Analysis Overview
SHA256
7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f
Threat Level: Known bad
The file 7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f was found to be: Known bad.
Malicious Activity Summary
RMS
UPX packed file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
NSIS installer
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-28 20:02
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-28 20:02
Reported
2022-01-28 20:32
Platform
win7-en-20211208
Max time kernel
143s
Max time network
152s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\up.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Total.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation | C:\ProgramData\rutserv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Total.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys = "c:\\ProgramData\\rutserv.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\rutserv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f.exe
"C:\Users\Admin\AppData\Local\Temp\7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\up.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\up.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c install.cmd
C:\Users\Admin\AppData\Roaming\Microsoft\Total.exe
"Total.exe" x -pcpnZZ69kP0EgpnhDnJFhEPDOj data.tmp -y
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys" /t REG_SZ /d "c:\ProgramData\rutserv.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\ProgramData\rutserv.exe
"C:\ProgramData\rutserv.exe"
C:\ProgramData\rutserv.exe
C:\ProgramData\rutserv.exe -second
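Read in order, the Processes list above is the whole staged install: the NSIS sample drops up.exe, which runs cmd /c install.cmd; the script extracts the password-protected data.tmp with Total.exe (the x -p<password> archive -y syntax is 7-Zip's, and 7z.dll is dropped beside it in the Files list), pings 127.0.0.1 twice as a delay, adds the HKCU Run value sys pointing at c:\ProgramData\rutserv.exe with reg.exe, and starts rutserv.exe, which relaunches itself with -second. The Python below is an added example and not part of this sandbox report: it replays that chain as constructed process-creation events and runs four heuristics over them. The command lines are copied from the report; PIDs 1156, 1260 and 1584 match the memory-dump names in the Files section, while the remaining PIDs and every parent link are assumptions (the fan-out from cmd.exe follows the order the sandbox printed).

```python
"""Process-chain heuristics for the staged RMS install in this report.
Added example, not part of the sandbox report; PIDs other than 1156/1260/1584
and all parent links are assumed."""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f.exe"
UP = r"C:\Users\Admin\AppData\Roaming\Microsoft\up.exe"
TOTAL = r"C:\Users\Admin\AppData\Roaming\Microsoft\Total.exe"
SYSWOW = r"C:\Windows\SysWOW64"
RUTSERV = r"C:\ProgramData\rutserv.exe"

# Constructed events mirroring behavioral1; command lines are copied from the report.
SAMPLE_EVENTS = [
    ProcEvent(1156, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1200, 1156, UP, f'"{UP}"'),
    ProcEvent(1220, 1200, SYSWOW + r"\cmd.exe", "cmd /c install.cmd"),
    ProcEvent(1240, 1220, TOTAL, '"Total.exe" x -pcpnZZ69kP0EgpnhDnJFhEPDOj data.tmp -y'),
    ProcEvent(1244, 1220, SYSWOW + r"\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(1248, 1220, SYSWOW + r"\reg.exe",
              r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
              r'/f /v "sys" /t REG_SZ /d "c:\ProgramData\rutserv.exe"'),
    ProcEvent(1252, 1220, SYSWOW + r"\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(1260, 1220, RUTSERV, f'"{RUTSERV}"'),
    ProcEvent(1584, 1260, RUTSERV, RUTSERV + " -second"),
]

_ARG = re.compile(r'"[^"]*"|\S+')
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")


def tokens(cmdline):
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [t.strip('"') for t in _ARG.findall(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    """Heuristic: paths a standard user can write without elevation."""
    return any(m in path.lower() for m in ("\\appdata\\", "\\programdata\\", "\\users\\public\\"))


def _opt(toks, flag):
    low = [t.lower() for t in toks]
    return toks[low.index(flag) + 1] if flag in low and low.index(flag) + 1 < len(toks) else None


def rule_archive_extract(ev, parents):
    """7-Zip extract syntax (x/e) with an inline -p<password>, run from a user-writable dir."""
    toks = tokens(ev.cmdline)
    if len(toks) < 2 or toks[1].lower() not in ("x", "e") or not in_user_writable(ev.image):
        return None
    pw = next((t[2:] for t in toks[2:] if t.startswith("-p") and len(t) > 2), None)
    if pw is None:
        return None
    archive = next((t for t in toks[2:] if not t.startswith("-")), None)
    return {"rule": "archive_extract_inline_password", "pid": ev.pid,
            "tool": basename(ev.image), "archive": archive, "password": pw}


def rule_run_key(ev, parents):
    """reg.exe adding a Run value whose target is in a user-writable path."""
    toks = tokens(ev.cmdline)
    if basename(ev.image) != "reg.exe" or len(toks) < 3 or toks[1].lower() != "add":
        return None
    target = _opt(toks, "/d")
    if "\\currentversion\\run" not in toks[2].lower() or not target or not in_user_writable(target):
        return None
    return {"rule": "persistence_run_key_user_writable", "pid": ev.pid,
            "key": toks[2], "value": _opt(toks, "/v"), "target": target}


def rule_ping_delay(ev, parents):
    """ping to loopback spawned by a script host: the batch-file idiom for sleep."""
    parent = parents.get(ev.ppid)
    if basename(ev.image) != "ping.exe" or parent is None or basename(parent.image) not in SCRIPT_HOSTS:
        return None
    if "127.0.0.1" not in ev.cmdline and "localhost" not in ev.cmdline.lower():
        return None
    return {"rule": "ping_loopback_delay", "pid": ev.pid, "parent": basename(parent.image)}


def rule_programdata_exec(ev, parents):
    """Any executable started from C:\\ProgramData (here the RMS host, rutserv.exe)."""
    if not ev.image.lower().startswith("c:\\programdata\\"):
        return None
    return {"rule": "exec_from_programdata", "pid": ev.pid,
            "image": basename(ev.image), "args": tokens(ev.cmdline)[1:]}


RULES = (rule_archive_extract, rule_run_key, rule_ping_delay, rule_programdata_exec)


def detect_chain(events):
    """Run every rule over every event; parents are resolved by pid."""
    parents = {e.pid: e for e in events}
    return [hit for ev in events for rule in RULES if (hit := rule(ev, parents))]


def verdict(findings, min_rules=3):
    """Alert only when several distinct stages fire and persistence is one of them."""
    rules = {f["rule"] for f in findings}
    return len(rules) >= min_rules and "persistence_run_key_user_writable" in rules
```

Each rule on its own is noisy: administrators extract password-protected archives, some legitimate software persists from ProgramData, and ping 127.0.0.1 is a common sleep in batch files. The verdict therefore requires several stages plus the persistence write, which is what separates this report's chain from any one of those events in isolation. The same shape applies to the behavioral2 run, whose Processes list differs only in the cmd.exe command line.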
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
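The Network table records two lookups through 8.8.8.8 and the connections that followed them: HTTP to rmansys.ru and TCP port 5655 to rms-server.tektonit.ru. Both zones belong to TektonIT, the vendor of RMS (Remote Manipulator System), a fact the report does not state; a blocklist built from these destinations alone will also hit legitimate RMS hosts, so the discriminating evidence in this report is the install chain and the Run key rather than the traffic. The Python below is an added example, not part of the report: it parses the rows exactly as printed, joins each lookup with the flows that followed it, and separates web endpoints from the non-web relay port. The vendor-zone list and the 80/443 web-port set are assumptions made for the example.

```python
"""Correlate DNS lookups with the flows that followed, from the Network table above.
Added example, not part of the sandbox report."""
from collections import defaultdict

# Rows copied from the behavioral1 Network table, header included.
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
"""

# Assumed background: rmansys.ru and tektonit.ru are the RMS vendor's (TektonIT)
# zones, so any legitimate RMS host talks to them as well.
VENDOR_ZONES = ("rmansys.ru", "tektonit.ru")
WEB_PORTS = {80, 443}


def parse_rows(text):
    """Turn pipe-delimited rows as printed into flow dicts; the header row is skipped."""
    flows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        flows.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain.lower().rstrip("."), "proto": proto.lower()})
    return flows


def in_zone(domain, zones=VENDOR_ZONES):
    """Exact or subdomain match only; 'evil-rmansys.ru' must not count as vendor traffic."""
    return any(domain == z or domain.endswith("." + z) for z in zones)


def correlate(flows):
    """Per domain: resolvers asked, endpoints then contacted, and whether the zone is vendor-owned."""
    per = defaultdict(lambda: {"resolvers": set(), "endpoints": set(), "hits": 0, "vendor": False})
    for f in flows:
        rec = per[f["domain"] or "(no dns)"]
        if f["proto"] == "udp" and f["port"] == 53:
            rec["resolvers"].add(f["ip"])
        else:
            rec["endpoints"].add((f["ip"], f["port"], f["proto"]))
            rec["hits"] += 1
        rec["vendor"] = bool(f["domain"]) and in_zone(f["domain"])
    return dict(per)


def non_web_endpoints(summary):
    """Endpoints outside 80/443: in this report the relay on 5655, the flow that marks an RMS session."""
    return sorted((d, ip, port) for d, rec in summary.items()
                  for ip, port, _ in rec["endpoints"] if port not in WEB_PORTS)


def iocs(summary):
    """Flatten into what a blocklist or hunt query takes; the vendor flag travels with each domain."""
    return {
        "domains": {d: rec["vendor"] for d, rec in summary.items() if d != "(no dns)"},
        "ips": sorted({ip for rec in summary.values() for ip, _, _ in rec["endpoints"]}),
        "ports": sorted({port for rec in summary.values() for _, port, _ in rec["endpoints"]}),
    }
```

A TCP flow with an empty Domain cell lands under "(no dns)", which is how a direct-to-IP destination would show up in the same table; none appears in this report, but the parser handles it rather than crashing on the empty cell. When the vendor flag is set on every domain, as here, the network indicators are corroboration for the host findings, not a verdict on their own.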
Files
memory/1156-55-0x0000000076071000-0x0000000076073000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsj8AB4.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Roaming\Microsoft\up.exe
| MD5 | 5647dcce04a40dacf9db63cb2555026b |
| SHA1 | 1c321b3a77bd2857963a5da4de73f8f17a6b35f4 |
| SHA256 | 21f50119664b2aefa863df7f9948eb3c3deea3cbc1c153a2af7339a6ffe9f031 |
| SHA512 | b73aadd60546e669961d1110d593b0cf832b6671836e26b6f23c9d2dbf81acb8d09f9ac94867d63f295e22d92de030d6ba2d5290bd095c473eecd02911f0d171 |
C:\Users\Admin\AppData\Roaming\Microsoft\up.exe
| MD5 | 5647dcce04a40dacf9db63cb2555026b |
| SHA1 | 1c321b3a77bd2857963a5da4de73f8f17a6b35f4 |
| SHA256 | 21f50119664b2aefa863df7f9948eb3c3deea3cbc1c153a2af7339a6ffe9f031 |
| SHA512 | b73aadd60546e669961d1110d593b0cf832b6671836e26b6f23c9d2dbf81acb8d09f9ac94867d63f295e22d92de030d6ba2d5290bd095c473eecd02911f0d171 |
C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd
| MD5 | 831c5c47f1c118e4ee286fa79a42f8fe |
| SHA1 | 0caccbcace73bae4423dd588adf1b0c5e0b442a2 |
| SHA256 | 45134c697df7a62c2410bdf8259a39d3488ac5b9590114adbad36821b42f334c |
| SHA512 | 653c409f6accc740c7d062686d56aaf5acbeb73a5469be0a293fe4073dc2c0e0c0cd5ec1e8e0fdec38f2947f81ce20c0af7b0519c83e71eabe74e0fe76a1f74e |
\Users\Admin\AppData\Roaming\Microsoft\Total.exe
| MD5 | a51d90f2f9394f5ea0a3acae3bd2b219 |
| SHA1 | 20fea1314dbed552d5fedee096e2050369172ee1 |
| SHA256 | ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f |
| SHA512 | c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Total.exe
| MD5 | a51d90f2f9394f5ea0a3acae3bd2b219 |
| SHA1 | 20fea1314dbed552d5fedee096e2050369172ee1 |
| SHA256 | ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f |
| SHA512 | c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6 |
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
| MD5 | 04ad4b80880b32c94be8d0886482c774 |
| SHA1 | 344faf61c3eb76f4a2fb6452e83ed16c9cce73e0 |
| SHA256 | a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338 |
| SHA512 | 3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb |
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
| MD5 | 04ad4b80880b32c94be8d0886482c774 |
| SHA1 | 344faf61c3eb76f4a2fb6452e83ed16c9cce73e0 |
| SHA256 | a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338 |
| SHA512 | 3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb |
C:\Users\Admin\AppData\Roaming\Microsoft\data.tmp
| MD5 | 614d2963b1f06a95da48a5a034b20da7 |
| SHA1 | e4becf59bab88e7f4f89565ea2803d97c0b927cb |
| SHA256 | 6d0f1e3826f088b1cb5824a0fc27f32f2f9a25d77ab293ca3d6580612bb8c285 |
| SHA512 | 9279299743dc8b30534b33008e5b5efaabfb37094f932da922e93a919af0faed661de66f06d50e5479d65b359a277180f1afcc11d1de107399ae1dcf0bb2a7b1 |
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
| MD5 | aa874c546973604d4670c2b61f8795fa |
| SHA1 | b42d0fea829be6df3c7b9879db8f1ad4a44f5062 |
| SHA256 | ddd8227a0456ece67005d4b40d0072bdf8df6238e840ab3166a7befafdc732c0 |
| SHA512 | a91ef2ae8ed8a7e60bb55d210c6b285626477747f7fc8031c244cea6955438835a19602c2091b73633b723777e0f93564e9b9cb1182486720a200f0a223bab6f |
C:\Users\Admin\AppData\Roaming\Microsoft\settings.dat
| MD5 | be09301b66f97da5e051366b58cf1492 |
| SHA1 | 7e5d26ff2a65384c590be4987b7be751306dcf7d |
| SHA256 | 7de440636eac686f90708af7a8ed8805f919b727e53e42493a5c89ec06af77ff |
| SHA512 | 09b9fc2eedad23adae6e67e89ef03c6c848dd5be6f36b34b97b8a8c0261e7ea696fd38bd62e7d25481a4fa121b520aa71eab8a1d5d489b08692a6fcebf8f65be |
\ProgramData\rutserv.exe
| MD5 | aa874c546973604d4670c2b61f8795fa |
| SHA1 | b42d0fea829be6df3c7b9879db8f1ad4a44f5062 |
| SHA256 | ddd8227a0456ece67005d4b40d0072bdf8df6238e840ab3166a7befafdc732c0 |
| SHA512 | a91ef2ae8ed8a7e60bb55d210c6b285626477747f7fc8031c244cea6955438835a19602c2091b73633b723777e0f93564e9b9cb1182486720a200f0a223bab6f |
C:\ProgramData\rutserv.exe
| MD5 | aa874c546973604d4670c2b61f8795fa |
| SHA1 | b42d0fea829be6df3c7b9879db8f1ad4a44f5062 |
| SHA256 | ddd8227a0456ece67005d4b40d0072bdf8df6238e840ab3166a7befafdc732c0 |
| SHA512 | a91ef2ae8ed8a7e60bb55d210c6b285626477747f7fc8031c244cea6955438835a19602c2091b73633b723777e0f93564e9b9cb1182486720a200f0a223bab6f |
memory/1260-75-0x0000000000270000-0x0000000000271000-memory.dmp
memory/1584-78-0x00000000003F0000-0x00000000003F1000-memory.dmp
C:\ProgramData\settings.dat
| MD5 | be09301b66f97da5e051366b58cf1492 |
| SHA1 | 7e5d26ff2a65384c590be4987b7be751306dcf7d |
| SHA256 | 7de440636eac686f90708af7a8ed8805f919b727e53e42493a5c89ec06af77ff |
| SHA512 | 09b9fc2eedad23adae6e67e89ef03c6c848dd5be6f36b34b97b8a8c0261e7ea696fd38bd62e7d25481a4fa121b520aa71eab8a1d5d489b08692a6fcebf8f65be |
memory/1584-81-0x00000000043A0000-0x00000000043A1000-memory.dmp
memory/1584-80-0x0000000004390000-0x0000000004391000-memory.dmp
memory/1584-83-0x0000000004E80000-0x0000000004E81000-memory.dmp
memory/1584-82-0x00000000043C0000-0x00000000043C1000-memory.dmp
memory/1584-84-0x0000000004F10000-0x0000000004F11000-memory.dmp
memory/1584-86-0x0000000005600000-0x0000000005601000-memory.dmp
memory/1584-85-0x00000000050E0000-0x00000000050E1000-memory.dmp
memory/1584-88-0x0000000005610000-0x0000000005611000-memory.dmp
memory/1584-87-0x0000000005570000-0x0000000005571000-memory.dmp
memory/1584-89-0x0000000005980000-0x0000000005981000-memory.dmp
memory/1584-91-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/1584-90-0x0000000005970000-0x0000000005971000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-28 20:02
Reported
2022-01-28 20:32
Platform
win10-en-20211208
Max time kernel
151s
Max time network
148s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\up.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Total.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation | C:\ProgramData\rutserv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Total.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys = "c:\\ProgramData\\rutserv.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\ProgramData\rutserv.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" | C:\ProgramData\rutserv.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\rutserv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f.exe
"C:\Users\Admin\AppData\Local\Temp\7e7da6cf2c261926d030c50a9060092b99b2fe47d2aece51f843c092fa0c7e4f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\up.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\up.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c install.cmd
C:\Users\Admin\AppData\Roaming\Microsoft\Total.exe
"Total.exe" x -pcpnZZ69kP0EgpnhDnJFhEPDOj data.tmp -y
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys" /t REG_SZ /d "c:\ProgramData\rutserv.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\ProgramData\rutserv.exe
"C:\ProgramData\rutserv.exe"
C:\ProgramData\rutserv.exe
C:\ProgramData\rutserv.exe -second
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsxBE50.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Roaming\Microsoft\up.exe
| MD5 | 5647dcce04a40dacf9db63cb2555026b |
| SHA1 | 1c321b3a77bd2857963a5da4de73f8f17a6b35f4 |
| SHA256 | 21f50119664b2aefa863df7f9948eb3c3deea3cbc1c153a2af7339a6ffe9f031 |
| SHA512 | b73aadd60546e669961d1110d593b0cf832b6671836e26b6f23c9d2dbf81acb8d09f9ac94867d63f295e22d92de030d6ba2d5290bd095c473eecd02911f0d171 |
C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd
| MD5 | 831c5c47f1c118e4ee286fa79a42f8fe |
| SHA1 | 0caccbcace73bae4423dd588adf1b0c5e0b442a2 |
| SHA256 | 45134c697df7a62c2410bdf8259a39d3488ac5b9590114adbad36821b42f334c |
| SHA512 | 653c409f6accc740c7d062686d56aaf5acbeb73a5469be0a293fe4073dc2c0e0c0cd5ec1e8e0fdec38f2947f81ce20c0af7b0519c83e71eabe74e0fe76a1f74e |
C:\Users\Admin\AppData\Roaming\Microsoft\Total.exe
| MD5 | a51d90f2f9394f5ea0a3acae3bd2b219 |
| SHA1 | 20fea1314dbed552d5fedee096e2050369172ee1 |
| SHA256 | ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f |
| SHA512 | c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6 |
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
| MD5 | 04ad4b80880b32c94be8d0886482c774 |
| SHA1 | 344faf61c3eb76f4a2fb6452e83ed16c9cce73e0 |
| SHA256 | a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338 |
| SHA512 | 3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb |
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
| MD5 | 04ad4b80880b32c94be8d0886482c774 |
| SHA1 | 344faf61c3eb76f4a2fb6452e83ed16c9cce73e0 |
| SHA256 | a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338 |
| SHA512 | 3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb |
C:\Users\Admin\AppData\Roaming\Microsoft\data.tmp
| MD5 | 614d2963b1f06a95da48a5a034b20da7 |
| SHA1 | e4becf59bab88e7f4f89565ea2803d97c0b927cb |
| SHA256 | 6d0f1e3826f088b1cb5824a0fc27f32f2f9a25d77ab293ca3d6580612bb8c285 |
| SHA512 | 9279299743dc8b30534b33008e5b5efaabfb37094f932da922e93a919af0faed661de66f06d50e5479d65b359a277180f1afcc11d1de107399ae1dcf0bb2a7b1 |
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
| MD5 | aa874c546973604d4670c2b61f8795fa |
| SHA1 | b42d0fea829be6df3c7b9879db8f1ad4a44f5062 |
| SHA256 | ddd8227a0456ece67005d4b40d0072bdf8df6238e840ab3166a7befafdc732c0 |
| SHA512 | a91ef2ae8ed8a7e60bb55d210c6b285626477747f7fc8031c244cea6955438835a19602c2091b73633b723777e0f93564e9b9cb1182486720a200f0a223bab6f |
C:\Users\Admin\AppData\Roaming\Microsoft\settings.dat
| MD5 | be09301b66f97da5e051366b58cf1492 |
| SHA1 | 7e5d26ff2a65384c590be4987b7be751306dcf7d |
| SHA256 | 7de440636eac686f90708af7a8ed8805f919b727e53e42493a5c89ec06af77ff |
| SHA512 | 09b9fc2eedad23adae6e67e89ef03c6c848dd5be6f36b34b97b8a8c0261e7ea696fd38bd62e7d25481a4fa121b520aa71eab8a1d5d489b08692a6fcebf8f65be |
C:\ProgramData\rutserv.exe
| MD5 | aa874c546973604d4670c2b61f8795fa |
| SHA1 | b42d0fea829be6df3c7b9879db8f1ad4a44f5062 |
| SHA256 | ddd8227a0456ece67005d4b40d0072bdf8df6238e840ab3166a7befafdc732c0 |
| SHA512 | a91ef2ae8ed8a7e60bb55d210c6b285626477747f7fc8031c244cea6955438835a19602c2091b73633b723777e0f93564e9b9cb1182486720a200f0a223bab6f |
memory/3320-128-0x0000000001490000-0x0000000001491000-memory.dmp
C:\ProgramData\settings.dat
| MD5 | be09301b66f97da5e051366b58cf1492 |
| SHA1 | 7e5d26ff2a65384c590be4987b7be751306dcf7d |
| SHA256 | 7de440636eac686f90708af7a8ed8805f919b727e53e42493a5c89ec06af77ff |
| SHA512 | 09b9fc2eedad23adae6e67e89ef03c6c848dd5be6f36b34b97b8a8c0261e7ea696fd38bd62e7d25481a4fa121b520aa71eab8a1d5d489b08692a6fcebf8f65be |
memory/1212-131-0x0000000001350000-0x0000000001351000-memory.dmp
memory/1212-133-0x0000000004880000-0x0000000004881000-memory.dmp
memory/1212-134-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
memory/1212-132-0x0000000004660000-0x0000000004661000-memory.dmp
memory/1212-135-0x0000000005040000-0x0000000005041000-memory.dmp
memory/1212-137-0x0000000004F20000-0x0000000004F21000-memory.dmp
memory/1212-136-0x0000000005190000-0x0000000005191000-memory.dmp
memory/1212-139-0x0000000004FD0000-0x0000000004FD1000-memory.dmp
memory/1212-138-0x0000000004F80000-0x0000000004F81000-memory.dmp
memory/1212-140-0x0000000005020000-0x0000000005021000-memory.dmp
memory/1212-142-0x00000000070B0000-0x00000000070B1000-memory.dmp
memory/1212-141-0x0000000006F30000-0x0000000006F31000-memory.dmp
memory/1212-143-0x0000000007480000-0x0000000007551000-memory.dmp