Analysis Overview
SHA256
96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92
Threat Level: Known bad
The file 96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92 was found to be: Known bad.
Malicious Activity Summary
RMS
Sets file to hidden
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Enumerates physical storage devices
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Runs .reg file with regedit
Delays execution with timeout.exe
Modifies registry class
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-29 04:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-29 04:38
Reported
2022-01-29 09:11
Platform
win7-en-20211208
Max time kernel
152s
Max time network
143s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\upgradewin.exe | N/A |
| N/A | N/A | C:\Windows\System64\upgradewin.exe | N/A |
| N/A | N/A | C:\Windows\System64\upgradewin.exe | N/A |
Sets file to hidden
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\upgradewin.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System64\upgradewin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System64\svshost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System64\svshost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System64\svshost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System64\svshost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System64\svshost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe | "C:\Users\Admin\AppData\Local\Temp\96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Windows\System64\install.vbs" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Windows\System64\install.bat" " |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im rutserv.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im rfusclient.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im svnhost.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im systemsmss.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im svshost.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im upgradewin.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im updated.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im systemswin.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im systems.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im systeminfo.exe |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\SYSTEM\Remote Manipulator System" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\SYSTEM\System Corporation Update" /f |
| C:\Windows\SysWOW64\regedit.exe | regedit /s "regedit.reg" |
| C:\Windows\SysWOW64\timeout.exe | timeout 2 |
| C:\Windows\System64\svshost.exe | svshost.exe /silentinstall |
| C:\Windows\System64\svshost.exe | svshost.exe /firewall |
| C:\Windows\System64\svshost.exe | svshost.exe /start |
| C:\Windows\System64\svshost.exe | C:\Windows\System64\svshost.exe |
| C:\Windows\System64\upgradewin.exe | C:\Windows\System64\upgradewin.exe |
| C:\Windows\System64\upgradewin.exe | C:\Windows\System64\upgradewin.exe /tray |
| C:\Windows\SysWOW64\attrib.exe | attrib +r +a +s +h "C:\Windows\System64" /S /D |
| C:\Windows\System64\upgradewin.exe | C:\Windows\System64\upgradewin.exe /tray |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
C:\Windows\System64\install.vbs
| MD5 | 65fc32766a238ff3e95984e325357dbb |
| SHA1 | 3ac16a2648410be8aa75f3e2817fbf69bb0e8922 |
| SHA256 | a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420 |
| SHA512 | 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608 |
C:\Windows\System64\install.bat
| MD5 | e595f1eed00fef50a90ede49468cbe60 |
| SHA1 | 62d19a693bc252b889d684a147cf0206f77e7576 |
| SHA256 | 55faa864b3d8af8ee2560acc9bc002b296b375b209056d16fe9aa057859205c1 |
| SHA512 | 4c3a0d3275c2d809da77d7ce6aa560dd9827023de653a4bca6dbbb276fd1c1f9166537054bbdc7a02c2950488d7e658d989f0c76245f60e163ba917dc83f6a7b |
C:\Windows\System64\regedit.reg
| MD5 | b5da186c88f3e629882a94768910ac4a |
| SHA1 | 8fa7b238cf4f08dc04ed54334bf1e6834781733e |
| SHA256 | f2cfedc94567c049ae83f884d54c8b6e2758372adee9e9e50e16d76add165000 |
| SHA512 | 0829d0f16e689897737f0c57055723bece8a943ee394a785c38ae18903bcf2bbd254132b078f88724a03c319f57b072d9b8a546bbb85778b01865aaadc4cba0e |
C:\Windows\System64\svshost.exe
| MD5 | 8d071134c46b96619483975fc06a4c2a |
| SHA1 | b6e20f7de308a6e6a9852965e25b581f34e8227b |
| SHA256 | b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0 |
| SHA512 | 5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03 |
C:\Windows\System64\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |
C:\Windows\System64\upgradewin.exe
| MD5 | d8aa01236323dab4facb72d3af631203 |
| SHA1 | 01f18748f9c95121e22df54b192b383baff6b802 |
| SHA256 | 29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df |
| SHA512 | e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a |
C:\Windows\System64\webmvorbisencoder.dll
| MD5 | 12eba58e4c0450ccb2d9fdce22255d09 |
| SHA1 | 1f88ce0834e0bcf0f61ed0557204ef05dd577b1e |
| SHA256 | c80464f71b46411b01962b6095acd6eb2ed09ad8d6eb0a67840826a6297823b2 |
| SHA512 | 08f999aeb55968de3dacb560a25174e5a1c29eb2ea95a6fc8f770c10369263e2f8cea525f93c89a0e03954ff1221b4486641fc9a892d53a8857e9cf441ec05d4 |
C:\Windows\System64\webmvorbisdecoder.dll
| MD5 | ec59d88c3ebda7c2ce36dcdbe4c67e5b |
| SHA1 | 8b01a5730ebda5729a57d97abec1de00c7cf0218 |
| SHA256 | 54b661f2d55f5cafccd7aca334efb89e908b3f19e3e35c9aa661221b31ec60e3 |
| SHA512 | 46963b390affcb1f6e5d42ae4f4a67a453d9048e8f8b825bb543a1c2031f1ece07d2f295d30eff51a6624bf096e0d10f8ba8d6516b28e63926f214eb7d7e5b84 |
C:\Windows\System64\webmmux.dll
| MD5 | 9581f7064028a782182e8a4411e9afa5 |
| SHA1 | 9356d9f62fc38a1150c3cad556b2a531cd7d430b |
| SHA256 | 320a23db8d34bd2628078903d4496d4b9320d50c13d11283f77a8c3b9ec36698 |
| SHA512 | 01c5a711bd0d7cea5cae906c163b7a98c3b09b8ce5a5b52f096d806e20d7f28fe3e174eb6ba8ff630b870b1cea3d9d72905227a989d70e312d79b55644e6442c |
C:\Windows\System64\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
C:\Windows\System64\RWLN.dll
| MD5 | eba6316a7d073079954d638b335d9165 |
| SHA1 | 4b75e9ae790f51077850b1da60136a182fc06425 |
| SHA256 | 00e0bffd66abca71e488aa52d2672fd90d17eb25a162e3f7af46856faed2e742 |
| SHA512 | 65159606e8f771edf6fb56efa6c660a173456662e8d0e92bbefde765666be685766dd9e7aa8cf8f4c0a0de741392be6a711bee9f215042d715af85bcbe4f2f6a |
C:\Windows\System64\RIPCServer.dll
| MD5 | 500b5d9c3c0ff50c9bafdccb8ee049bc |
| SHA1 | fce3d53df1dff631e69af83420b4bf8b1c632972 |
| SHA256 | c0a5b0f80e85c2e2078feca245bfc78518988b059ea711f65b5060d4f3471838 |
| SHA512 | a624bfd524d44365a583a1ea860fcbde4188a3731e026ba23a3118857461bf8298e90ef51a23f438f9241cc5a2c5c472f47c75c8e312eb68664680c9feefbfb9 |
C:\Windows\System64\Russian.lg
| MD5 | e44e34bc285b709f08f967325d9c8be1 |
| SHA1 | e73f05c6a980ec9d006930c5343955f89579b409 |
| SHA256 | 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b |
| SHA512 | 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727 |
C:\Windows\System64\English.lg
| MD5 | bc25377ade68750b834c81fa71c233b8 |
| SHA1 | 84dbb465dd2125f47668e2508e18af9bd6db2fd8 |
| SHA256 | 9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3 |
| SHA512 | 205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-29 04:38
Reported
2022-01-29 09:11
Platform
win10-en-20211208
Max time kernel
153s
Max time network
153s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\upgradewin.exe | N/A |
| N/A | N/A | C:\Windows\System64\upgradewin.exe | N/A |
| N/A | N/A | C:\Windows\System64\upgradewin.exe | N/A |
Sets file to hidden
Drops file in Windows directory
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\upgradewin.exe | N/A |
| N/A | N/A | C:\Windows\System64\upgradewin.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System64\upgradewin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System64\svshost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System64\svshost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System64\svshost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System64\svshost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System64\svshost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
| N/A | N/A | C:\Windows\System64\svshost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe | "C:\Users\Admin\AppData\Local\Temp\96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Windows\System64\install.vbs" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\System64\install.bat" " |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im rutserv.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im rfusclient.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im svnhost.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im systemsmss.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im svshost.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im upgradewin.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im updated.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im systemswin.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im systems.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im systeminfo.exe |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\SYSTEM\Remote Manipulator System" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\SYSTEM\System Corporation Update" /f |
| C:\Windows\SysWOW64\regedit.exe | regedit /s "regedit.reg" |
| C:\Windows\SysWOW64\timeout.exe | timeout 2 |
| C:\Windows\System64\svshost.exe | svshost.exe /silentinstall |
| C:\Windows\System64\svshost.exe | svshost.exe /firewall |
| C:\Windows\System64\svshost.exe | svshost.exe /start |
| C:\Windows\System64\svshost.exe | C:\Windows\System64\svshost.exe |
| C:\Windows\System64\upgradewin.exe | C:\Windows\System64\upgradewin.exe /tray |
| C:\Windows\System64\upgradewin.exe | C:\Windows\System64\upgradewin.exe |
| C:\Windows\SysWOW64\attrib.exe | attrib +r +a +s +h "C:\Windows\System64" /S /D |
| C:\Windows\System64\upgradewin.exe | C:\Windows\System64\upgradewin.exe /tray |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
C:\Windows\System64\install.vbs
C:\Windows\System64\install.bat
C:\Windows\System64\regedit.reg
C:\Windows\System64\svshost.exe
C:\Windows\System64\English.lg
C:\Windows\System64\Russian.lg
C:\Windows\System64\upgradewin.exe
C:\Windows\System64\webmvorbisencoder.dll
C:\Windows\System64\webmvorbisdecoder.dll
C:\Windows\System64\webmmux.dll
C:\Windows\System64\vp8encoder.dll
C:\Windows\System64\vp8decoder.dll
C:\Windows\System64\RWLN.dll
C:\Windows\System64\RIPCServer.dll
C:\Windows\System64\upgradewin.exe