Malware Analysis Report

2024-11-30 19:50

Sample ID 220129-gr7qfaefe2
Target 7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2
SHA256 7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2
Tags rms evasion rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2

Threat Level: Known bad

The file 7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2 was found to be: Known bad.

Malicious Activity Summary

rms evasion rat trojan

RMS

Sets file to hidden

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Enumerates physical storage devices

Delays execution with timeout.exe

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs .reg file with regedit

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: SetClipboardViewer

Modifies registry class

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-29 06:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-29 06:03

Reported

2022-01-29 10:09

Platform

win7-en-20211208

Max time kernel

156s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe"

Signatures

RMS

trojan rat rms

Sets file to hidden

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\System64\svshost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System64\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\webmvorbisencoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\svshost.exe C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\regedit.reg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\install.vbs C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\RWLN.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\EULA.rtf C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\RIPCServer.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\RIPCServer.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\Russian.lg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\upgradewin.exe C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\upgradewin.exe C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64 C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\__tmp_rar_sfx_access_check_259407167 C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\install.bat C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\Russian.lg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\RWLN.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\webmmux.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\webmvorbisdecoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\webmvorbisencoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\English.lg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\EULA.rtf C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\install.vbs C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\webmmux.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\webmvorbisdecoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\English.lg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\install.bat C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\svshost.exe C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\regedit.reg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\System64\upgradewin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System64\svshost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System64\svshost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System64\svshost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System64\svshost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1116 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe C:\Windows\SysWOW64\WScript.exe
PID 792 wrote to memory of 1408 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1408 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1408 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1408 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1408 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1408 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1408 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1408 wrote to memory of 1188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe

"C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\System64\install.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\System64\install.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im svnhost.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemsmss.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im svshost.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im upgradewin.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im updated.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemswin.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systems.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systeminfo.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\System Corporation Update" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\System64\svshost.exe

svshost.exe /silentinstall

C:\Windows\System64\svshost.exe

svshost.exe /firewall

C:\Windows\System64\svshost.exe

svshost.exe /start

C:\Windows\System64\svshost.exe

C:\Windows\System64\svshost.exe

C:\Windows\System64\upgradewin.exe

C:\Windows\System64\upgradewin.exe

C:\Windows\System64\upgradewin.exe

C:\Windows\System64\upgradewin.exe /tray

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Windows\System64" /S /D

C:\Windows\System64\upgradewin.exe

C:\Windows\System64\upgradewin.exe /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/1116-55-0x0000000076511000-0x0000000076513000-memory.dmp

C:\Windows\System64\install.vbs

MD5 65fc32766a238ff3e95984e325357dbb
SHA1 3ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256 a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

C:\Windows\System64\install.bat

MD5 e595f1eed00fef50a90ede49468cbe60
SHA1 62d19a693bc252b889d684a147cf0206f77e7576
SHA256 55faa864b3d8af8ee2560acc9bc002b296b375b209056d16fe9aa057859205c1
SHA512 4c3a0d3275c2d809da77d7ce6aa560dd9827023de653a4bca6dbbb276fd1c1f9166537054bbdc7a02c2950488d7e658d989f0c76245f60e163ba917dc83f6a7b

C:\Windows\System64\regedit.reg

MD5 2c8dc387f30300d5ab6faec764b2f408
SHA1 fe57f24687a3911fad7ca390d2f05211ba8e129a
SHA256 c6a1d35ee09c92efcea048139ae23e71d77923db4a93571e53c519ed9119edc2
SHA512 d396731a3620e48562e0582bb5a811cfa69e854138390841c0ecaadd1df2059eb92209cdf62ce73d7f57ab4ca1916dc4c90fca6ba618302c1f4cbf5324c85585

\Windows\System64\svshost.exe

MD5 8d071134c46b96619483975fc06a4c2a
SHA1 b6e20f7de308a6e6a9852965e25b581f34e8227b
SHA256 b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0
SHA512 5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03

C:\Windows\System64\svshost.exe

MD5 8d071134c46b96619483975fc06a4c2a
SHA1 b6e20f7de308a6e6a9852965e25b581f34e8227b
SHA256 b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0
SHA512 5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03

memory/1684-82-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1404-89-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1984-88-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Windows\System64\webmmux.dll

MD5 9581f7064028a782182e8a4411e9afa5
SHA1 9356d9f62fc38a1150c3cad556b2a531cd7d430b
SHA256 320a23db8d34bd2628078903d4496d4b9320d50c13d11283f77a8c3b9ec36698
SHA512 01c5a711bd0d7cea5cae906c163b7a98c3b09b8ce5a5b52f096d806e20d7f28fe3e174eb6ba8ff630b870b1cea3d9d72905227a989d70e312d79b55644e6442c

C:\Windows\System64\upgradewin.exe

MD5 d8aa01236323dab4facb72d3af631203
SHA1 01f18748f9c95121e22df54b192b383baff6b802
SHA256 29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df
SHA512 e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a

C:\Windows\System64\webmvorbisencoder.dll

MD5 12eba58e4c0450ccb2d9fdce22255d09
SHA1 1f88ce0834e0bcf0f61ed0557204ef05dd577b1e
SHA256 c80464f71b46411b01962b6095acd6eb2ed09ad8d6eb0a67840826a6297823b2
SHA512 08f999aeb55968de3dacb560a25174e5a1c29eb2ea95a6fc8f770c10369263e2f8cea525f93c89a0e03954ff1221b4486641fc9a892d53a8857e9cf441ec05d4

C:\Windows\System64\webmvorbisdecoder.dll

MD5 ec59d88c3ebda7c2ce36dcdbe4c67e5b
SHA1 8b01a5730ebda5729a57d97abec1de00c7cf0218
SHA256 54b661f2d55f5cafccd7aca334efb89e908b3f19e3e35c9aa661221b31ec60e3
SHA512 46963b390affcb1f6e5d42ae4f4a67a453d9048e8f8b825bb543a1c2031f1ece07d2f295d30eff51a6624bf096e0d10f8ba8d6516b28e63926f214eb7d7e5b84

C:\Windows\System64\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\Windows\System64\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Windows\System64\RWLN.dll

MD5 eba6316a7d073079954d638b335d9165
SHA1 4b75e9ae790f51077850b1da60136a182fc06425
SHA256 00e0bffd66abca71e488aa52d2672fd90d17eb25a162e3f7af46856faed2e742
SHA512 65159606e8f771edf6fb56efa6c660a173456662e8d0e92bbefde765666be685766dd9e7aa8cf8f4c0a0de741392be6a711bee9f215042d715af85bcbe4f2f6a

C:\Windows\System64\RIPCServer.dll

MD5 500b5d9c3c0ff50c9bafdccb8ee049bc
SHA1 fce3d53df1dff631e69af83420b4bf8b1c632972
SHA256 c0a5b0f80e85c2e2078feca245bfc78518988b059ea711f65b5060d4f3471838
SHA512 a624bfd524d44365a583a1ea860fcbde4188a3731e026ba23a3118857461bf8298e90ef51a23f438f9241cc5a2c5c472f47c75c8e312eb68664680c9feefbfb9

C:\Windows\System64\Russian.lg

MD5 e44e34bc285b709f08f967325d9c8be1
SHA1 e73f05c6a980ec9d006930c5343955f89579b409
SHA256 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b
SHA512 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

C:\Windows\System64\English.lg

MD5 bc25377ade68750b834c81fa71c233b8
SHA1 84dbb465dd2125f47668e2508e18af9bd6db2fd8
SHA256 9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3
SHA512 205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

\Windows\System64\upgradewin.exe

MD5 d8aa01236323dab4facb72d3af631203
SHA1 01f18748f9c95121e22df54b192b383baff6b802
SHA256 29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df
SHA512 e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a

memory/1552-106-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2016-107-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-29 06:03

Reported

2022-01-29 10:09

Platform

win10-en-20211208

Max time kernel

174s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe"

Signatures

RMS

trojan rat rms

Sets file to hidden

evasion

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\System64\English.lg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\Russian.lg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\EULA.rtf C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\EULA.rtf C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\webmmux.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\upgradewin.exe C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\install.vbs C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\upgradewin.exe C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\svshost.exe C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\__tmp_rar_sfx_access_check_259400343 C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\RIPCServer.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\RWLN.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\RWLN.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\webmmux.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\webmvorbisdecoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\webmvorbisdecoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\regedit.reg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\regedit.reg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\webmvorbisencoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\RIPCServer.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\webmvorbisencoder.dll C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64 C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\install.bat C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\Russian.lg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\English.lg C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\install.bat C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File opened for modification C:\Windows\System64\install.vbs C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A
File created C:\Windows\System64\svshost.exe C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\System64\upgradewin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System64\svshost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System64\svshost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System64\svshost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System64\svshost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System64\svshost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System64\svshost.exe N/A
N/A N/A C:\Windows\System64\svshost.exe N/A
N/A N/A C:\Windows\System64\svshost.exe N/A
N/A N/A C:\Windows\System64\svshost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3184 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe C:\Windows\SysWOW64\WScript.exe
PID 3184 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe C:\Windows\SysWOW64\WScript.exe
PID 3184 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe C:\Windows\SysWOW64\WScript.exe
PID 3988 wrote to memory of 1084 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 1084 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 1084 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1084 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1084 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1084 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1084 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1084 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1084 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1084 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1084 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1084 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1084 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1084 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1084 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1084 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svshost.exe
PID 1084 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svshost.exe
PID 1084 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svshost.exe
PID 1084 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svshost.exe
PID 1084 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svshost.exe
PID 1084 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svshost.exe
PID 1084 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svshost.exe
PID 1084 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svshost.exe
PID 1084 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svshost.exe
PID 1424 wrote to memory of 1028 N/A C:\Windows\System64\svshost.exe C:\Windows\System64\upgradewin.exe
PID 1424 wrote to memory of 1028 N/A C:\Windows\System64\svshost.exe C:\Windows\System64\upgradewin.exe
PID 1424 wrote to memory of 1028 N/A C:\Windows\System64\svshost.exe C:\Windows\System64\upgradewin.exe
PID 1424 wrote to memory of 2160 N/A C:\Windows\System64\svshost.exe C:\Windows\System64\upgradewin.exe
PID 1424 wrote to memory of 2160 N/A C:\Windows\System64\svshost.exe C:\Windows\System64\upgradewin.exe
PID 1424 wrote to memory of 2160 N/A C:\Windows\System64\svshost.exe C:\Windows\System64\upgradewin.exe
PID 1084 wrote to memory of 516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe

"C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\System64\install.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\System64\install.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im svnhost.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemsmss.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im svshost.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im upgradewin.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im updated.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemswin.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systems.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systeminfo.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\System Corporation Update" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\System64\svshost.exe

svshost.exe /silentinstall

C:\Windows\System64\svshost.exe

svshost.exe /firewall

C:\Windows\System64\svshost.exe

svshost.exe /start

C:\Windows\System64\svshost.exe

C:\Windows\System64\svshost.exe

C:\Windows\System64\upgradewin.exe

C:\Windows\System64\upgradewin.exe

C:\Windows\System64\upgradewin.exe

C:\Windows\System64\upgradewin.exe /tray

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Windows\System64" /S /D

C:\Windows\System64\upgradewin.exe

C:\Windows\System64\upgradewin.exe /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

C:\Windows\System64\install.vbs

MD5 65fc32766a238ff3e95984e325357dbb
SHA1 3ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256 a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

C:\Windows\System64\install.bat

MD5 e595f1eed00fef50a90ede49468cbe60
SHA1 62d19a693bc252b889d684a147cf0206f77e7576
SHA256 55faa864b3d8af8ee2560acc9bc002b296b375b209056d16fe9aa057859205c1
SHA512 4c3a0d3275c2d809da77d7ce6aa560dd9827023de653a4bca6dbbb276fd1c1f9166537054bbdc7a02c2950488d7e658d989f0c76245f60e163ba917dc83f6a7b

C:\Windows\System64\regedit.reg

MD5 2c8dc387f30300d5ab6faec764b2f408
SHA1 fe57f24687a3911fad7ca390d2f05211ba8e129a
SHA256 c6a1d35ee09c92efcea048139ae23e71d77923db4a93571e53c519ed9119edc2
SHA512 d396731a3620e48562e0582bb5a811cfa69e854138390841c0ecaadd1df2059eb92209cdf62ce73d7f57ab4ca1916dc4c90fca6ba618302c1f4cbf5324c85585

C:\Windows\System64\svshost.exe

MD5 8d071134c46b96619483975fc06a4c2a
SHA1 b6e20f7de308a6e6a9852965e25b581f34e8227b
SHA256 b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0
SHA512 5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03

C:\Windows\System64\English.lg

MD5 bc25377ade68750b834c81fa71c233b8
SHA1 84dbb465dd2125f47668e2508e18af9bd6db2fd8
SHA256 9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3
SHA512 205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

memory/1424-213-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/856-212-0x0000000000B00000-0x0000000000B01000-memory.dmp

C:\Windows\System64\Russian.lg

MD5 e44e34bc285b709f08f967325d9c8be1
SHA1 e73f05c6a980ec9d006930c5343955f89579b409
SHA256 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b
SHA512 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

C:\Windows\System64\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Windows\System64\upgradewin.exe

MD5 d8aa01236323dab4facb72d3af631203
SHA1 01f18748f9c95121e22df54b192b383baff6b802
SHA256 29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df
SHA512 e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a

C:\Windows\System64\webmvorbisencoder.dll

MD5 12eba58e4c0450ccb2d9fdce22255d09
SHA1 1f88ce0834e0bcf0f61ed0557204ef05dd577b1e
SHA256 c80464f71b46411b01962b6095acd6eb2ed09ad8d6eb0a67840826a6297823b2
SHA512 08f999aeb55968de3dacb560a25174e5a1c29eb2ea95a6fc8f770c10369263e2f8cea525f93c89a0e03954ff1221b4486641fc9a892d53a8857e9cf441ec05d4

C:\Windows\System64\webmvorbisdecoder.dll

MD5 ec59d88c3ebda7c2ce36dcdbe4c67e5b
SHA1 8b01a5730ebda5729a57d97abec1de00c7cf0218
SHA256 54b661f2d55f5cafccd7aca334efb89e908b3f19e3e35c9aa661221b31ec60e3
SHA512 46963b390affcb1f6e5d42ae4f4a67a453d9048e8f8b825bb543a1c2031f1ece07d2f295d30eff51a6624bf096e0d10f8ba8d6516b28e63926f214eb7d7e5b84

C:\Windows\System64\webmmux.dll

MD5 9581f7064028a782182e8a4411e9afa5
SHA1 9356d9f62fc38a1150c3cad556b2a531cd7d430b
SHA256 320a23db8d34bd2628078903d4496d4b9320d50c13d11283f77a8c3b9ec36698
SHA512 01c5a711bd0d7cea5cae906c163b7a98c3b09b8ce5a5b52f096d806e20d7f28fe3e174eb6ba8ff630b870b1cea3d9d72905227a989d70e312d79b55644e6442c

C:\Windows\System64\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\Windows\System64\RWLN.dll

MD5 eba6316a7d073079954d638b335d9165
SHA1 4b75e9ae790f51077850b1da60136a182fc06425
SHA256 00e0bffd66abca71e488aa52d2672fd90d17eb25a162e3f7af46856faed2e742
SHA512 65159606e8f771edf6fb56efa6c660a173456662e8d0e92bbefde765666be685766dd9e7aa8cf8f4c0a0de741392be6a711bee9f215042d715af85bcbe4f2f6a

C:\Windows\System64\RIPCServer.dll

MD5 500b5d9c3c0ff50c9bafdccb8ee049bc
SHA1 fce3d53df1dff631e69af83420b4bf8b1c632972
SHA256 c0a5b0f80e85c2e2078feca245bfc78518988b059ea711f65b5060d4f3471838
SHA512 a624bfd524d44365a583a1ea860fcbde4188a3731e026ba23a3118857461bf8298e90ef51a23f438f9241cc5a2c5c472f47c75c8e312eb68664680c9feefbfb9

memory/2160-225-0x0000000000A00000-0x0000000000A01000-memory.dmp

memory/1028-226-0x0000000002700000-0x0000000002701000-memory.dmp
