Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 20:02

General

  • Target: 7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f.exe
  • Size: 3.7MB
  • MD5: eb4542ec4ea785d8ad731a0e8a6c04dc
  • SHA1: 66b87ec611b1839cc2465e4326288f0c0eb6f800
  • SHA256: 7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f
  • SHA512: 3847e2dfcf877bb092ab225c0c016c4256d64921a6cc0dbd4a2f8a5f67cb06bda384a4e7ae49d63a3b3215047b26a9854249ec679d4ce660454699fcbb0257ce

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Executes dropped EXE 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f.exe
    "C:\Users\Admin\AppData\Local\Temp\7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Roaming\Microsoft\up.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\up.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c install.cmd
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1032
        • C:\Users\Admin\AppData\Roaming\Microsoft\Total.exe
          "Total.exe" x -pcpnZZ69kP0EgpnhDnJFhEPDOj data.tmp -y
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1632
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:436
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys" /t REG_SZ /d "c:\ProgramData\rutserv.exe"
          4⤵
          • Adds Run key to start application
          PID:1956
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1948
        • C:\ProgramData\rutserv.exe
          "C:\ProgramData\rutserv.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1260
          • C:\ProgramData\rutserv.exe
            C:\ProgramData\rutserv.exe -second
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1584

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1156-55-0x0000000076071000-0x0000000076073000-memory.dmp (Filesize: 8KB)
  • memory/1260-75-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
  • memory/1584-82-0x00000000043C0000-0x00000000043C1000-memory.dmp (Filesize: 4KB)
  • memory/1584-81-0x00000000043A0000-0x00000000043A1000-memory.dmp (Filesize: 4KB)
  • memory/1584-80-0x0000000004390000-0x0000000004391000-memory.dmp (Filesize: 4KB)
  • memory/1584-83-0x0000000004E80000-0x0000000004E81000-memory.dmp (Filesize: 4KB)
  • memory/1584-78-0x00000000003F0000-0x00000000003F1000-memory.dmp (Filesize: 4KB)
  • memory/1584-84-0x0000000004F10000-0x0000000004F11000-memory.dmp (Filesize: 4KB)
  • memory/1584-86-0x0000000005600000-0x0000000005601000-memory.dmp (Filesize: 4KB)
  • memory/1584-85-0x00000000050E0000-0x00000000050E1000-memory.dmp (Filesize: 4KB)
  • memory/1584-88-0x0000000005610000-0x0000000005611000-memory.dmp (Filesize: 4KB)
  • memory/1584-87-0x0000000005570000-0x0000000005571000-memory.dmp (Filesize: 4KB)
  • memory/1584-89-0x0000000005980000-0x0000000005981000-memory.dmp (Filesize: 4KB)
  • memory/1584-91-0x0000000005A90000-0x0000000005A91000-memory.dmp (Filesize: 4KB)
  • memory/1584-90-0x0000000005970000-0x0000000005971000-memory.dmp (Filesize: 4KB)