Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 18:44
Static task: static1
Behavioral task: behavioral1
- Sample: b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe
- Resource: win10-en-20211208
General
- Target: b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe
- Size: 3.0MB
- MD5: e722b64756034173c98ace2352df1904
- SHA1: 8d01e508901935f31931fc9503de053f2a967d5c
- SHA256: b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111
- SHA512: 219ba9831b59b206561cd039317e2ac6286dcee7d37fe98865fa40d7234ac664d1a51841dbea63d612ac925a7868e646d27c45efa080754de2638f92a005ef89
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
Processes:
  flow  pid   Process
  3     1556  WScript.exe
  5     1556  WScript.exe
  7     1556  WScript.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid   Process
  836   rutserv.exe
  968   rutserv.exe
Processes:
  resource                                     yara_rule
  behavioral1/files/0x000800000001222f-61.dat  upx
  behavioral1/files/0x000800000001222f-62.dat  upx
  behavioral1/files/0x000800000001222f-63.dat  upx
  behavioral1/files/0x000800000001222f-68.dat  upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation  rutserv.exe
Loads dropped DLL (1 IoCs)
Processes:
  pid   Process
  1864  cmd.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                                     Process
  Key created      \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run                               reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\rutserv.exe"  reg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies system certificate store
Processes:
  description       ioc                                                                                                                        Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349            WScript.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob not shown in report]  WScript.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob not shown in report]  WScript.exe
Runs ping.exe (1 TTPs, 2 IoCs)
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
  pid   Process      entries
  836   rutserv.exe  5
  968   rutserv.exe  4
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                      pid   Process
  Token: SeDebugPrivilege          836   rutserv.exe
  Token: SeTakeOwnershipPrivilege  968   rutserv.exe
  Token: SeTcbPrivilege            968   rutserv.exe
  Token: SeTcbPrivilege            968   rutserv.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
  pid   Process      entries
  836   rutserv.exe  4
  968   rutserv.exe  4
Suspicious use of WriteProcessMemory (42 IoCs)
Processes (each row appears 7 times in the report):
  description                      Process                                                                    procid_target
  PID 756 wrote to memory of 1556  b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe  27
  PID 1556 wrote to memory of 1864 WScript.exe                                                                28
  PID 1864 wrote to memory of 1108 cmd.exe                                                                    30
  PID 1864 wrote to memory of 1260 cmd.exe                                                                    31
  PID 1864 wrote to memory of 836  cmd.exe                                                                    32
  PID 1864 wrote to memory of 2024 cmd.exe                                                                    33
Processes

C:\Users\Admin\AppData\Local\Temp\b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe  (PID 756)
  command line: "C:\Users\Admin\AppData\Local\Temp\b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe  (PID 1556)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\wet.vbs"
    - Blocklisted process makes network request
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1864)
      command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd" /silent"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE  (PID 1108)
        command line: ping -n 9 localhost
        - Runs ping.exe

      C:\Windows\SysWOW64\reg.exe  (PID 1260)
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"
        - Adds Run key to start application

      C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe  (PID 836)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe  (PID 968)
          command line: C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\PING.EXE  (PID 2024)
        command line: ping 127.0.0.1
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads