | msiexec.exe
  Token: SeIncBasePriorityPrivilege    | 3988 | msiexec.exe
  Token: SeCreatePagefilePrivilege     | 3988 | msiexec.exe
  Token: SeCreatePermanentPrivilege    | 3988 | msiexec.exe
  Token: SeBackupPrivilege             | 3988 | msiexec.exe
  Token: SeRestorePrivilege            | 3988 | msiexec.exe
  Token: SeShutdownPrivilege           | 3988 | msiexec.exe
  Token: SeDebugPrivilege              | 3988 | msiexec.exe
  Token: SeAuditPrivilege              | 3988 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege  | 3988 | msiexec.exe
  Token: SeChangeNotifyPrivilege       | 3988 | msiexec.exe
  Token: SeRemoteShutdownPrivilege     | 3988 | msiexec.exe
  Token: SeUndockPrivilege             | 3988 | msiexec.exe
  Token: SeSyncAgentPrivilege          | 3988 | msiexec.exe
  Token: SeEnableDelegationPrivilege   | 3988 | msiexec.exe
  Token: SeManageVolumePrivilege       | 3988 | msiexec.exe
  Token: SeImpersonatePrivilege        | 3988 | msiexec.exe
  Token: SeCreateGlobalPrivilege       | 3988 | msiexec.exe
  Token: SeShutdownPrivilege           | 3848 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege      | 3848 | msiexec.exe
  Token: SeCreateTokenPrivilege        | 3848 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 3848 | msiexec.exe
  Token: SeLockMemoryPrivilege         | 3848 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege      | 3848 | msiexec.exe
  Token: SeMachineAccountPrivilege     | 3848 | msiexec.exe
  Token: SeTcbPrivilege                | 3848 | msiexec.exe
  Token: SeSecurityPrivilege           | 3848 | msiexec.exe
  Token: SeTakeOwnershipPrivilege      | 3848 | msiexec.exe
  Token: SeLoadDriverPrivilege         | 3848 | msiexec.exe
  Token: SeSystemProfilePrivilege      | 3848 | msiexec.exe
  Token: SeSystemtimePrivilege         | 3848 | msiexec.exe
  Token: SeProfSingleProcessPrivilege  | 3848 | msiexec.exe
  Token: SeIncBasePriorityPrivilege    | 3848 | msiexec.exe
  Token: SeCreatePagefilePrivilege     | 3848 | msiexec.exe
  Token: SeCreatePermanentPrivilege    | 3848 | msiexec.exe
  Token: SeBackupPrivilege             | 3848 | msiexec.exe
  Token: SeRestorePrivilege            | 3848 | msiexec.exe
  Token: SeShutdownPrivilege           | 3848 | msiexec.exe
  Token: SeDebugPrivilege              | 3848 | msiexec.exe
  Token: SeAuditPrivilege              | 3848 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege  | 3848 | msiexec.exe
  Token: SeChangeNotifyPrivilege       | 3848 | msiexec.exe
  Token: SeRemoteShutdownPrivilege     | 3848 | msiexec.exe
  Token: SeUndockPrivilege             | 3848 | msiexec.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Description                      | PID  | Process | Target PID
  PID 3488 wrote to memory of 1824 | 3488 | ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe | 68
  PID 3488 wrote to memory of 1824 | 3488 | ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe | 68
  PID 3488 wrote to memory of 1824 | 3488 | ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe | 68
  PID 1824 wrote to memory of 3192 | 1824 | cmd.exe | 70
  PID 1824 wrote to memory of 3192 | 1824 | cmd.exe | 70
  PID 1824 wrote to memory of 3192 | 1824 | cmd.exe | 70
  PID 3192 wrote to memory of 3972 | 3192 | set.exe | 71
  PID 3192 wrote to memory of 3972 | 3192 | set.exe | 71
  PID 3192 wrote to memory of 3972 | 3192 | set.exe | 71
  PID 3972 wrote to memory of 2252 | 3972 | setting.exe | 72
  PID 3972 wrote to memory of 2252 | 3972 | setting.exe | 72
  PID 3972 wrote to memory of 2252 | 3972 | setting.exe | 72
  PID 2252 wrote to memory of 1324 | 2252 | cmd.exe | 74
  PID 2252 wrote to memory of 1324 | 2252 | cmd.exe | 74
  PID 2252 wrote to memory of 1324 | 2252 | cmd.exe | 74
  PID 2252 wrote to memory of 1388 | 2252 | cmd.exe | 75
  PID 2252 wrote to memory of 1388 | 2252 | cmd.exe | 75
  PID 2252 wrote to memory of 1388 | 2252 | cmd.exe | 75
  PID 2252 wrote to memory of 3976 | 2252 | cmd.exe | 76
  PID 2252 wrote to memory of 3976 | 2252 | cmd.exe | 76
  PID 2252 wrote to memory of 3976 | 2252 | cmd.exe | 76
  PID 2252 wrote to memory of 2364 | 2252 | cmd.exe | 77
  PID 2252 wrote to memory of 2364 | 2252 | cmd.exe | 77
  PID 2252 wrote to memory of 2364 | 2252 | cmd.exe | 77
  PID 2252 wrote to memory of 1672 | 2252 | cmd.exe | 78
  PID 2252 wrote to memory of 1672 | 2252 | cmd.exe | 78
  PID 2252 wrote to memory of 1672 | 2252 | cmd.exe | 78
  PID 2252 wrote to memory of 1736 | 2252 | cmd.exe | 79
  PID 2252 wrote to memory of 1736 | 2252 | cmd.exe | 79
  PID 2252 wrote to memory of 1736 | 2252 | cmd.exe | 79
  PID 1736 wrote to memory of 3012 | 1736 | net.exe | 80
  PID 1736 wrote to memory of 3012 | 1736 | net.exe | 80
  PID 1736 wrote to memory of 3012 | 1736 | net.exe | 80
  PID 2252 wrote to memory of 1972 | 2252 | cmd.exe | 81
  PID 2252 wrote to memory of 1972 | 2252 | cmd.exe | 81
  PID 2252 wrote to memory of 1972 | 2252 | cmd.exe | 81
  PID 2252 wrote to memory of 3088 | 2252 | cmd.exe | 82
  PID 2252 wrote to memory of 3088 | 2252 | cmd.exe | 82
  PID 2252 wrote to memory of 3088 | 2252 | cmd.exe | 82
  PID 2252 wrote to memory of 1976 | 2252 | cmd.exe | 83
  PID 2252 wrote to memory of 1976 | 2252 | cmd.exe | 83
  PID 2252 wrote to memory of 1976 | 2252 | cmd.exe | 83
  PID 2252 wrote to memory of 3056 | 2252 | cmd.exe | 85
  PID 2252 wrote to memory of 3056 | 2252 | cmd.exe | 85
  PID 2252 wrote to memory of 3056 | 2252 | cmd.exe | 85
  PID 2252 wrote to memory of 3804 | 2252 | cmd.exe | 86
  PID 2252 wrote to memory of 3804 | 2252 | cmd.exe | 86
  PID 2252 wrote to memory of 3804 | 2252 | cmd.exe | 86
  PID 2252 wrote to memory of 2272 | 2252 | cmd.exe | 87
  PID 2252 wrote to memory of 2272 | 2252 | cmd.exe | 87
  PID 2252 wrote to memory of 2272 | 2252 | cmd.exe | 87
  PID 2252 wrote to memory of 2920 | 2252 | cmd.exe | 88
  PID 2252 wrote to memory of 2920 | 2252 | cmd.exe | 88
  PID 2252 wrote to memory of 2920 | 2252 | cmd.exe | 88
  PID 2252 wrote to memory of 2664 | 2252 | cmd.exe | 89
  PID 2252 wrote to memory of 2664 | 2252 | cmd.exe | 89
  PID 2252 wrote to memory of 2664 | 2252 | cmd.exe | 89
  PID 2252 wrote to memory of 3936 | 2252 | cmd.exe | 90
  PID 2252 wrote to memory of 3936 | 2252 | cmd.exe | 90
  PID 2252 wrote to memory of 3936 | 2252 | cmd.exe | 90
  PID 2252 wrote to memory of 3168 | 2252 | cmd.exe | 91
  PID 2252 wrote to memory of 3168 | 2252 | cmd.exe | 91
  PID 2252 wrote to memory of 3168 | 2252 | cmd.exe | 91
  PID 2252 wrote to memory of 3620 | 2252 | cmd.exe | 92
Views/modifies file attributes (1 TTPs, 4 IoCs)
  PID  | Process
  3976 | attrib.exe
  2364 | attrib.exe
  1672 | attrib.exe
  1388 | attrib.exe
Processes

The tree below is indented by process depth; each entry gives the image path, the PID, the command line and the signatures that fired for that process.

C:\Users\Admin\AppData\Local\Temp\ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe (PID 3488)
  cmd: "C:\Users\Admin\AppData\Local\Temp\ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1824)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123.cmd" "
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\set.exe (PID 3192)
      cmd: set.exe -p1234567890__
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\setting.exe (PID 3972)
        cmd: "C:\Users\Admin\AppData\Local\Temp\setting.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 2252)
          cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.cmd" "
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\chcp.com (PID 1324)
            cmd: chcp 1251
          C:\Windows\SysWOW64\attrib.exe (PID 1388)
            cmd: attrib -S -H -r "C:\Windows\system32\sysfiles"
            - Views/modifies file attributes
          C:\Windows\SysWOW64\attrib.exe (PID 3976)
            cmd: attrib -S -H -r "C:\Windows\syswow64\sysfiles"
            - Views/modifies file attributes
          C:\Windows\SysWOW64\attrib.exe (PID 2364)
            cmd: attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"
            - Views/modifies file attributes
          C:\Windows\SysWOW64\attrib.exe (PID 1672)
            cmd: attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"
            - Views/modifies file attributes
          C:\Windows\SysWOW64\net.exe (PID 1736)
            cmd: net stop rmanservice
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net1.exe (PID 3012)
              cmd: C:\Windows\system32\net1 stop rmanservice
          C:\Windows\SysWOW64\sc.exe (PID 1972)
            cmd: sc delete "rmanservice"
          C:\Windows\SysWOW64\tasklist.exe (PID 3088)
            cmd: tasklist
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\find.exe (PID 1976)
            cmd: find "rfusclient.exe"
          C:\Windows\SysWOW64\taskkill.exe (PID 3056)
            cmd: taskkill /f /im rfusclient.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\tasklist.exe (PID 3804)
            cmd: tasklist
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\find.exe (PID 2272)
            cmd: find "rfusclient.exe *32"
          C:\Windows\SysWOW64\taskkill.exe (PID 2920)
            cmd: taskkill /f /im rfusclient.exe *32
            - Kills process with taskkill
          C:\Windows\SysWOW64\tasklist.exe (PID 2664)
            cmd: tasklist
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\find.exe (PID 3936)
            cmd: find "rutserv.exe"
          C:\Windows\SysWOW64\taskkill.exe (PID 3168)
            cmd: taskkill /f /im rutserv.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\tasklist.exe (PID 3620)
            cmd: tasklist
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\find.exe (PID 4020)
            cmd: find "rutserv.exe *32"
          C:\Windows\SysWOW64\taskkill.exe (PID 3644)
            cmd: taskkill /f /im rutserv.exe *32
            - Kills process with taskkill
          C:\Windows\SysWOW64\msiexec.exe (PID 3988)
            cmd: MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\msiexec.exe (PID 3848)
            cmd: MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\msiexec.exe (PID 416)
            cmd: MsiExec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress
          C:\Windows\SysWOW64\msiexec.exe (PID 3260)
            cmd: MsiExec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress
          C:\Windows\SysWOW64\msiexec.exe (PID 2916)
            cmd: MsiExec /x {FE83B905-4554-4DFF-97F4-9292178CB171} /qn REBOOT=ReallySuppress
          C:\Windows\SysWOW64\msiexec.exe (PID 3940)
            cmd: MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress
          C:\Windows\SysWOW64\reg.exe (PID 584)
            cmd: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11A90858-40BB-4858-A2DA-CA6495B5E907}" /f
          C:\Windows\SysWOW64\reg.exe (PID 2552)
            cmd: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\85809A11BB0485842AADAC46595B9E70\InstallProperties" /f
          C:\Windows\SysWOW64\reg.exe (PID 1744)
            cmd: reg delete "HKCR\Installer\Products\85809A11BB0485842AADAC465 95B9E70" /f
          C:\Windows\SysWOW64\reg.exe (PID 1592)
            cmd: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
          C:\Windows\SysWOW64\reg.exe (PID 872)
            cmd: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}" /f
          C:\Windows\SysWOW64\reg.exe (PID 1280)
            cmd: reg delete "HKCR\Installer\Products\506AA7BAF00535142870BF5536141921" /f
          C:\Windows\SysWOW64\reg.exe (PID 1052)
            cmd: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701" /f
          C:\Windows\SysWOW64\reg.exe (PID 3116)
            cmd: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB" /f
          C:\Windows\SysWOW64\reg.exe (PID 1500)
            cmd: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8" /f
          C:\Windows\SysWOW64\reg.exe (PID 1256)
            cmd: reg delete "HKLM\System\CurrentControlSet\Services\RManService" /f
          C:\Windows\SysWOW64\PING.EXE (PID 3732)
            cmd: ping -n 1 -w 500 google.com.ua
            - Runs ping.exe
          C:\Windows\SysWOW64\msiexec.exe (PID 832)
            cmd: MsiExec /I "rms5.2.1.msi" /qn
        C:\Windows\SysWOW64\cmd.exe (PID 1212)
          cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

C:\Windows\system32\msiexec.exe (PID 2020)
  cmd: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\syswow64\MsiExec.exe (PID 3964)
    cmd: C:\Windows\syswow64\MsiExec.exe -Embedding 310A726E74D5FDA53CA1D428FB4C2022
    - Loads dropped DLL
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe (PID 3124)
    cmd: "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\sysfiles\rutserv.exe (PID 2176)
      cmd: "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe (PID 3676)
    cmd: "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\sysfiles\rutserv.exe (PID 3644)
      cmd: "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe (PID 2340)
    cmd: "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\sysfiles\rutserv.exe (PID 492)
      cmd: "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\sysfiles\rutserv.exe (PID 1824)
  cmd: C:\Windows\SysWOW64\sysfiles\rutserv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe (PID 3940)
    cmd: C:\Windows\SysWOW64\sysfiles\rfusclient.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\sysfiles\rfusclient.exe (PID 3224)
      cmd: C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: SetClipboardViewer
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe (PID 2744)
    cmd: C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
    - Executes dropped EXE
    - Loads dropped DLL