Analysis

max time kernel: 141s
max time network: 167s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-01-2022 18:21

Static task: static1
Behavioral task: behavioral1
  Sample: c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe
  Resource: win10-en-20211208

The signature and process data below belong to the windows7_x64 run (resource win7-en-20211208).
General

Target:  c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe
Size:    3.0MB
MD5:     82b0862419c79ee25b934be588c7ce87
SHA1:    4da3cc133932f5e1b73e131d53b5fc4af642ba95
SHA256:  c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4
SHA512:  c75aa017af6dbe6ee3231e4abea4fb9a6ff9e7a38d23ffcabfafb85019307577279c9d1fc4e85e7540e4c1f0d7e3cfc276f3aab78b9d758f8b5e1dc8749b888e
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   process
  1180  rutserv.exe
  1480  rutserv.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  process      description        ioc
  rutserv.exe  Key value queried  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation

Loads dropped DLL (1 IoC)
  pid   process
  1160  cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  process  description      ioc
  reg.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\rutserv.exe"
  reg.exe  Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run
  The value lives under HKCU, so the persistence needs no elevation and survives only for this user's logons.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The sandbox attaches this note to any drive enumeration; nothing else in this report (no mass file writes, no ransom note, no encryption activity) supports a ransomware classification.

Runs ping.exe (1 TTP, 1 IoC)
  PID 1696, "ping -n 9 localhost" (see the process tree below).

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   process      occurrences
  1180  rutserv.exe  5
  1480  rutserv.exe  4

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  token                    pid   process
  SeDebugPrivilege         1180  rutserv.exe
  SeTakeOwnershipPrivilege 1480  rutserv.exe
  SeTcbPrivilege           1480  rutserv.exe
  SeTcbPrivilege           1480  rutserv.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  pid   process      occurrences
  1180  rutserv.exe  4
  1480  rutserv.exe  4

Suspicious use of WriteProcessMemory (35 IoCs)
  writer pid  writer process                                                          target pid  procid_target  occurrences
  1660        c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe  856         27             7
  856         WScript.exe                                                             1160        28             7
  1160        cmd.exe                                                                 1696        30             7
  1160        cmd.exe                                                                 1180        33             7
  1160        cmd.exe                                                                 328         34             7
  Every target is a direct child of the writer in the process tree below, and each pair is logged seven times. That pattern is consistent with the writes CreateProcess makes into a freshly created child, not with injection into a pre-existing process; the report shows no write into any process outside this chain.
Processes

C:\Users\Admin\AppData\Local\Temp\c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe  (PID 1660)
  command line: "C:\Users\Admin\AppData\Local\Temp\c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe  (PID 856)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\wet.vbs"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1160)
      command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd" /silent"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE  (PID 1696)
        command line: ping -n 9 localhost
        - Runs ping.exe

      C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe  (PID 1180)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe  (PID 1480)
          command line: C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\reg.exe  (PID 328)
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"
        - Adds Run key to start application

Reading the tree: the sample drops wet.vbs, install.cmd and rutserv.exe into %APPDATA%\Microsoft, runs the VBS through WScript.exe, and the VBS runs install.cmd silently. The system binaries are recorded under C:\Windows\SysWOW64\ while their command lines name System32, so the whole chain is 32-bit and runs under WoW64 file-system redirection. "ping -n 9 localhost" is the batch-file sleep idiom (nine echo requests, roughly eight seconds) before the payload starts. rutserv.exe is the file name of the Remote Utilities (RMS) host, a legitimate remote-administration tool that is regularly abused as an implant; whether this copy is the genuine signed binary is not established by the report. The second instance with "-second" is spawned by the first, and the Run value "sys" restarts the host at every logon of this user.
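The chain above (script host running a script from the user profile, cmd.exe, a ping sleep, an executable started from the profile, reg.exe writing a Run value that points back into the profile) is better caught from process-creation telemetry than from file hashes, which change with every rebuild. The following Python is an added example and not part of the sandbox report: it replays the report's process tree as constructed Sysmon Event ID 1-style events (pid, parent pid, image, command line) and flags any cmd.exe that ties the stages together. The root's parent pid (1000) and the two benign control events at the end of the list are assumptions; everything else is copied from the tree.

```python
"""Flag the dropper chain from this report in process-creation telemetry.

Added example, not part of the sandbox report. The events below are
constructed from the report's process tree in Sysmon Event ID 1 style
(pid, parent pid, image path, command line); the root's parent pid (1000)
and the two benign control events are assumptions.
"""
import ntpath
import re
from collections import defaultdict

EVENTS = [
    {"pid": 1660, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\c986dc49d32ba8f0a0580ee06163562d9f6c5ad1969e21aa77db1641a819eab4.exe"'},
    {"pid": 856, "ppid": 1660, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\wet.vbs"'},
    {"pid": 1160, "ppid": 856, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd" /silent"'},
    {"pid": 1696, "ppid": 1160, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmd": "ping -n 9 localhost"},
    {"pid": 1180, "ppid": 1160, "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"'},
    {"pid": 1480, "ppid": 1180, "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe",
     "cmd": r"C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second"},
    {"pid": 328, "ppid": 1160, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmd": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"'},
    # Constructed control: an interactive shell using the same ping idiom, with no script host and no payload.
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\PING.EXE", "cmd": "ping -n 4 localhost"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)


def basename(path):
    return ntpath.basename(path).lower()


def in_user_profile(text):
    """True when the text references a path under a user's AppData tree."""
    return "\\appdata\\" in text.lower()


def is_ping_sleep(cmd):
    """ping -n <count> against the loopback host is the batch-file sleep idiom."""
    return (re.search(r"\bping(?:\.exe)?\b", cmd, re.I) is not None
            and re.search(r"\s-n\s+\d+\b", cmd, re.I) is not None
            and re.search(r"\b(?:localhost|127\.0\.0\.1)\b", cmd, re.I) is not None)


def index(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def detect_chain(events):
    """Return {cmd.exe pid: stages} for every cmd.exe that ties the chain together.

    Stages: launched by a script host running a script out of the profile, a ping
    sleep, an executable started from the profile, and a Run value pointing into
    the profile. A hit needs the script-host parent plus at least two more stages,
    so a lone ping sleep or a lone Run value never fires on its own.
    """
    by_pid, children = index(events)
    findings = {}
    for cmd in events:
        if basename(cmd["image"]) != "cmd.exe":
            continue
        stages = {}
        parent = by_pid.get(cmd["ppid"])
        if parent and basename(parent["image"]) in SCRIPT_HOSTS and in_user_profile(parent["cmd"]):
            stages["script_host_parent"] = parent["pid"]
        for child in children[cmd["pid"]]:
            name = basename(child["image"])
            if name == "ping.exe" and is_ping_sleep(child["cmd"]):
                stages["ping_sleep"] = child["pid"]
            elif name == "reg.exe" and RUN_KEY.search(child["cmd"]) and in_user_profile(child["cmd"]):
                stages["run_key_into_profile"] = child["pid"]
            elif in_user_profile(child["image"]):
                stages["exe_from_profile"] = child["pid"]
        if "script_host_parent" in stages and len(stages) >= 3:
            findings[cmd["pid"]] = stages
    return findings


def lineage(events, pid):
    """Ancestry of a pid, child first, for the analyst's write-up."""
    by_pid, _ = index(events)
    chain = []
    while pid in by_pid:
        chain.append(f"{basename(by_pid[pid]['image'])}({pid})")
        pid = by_pid[pid]["ppid"]
    return " <- ".join(chain)


if __name__ == "__main__":
    for cmd_pid, stages in detect_chain(EVENTS).items():
        print(f"dropper chain under cmd.exe pid {cmd_pid}: {stages}")
        print("  payload lineage:", lineage(EVENTS, 1480))
```

The same fields come from Sysmon Event ID 1 or from Security event 4688 with command-line auditing enabled; the check keys on the parent-child relationships and on paths under AppData, so a rebuilt dropper with new hashes and a renamed payload still trips it as long as the stages stay the same.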
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5     ad508eb4095f5a6041eb3cf37bd0e7d6
SHA1    6501ce523df29802bfc2c81e32bc8e98033958d6
SHA256  f2ecaefeee8b594292a7b5e64afc1f4f5dcc1c21aa7ad8a910dccbc0f5385876
SHA512  e0a64721ffd2bb30dec61bc1b63c148bb7289a63d5c1c6f151b0e79d6cf7181b22e76bea0c89b4882d83423727866e24087d9ee690ec3d939aca55666bc71ce5

MD5     133852043c5bc42337579df1377dc425   (this entry is listed four times in the report)
SHA1    ae49521602846df51c8c5a9d08a4d3de8c207aee
SHA256  7b24f3dad3d4e9c0474ff34a98160ae52b3c9134757b834bebaeca6efa013493
SHA512  a5291691f625b369f5e75f24299dd2ac716f26ec5aa176d14bb765a1d732849565af60c652305b5b4c390694db2a8b61fb6a3d65665f6a4e9fab559a5a4ce327

MD5     6e4dfa11271182f559b54e4d8fd496ab
SHA1    3265a9b2f3386f1b9a1904b7d674a4aee9937470
SHA256  96abb6e4fcb9d6ad3500fcc17c4f428fcb7dee3ec8074d8e5a278ce186989aa8
SHA512  3ce5a910fb6df23ea846cfbe859a40b36d32ad091d9b7cb86070f594de29c45736df8a9d7150c964f369cf1bcca23a07822c1a88936020572260829e01123d47

MD5     0d3eed47d75c9c7d3185e7b61d06652a
SHA1    ae2e913135d03cbc8f853321ef6b96906e1f6962
SHA256  0c592272859379c675f4f5f741fe3cb44c22ee137a7d601ac712c59e1a0f6041
SHA512  328766ce9996c34a740e8853f3df4fe384fa56a6032f6480e5e422daef87ddb957872a31b91174c4f2de13580f6e0669854b3b38d1536b62b02093fc1e14cae7