Analysis Overview
SHA256
a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf
Threat Level: Known bad
The file a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf was found to be: Known bad.
Malicious Activity Summary
RMS
xmrig
Executes dropped EXE
Sets file to hidden
UPX packed file
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
NSIS installer
Runs .reg file with regedit
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Suspicious behavior: GetForegroundWindowSpam
Delays execution with timeout.exe
Modifies Internet Explorer settings
Suspicious behavior: SetClipboardViewer
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-05 04:13
Signatures
NSIS installer
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-05 04:13
Reported
2022-02-05 04:15
Platform
win7-en-20211208
Max time kernel
155s
Max time network
140s
Command Line
Signatures
RMS
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Load.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\System64\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\System64\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\svchost.exe | N/A |
Sets file to hidden
UPX packed file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System64\vp8encoder.dll | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
| File created | C:\Windows\System64\vp8decoder.dll | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
| File created | C:\Windows\System64\install.bat | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
| File opened for modification | C:\Windows\System64\install.bat | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
| File created | C:\Windows\setlib.ini | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
| File created | C:\Windows\System64\rfusclient.exe | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
| File created | C:\Windows\System64\rutserv.exe | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
| File created | C:\Windows\System64\regedit.reg | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
| File created | C:\Windows\service.bat | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rfusclient.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System64\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System64\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System64\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System64\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System64\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System64\rutserv.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\System64\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe
"C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe"
C:\Users\Admin\AppData\Roaming\1337\Loader.exe
"C:\Users\Admin\AppData\Roaming\1337\Loader.exe"
C:\Users\Admin\AppData\Roaming\1337\Load.exe
"C:\Users\Admin\AppData\Roaming\1337\Load.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\System64\install.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib -r -a -s -h "C:\Windows\System64\install.bat" /S /D
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\System Corporation Update" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\System64\rutserv.exe
rutserv.exe /silentinstall
C:\Windows\System64\rutserv.exe
rutserv.exe /firewall
C:\Windows\System64\rutserv.exe
rutserv.exe /start
C:\Windows\System64\rutserv.exe
C:\Windows\System64\rutserv.exe
C:\Windows\System64\rfusclient.exe
C:\Windows\System64\rfusclient.exe /tray
C:\Windows\System64\rfusclient.exe
C:\Windows\System64\rfusclient.exe
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Windows\System64" /S /D
C:\Windows\System64\rfusclient.exe
C:\Windows\System64\rfusclient.exe /tray
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\service.bat" "
C:\Windows\svchost.exe
svchost.exe /install /silent
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Windows\svchost.exe" /S /D
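The process tree above is the whole RMS (Remote Manipulator System) install chain in one pass: Loader.exe drops `rutserv.exe`/`rfusclient.exe` into a fake `C:\Windows\System64` directory, install.bat kills any running copy, wipes the old "Remote Manipulator System" key, imports `regedit.reg`, runs `rutserv.exe /silentinstall`, `/firewall` and `/start`, hides the directory with `attrib +s +h`, and service.bat plants a second `svchost.exe` directly under `C:\Windows`. The following is an added detection example, not part of the sandbox report: it replays those command lines (constructed here from the Processes section, plus one benign control line for the real `C:\Windows\System32\svchost.exe`) through a few rules and returns a verdict. Rule names, the event tuple layout and the `LEGIT_SVCHOST_DIRS` set are my own assumptions.

```python
"""Added example, not part of the sandbox report: replay the recorded process
command lines through detection rules for the RMS install chain seen in this
detonation. Event tuples are constructed from the Processes section above."""
import ntpath
import re

# Constructed sample (image path, command line) pairs copied from the report,
# plus one benign control line (the real svchost.exe) that must stay silent.
SAMPLE_EVENTS = [
    (r"C:\Users\Admin\AppData\Roaming\1337\Loader.exe", r'"C:\Users\Admin\AppData\Roaming\1337\Loader.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\Windows\System64\install.bat" "'),
    (r"C:\Windows\SysWOW64\attrib.exe", r'attrib -r -a -s -h "C:\Windows\System64\install.bat" /S /D'),
    (r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /f /im rutserv.exe"),
    (r"C:\Windows\SysWOW64\reg.exe", r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    (r"C:\Windows\SysWOW64\regedit.exe", r'regedit /s "regedit.reg"'),
    (r"C:\Windows\SysWOW64\timeout.exe", r"timeout 2"),
    (r"C:\Windows\System64\rutserv.exe", r"rutserv.exe /silentinstall"),
    (r"C:\Windows\System64\rutserv.exe", r"rutserv.exe /firewall"),
    (r"C:\Windows\System64\rutserv.exe", r"rutserv.exe /start"),
    (r"C:\Windows\System64\rfusclient.exe", r"C:\Windows\System64\rfusclient.exe /tray"),
    (r"C:\Windows\SysWOW64\attrib.exe", r'attrib +r +a +s +h "C:\Windows\System64" /S /D'),
    (r"C:\Windows\svchost.exe", r"svchost.exe /install /silent"),
    (r"C:\Windows\SysWOW64\attrib.exe", r'attrib +r +a +s +h "C:\Windows\svchost.exe" /S /D'),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),  # benign control
]

# Assumed allow-list: where a legitimate svchost.exe lives on 64-bit Windows.
# WinSxS copies are ignored here; extend the set if your telemetry shows them.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _base(img):
    # ntpath handles Windows-style paths regardless of the analyst's host OS.
    return ntpath.basename(img).lower()


def rms_silent_install(img, cmd):
    """rutserv.exe driven with the RMS unattended-install switches."""
    return _base(img) == "rutserv.exe" and re.search(r"/(silentinstall|firewall|start)\b", cmd, re.I) is not None


def fake_system_dir(img, cmd):
    """A 'System64' folder under the Windows directory does not exist on any Windows build; it mimics System32."""
    return re.search(r"\\windows\\system64\b", img + " " + cmd, re.I) is not None


def svchost_masquerade(img, cmd):
    """svchost.exe executing from outside its legitimate directories."""
    return _base(img) == "svchost.exe" and ntpath.dirname(img).lower() not in LEGIT_SVCHOST_DIRS


def hidden_system_attrib(img, cmd):
    """attrib.exe marking something under the Windows directory as system+hidden."""
    return (_base(img) == "attrib.exe"
            and re.search(r"(\+s\b.*\+h\b|\+h\b.*\+s\b)", cmd, re.I) is not None
            and re.search(r"c:\\windows\\", cmd, re.I) is not None)


def rms_regkey_tamper(img, cmd):
    """reg.exe touching the RMS service key (here: deleting it before reinstall)."""
    return _base(img) == "reg.exe" and re.search(r"remote manipulator system", cmd, re.I) is not None


RULES = [rms_silent_install, fake_system_dir, svchost_masquerade, hidden_system_attrib, rms_regkey_tamper]


def scan(events):
    """Return one (rule_name, image, cmdline) tuple per rule that fires on each event."""
    hits = []
    for img, cmd in events:
        for rule in RULES:
            if rule(img, cmd):
                hits.append((rule.__name__, img, cmd))
    return hits


def fired_rules(events):
    return {name for name, _, _ in scan(events)}


def chain_detected(events):
    """Verdict: the RMS installer ran AND it hid itself or planted a fake svchost."""
    fired = fired_rules(events)
    return "rms_silent_install" in fired and bool(fired & {"hidden_system_attrib", "svchost_masquerade"})


if __name__ == "__main__":
    for name, img, cmd in scan(SAMPLE_EVENTS):
        print(f"{name:22} {cmd}")
    print("RMS install chain detected:", chain_detected(SAMPLE_EVENTS))
```

The individual rules are deliberately narrow so each can be ported to a Sysmon Event ID 1 or EDR process-creation query on its own; `chain_detected` only returns true when the installer switch sequence is paired with one of the concealment steps, which keeps a legitimately licensed RMS deployment from the same `rutserv.exe /silentinstall` command from alerting by itself.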
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| US | 8.8.8.8:53 | q987356n.beget.tech | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | black-rad.pro | udp |
Files
memory/2028-55-0x0000000075F81000-0x0000000075F83000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsvD1FF.tmp\System.dll
| MD5 | 2ae993a2ffec0c137eb51c8832691bcb |
| SHA1 | 98e0b37b7c14890f8a599f35678af5e9435906e1 |
| SHA256 | 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59 |
| SHA512 | 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9 |
\Users\Admin\AppData\Roaming\1337\Loader.exe
| MD5 | b8084e3ba8602e452d411537b31dd169 |
| SHA1 | a12b7cc1dbcf959652fc42c41a2fd349c2356a87 |
| SHA256 | 704054f5f86c584a5d584833a61bcb2ef664b17ee006562776b9180dafd47449 |
| SHA512 | 03b1130de382665c288f1d6f7195cebae34721d3856a8a15afff7907c8885c5b2b37214de6f0211d2da6c701796b37847142ac497ee862368bd753dce2ee6bc8 |
C:\Users\Admin\AppData\Roaming\1337\Load.exe
| MD5 | 1c47d7d816551d92af16aa0e0f922993 |
| SHA1 | 974302d5218652ed856fbcc94249bc877789d695 |
| SHA256 | a986dd387c5820015c5700741762ed0d6e4d6b4e382229de60f6dae6b0d5c55e |
| SHA512 | b910c88b94fbb19927e503b26790dc88c79c78a6a7bf7ba656533350ed0280d32b96270eb670bb4286353d8d7c7a4626b65ff58fbc789e336f13c80e631ba968 |
memory/1448-62-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Windows\System64\install.bat
| MD5 | 940aac6e154cb26c1d45a64b4e129de9 |
| SHA1 | 9e3e2e12d5b8dcc1003995292c4ca78b3e6edd13 |
| SHA256 | 0b3c7828ce5900d2f81cc3c2f6b1aa66f271f7a18521912d351e09a2f2930e56 |
| SHA512 | cd0194f1ae468698be3a1995a06948d0185d91eca33a7a8294394460b2283a6d5cb68c3a79f263f53a4a0554dd386e2048923559ba539aa11fc1d6f734e4cecf |
C:\Windows\System64\regedit.reg
| MD5 | 339f2194944f1eb4a55459aceb825996 |
| SHA1 | 07ee1c55d1c51334fe8813367c3bf38c6db51d25 |
| SHA256 | 94791ccd31afd67abe9b49c46c2ef51761acfa894dc5d4344c3e8ebaa1efa703 |
| SHA512 | 145ae3cd113e84a4a34efc32ea1ba755af02d9924856a23456f30427a3d9c97d8f2d1fb4aa8abb0457f53f7c0585e5bb56a91f1aea67e04239ec0acb6b7564a8 |
\Windows\System64\rutserv.exe
| MD5 | 8f6e38cc55206473121c8bf63fcbcf2d |
| SHA1 | 35504ce4bc1cea9e737a3be108cd428ab2251e1d |
| SHA256 | fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57 |
| SHA512 | 083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9 |
memory/1068-82-0x00000000003D0000-0x00000000003D1000-memory.dmp
C:\Windows\System64\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
C:\Windows\System64\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |
C:\Windows\System64\rfusclient.exe
| MD5 | 36a83be43ba5be7c718d59afd372f909 |
| SHA1 | a57510a3bb6a8ca6a8842d12230e090e304ce2f9 |
| SHA256 | ef61278f0da1c711b306b4146c74d6a34fa7305bff17c5bf06f0d03d0d3e50fb |
| SHA512 | 58936b68134b56a5a25f7f1ce83fc5e7833ccffdccefb217eb3445fffec6cd3205356ad788a8387bfb8373f59dce0aab14a4fc8ec29efc7d8d744f611565ed61 |
memory/1512-86-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1552-93-0x0000000000230000-0x0000000000231000-memory.dmp
memory/968-94-0x00000000001C0000-0x00000000001C1000-memory.dmp
C:\Windows\service.bat
| MD5 | 9f4f4fe8749989ca547279e2d32b6452 |
| SHA1 | b4be558e8976fc290ed5e381a776fda4ab30b4a3 |
| SHA256 | fc82ca26ccffe60c0fa59c13919151bdc827ca14e6a0281b2b42f71ea5081c74 |
| SHA512 | 12d7ad18b6336ec52db1fe0a241a304a0056c0d530886d068b8edd2e9bbdcc281031ad13c030cc932d9adfee5026281ce3df09987a0fd400fb6a803dda957b43 |
C:\Windows\svchost.exe
| MD5 | 5211b98f95e21ff0b854f6cfbe34b65e |
| SHA1 | 5c3b778459a5535ad57bf8eb11a901ffa75a59e8 |
| SHA256 | 048c89bc823dfcd99d99c11dac87545bdebd14ae0aff351a6135affaa4df11b6 |
| SHA512 | 5c565741d7f0dabf430985e3fb02624bfa35303c84b188d7570685695d2366cd21776a06e18d998b2fc789d82ad60c60012d389e7708634efcf37168ce66e70a |
memory/1616-101-0x00000000001C0000-0x00000000001C1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-05 04:13
Reported
2022-02-05 04:15
Platform
win10v2004-en-20220113
Max time kernel
10s
Max time network
42s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1337\Loader.exe | N/A |
UPX packed file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4072 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe | C:\Users\Admin\AppData\Roaming\1337\Loader.exe |
| PID 4072 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe | C:\Users\Admin\AppData\Roaming\1337\Loader.exe |
| PID 4072 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe | C:\Users\Admin\AppData\Roaming\1337\Loader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe
"C:\Users\Admin\AppData\Local\Temp\a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf.exe"
C:\Users\Admin\AppData\Roaming\1337\Loader.exe
"C:\Users\Admin\AppData\Roaming\1337\Loader.exe"
C:\Users\Admin\AppData\Roaming\1337\Load.exe
"C:\Users\Admin\AppData\Roaming\1337\Load.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsx5F17.tmp\System.dll
| MD5 | 2ae993a2ffec0c137eb51c8832691bcb |
| SHA1 | 98e0b37b7c14890f8a599f35678af5e9435906e1 |
| SHA256 | 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59 |
| SHA512 | 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9 |
C:\Users\Admin\AppData\Roaming\1337\Loader.exe
| MD5 | 9881401f60da04e992a013e4b1b2544d |
| SHA1 | 53f9f30621121117a031f9caa69e4d523cdd929d |
| SHA256 | be61b5bece03e6a80aaf3d0b8b361275297ae9075ae0136d515dcb21ee531914 |
| SHA512 | 0e8024aa5d2e3fc1504d3f8f3f092ce2fbdbe9b7821e6ace671649821035504a139d3964a53d5e04e4e05752a59dafcf8f3c75a283a53b7ed573a352784e0efc |
C:\Users\Admin\AppData\Roaming\1337\Loader.exe
| MD5 | d0e08bceeedd47b5ab8ae4e304e000a7 |
| SHA1 | 9d46d1a6ccc95741f1b5815aaab720810150d613 |
| SHA256 | 06b3df00dc4f41f12567271ceec207c36f8cb3905fddd9f6bade51e5f94bc7bc |
| SHA512 | 66087202622dff99a834dd21b0b0d27a23d9c84fa7b0467156cac9bcf81bb573375e5684733c2bf43590f06ea6ac5da81cc0ed91db0c72338bf4c5e028cd503f |
C:\Users\Admin\AppData\Roaming\1337\Load.exe
| MD5 | 63827ec192d04d9c3010da8f6e681d8b |
| SHA1 | b0d1b6ee8cbf429753a0061e84a29297a65beaab |
| SHA256 | 5e61daa5380c8c4225bdb66bcc4902c6c7c53de88590ad8bdd25a87462fbeeb7 |
| SHA512 | 00d915fdce05bfc5fbb2c9b60b97e84b6c519c969641ab8d018a3d324d18c9d0d18f986a3f2033910acdd84bbe446b9037a7a30b7bb32947d2f617e58ea6a0d2 |
C:\Users\Admin\AppData\Roaming\1337\Load.exe
| MD5 | 64aa6115725caca90151216c49568607 |
| SHA1 | 720fd1e4f3e467608326fa1b43cf89fe11778883 |
| SHA256 | 8d4fc4fc3d02752280a491f7ca03c18a8778ae013843967bc56df82826b84b33 |
| SHA512 | 2ed16a539107cd05315c8f7d73b0bbaa01356b7c30c3e2e3f8b58baa62902acf6878a68494d39e4951d443dc8e5cccb01b39d4def32346cf5021e6a4b3b74413 |