rms | 8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f

Analysis

max time kernel
169s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
07-02-2022 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe
Size

4.0MB
MD5

c0b25d69677a37dd6e3c3da1648df172
SHA1

898be29187672e6d5b4d5c7096436d1d5ffc932d
SHA256

8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f
SHA512

56f87ffd550bc2e940c70ede56e27f357a31e00638d944d7f54ae7f9946e81c74d1ee80cc93343eab71044085e38224d7f2baa884a7ab36051c491277b5c48e7

Score

10^/10

rms aspackv2 discovery evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00020000000216cc-150.dat	acprotect
behavioral2/files/0x00020000000216cd-151.dat	acprotect

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000300000002158f-134.dat	aspack_v212_v242
behavioral2/files/0x000300000002158f-135.dat	aspack_v212_v242
behavioral2/files/0x000300000002158f-139.dat	aspack_v212_v242
behavioral2/files/0x000300000002158f-144.dat	aspack_v212_v242
behavioral2/files/0x000300000002158f-147.dat	aspack_v212_v242
behavioral2/files/0x000300000002142d-152.dat	aspack_v212_v242
behavioral2/files/0x000300000002142d-153.dat	aspack_v212_v242
behavioral2/files/0x000300000002142d-154.dat	aspack_v212_v242
behavioral2/files/0x000300000002142d-161.dat	aspack_v212_v242

Executes dropped EXE 8 IoCs

pid	Process
3100	javacoder.exe
1828	rutserv.exe
3232	rutserv.exe
2892	rutserv.exe
3288	rutserv.exe
1532	rfusclient.exe
2604	rfusclient.exe
1536	rfusclient.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00020000000216cc-150.dat	upx
behavioral2/files/0x00020000000216cd-151.dat	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	javacoder.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\java\vp8encoder.dll	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe
File opened for modification	C:\Program Files\java\regedit.reg	attrib.exe
File opened for modification	C:\Program Files\java\vp8decoder.dll	attrib.exe
File opened for modification	C:\Program Files\java\vp8encoder.dll	attrib.exe
File opened for modification	C:\Program Files\java\rfusclient.exe	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe
File opened for modification	C:\Program Files\java\rutserv.exe	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe
File opened for modification	C:\Program Files\java\vp8decoder.dll	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Word\Word\Uninstall.exe	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe
File opened for modification	C:\Program Files\java\javacoder.exe	attrib.exe
File opened for modification	C:\Program Files\java\rfusclient.exe	attrib.exe
File opened for modification	C:\Program Files\java\rutserv.exe	attrib.exe
File opened for modification	C:\Program Files\java\javacoder.exe	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe
File opened for modification	C:\Program Files\java\regedit.reg	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe
File created	C:\Program Files (x86)\Microsoft Word\Word\Uninstall.ini	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe
File opened for modification	C:\Program Files\Java	attrib.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2976	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3328	taskkill.exe
3712	taskkill.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132889299803442648"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3920"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.295946"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006676"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4112"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2548	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1828	rutserv.exe
1828	rutserv.exe
1828	rutserv.exe
1828	rutserv.exe
1828	rutserv.exe
1828	rutserv.exe
3232	rutserv.exe
3232	rutserv.exe
2892	rutserv.exe
2892	rutserv.exe
3288	rutserv.exe
3288	rutserv.exe
3288	rutserv.exe
3288	rutserv.exe
3288	rutserv.exe
3288	rutserv.exe
2604	rfusclient.exe
2604	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1536	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	1828	rutserv.exe
Token: SeDebugPrivilege	2892	rutserv.exe
Token: SeTakeOwnershipPrivilege	3288	rutserv.exe
Token: SeTcbPrivilege	3288	rutserv.exe
Token: SeTcbPrivilege	3288	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1828	rutserv.exe
3232	rutserv.exe
2892	rutserv.exe
3288	rutserv.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3100	3944	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe	66
PID 3944 wrote to memory of 3100	3944	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe	66
PID 3944 wrote to memory of 3100	3944	8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe	66
PID 3100 wrote to memory of 3652	3100	javacoder.exe	67
PID 3100 wrote to memory of 3652	3100	javacoder.exe	67
PID 3652 wrote to memory of 3328	3652	cmd.exe	70
PID 3652 wrote to memory of 3328	3652	cmd.exe	70
PID 3652 wrote to memory of 3712	3652	cmd.exe	71
PID 3652 wrote to memory of 3712	3652	cmd.exe	71
PID 3652 wrote to memory of 3136	3652	cmd.exe	72
PID 3652 wrote to memory of 3136	3652	cmd.exe	72
PID 3652 wrote to memory of 2548	3652	cmd.exe	73
PID 3652 wrote to memory of 2548	3652	cmd.exe	73
PID 3652 wrote to memory of 2976	3652	cmd.exe	74
PID 3652 wrote to memory of 2976	3652	cmd.exe	74
PID 3652 wrote to memory of 1828	3652	cmd.exe	75
PID 3652 wrote to memory of 1828	3652	cmd.exe	75
PID 3652 wrote to memory of 1828	3652	cmd.exe	75
PID 3652 wrote to memory of 3232	3652	cmd.exe	76
PID 3652 wrote to memory of 3232	3652	cmd.exe	76
PID 3652 wrote to memory of 3232	3652	cmd.exe	76
PID 3652 wrote to memory of 2892	3652	cmd.exe	77
PID 3652 wrote to memory of 2892	3652	cmd.exe	77
PID 3652 wrote to memory of 2892	3652	cmd.exe	77
PID 3288 wrote to memory of 1532	3288	rutserv.exe	80
PID 3288 wrote to memory of 1532	3288	rutserv.exe	80
PID 3288 wrote to memory of 1532	3288	rutserv.exe	80
PID 3288 wrote to memory of 2604	3288	rutserv.exe	79
PID 3288 wrote to memory of 2604	3288	rutserv.exe	79
PID 3288 wrote to memory of 2604	3288	rutserv.exe	79
PID 3652 wrote to memory of 3708	3652	cmd.exe	81
PID 3652 wrote to memory of 3708	3652	cmd.exe	81
PID 3652 wrote to memory of 1204	3652	cmd.exe	82
PID 3652 wrote to memory of 1204	3652	cmd.exe	82
PID 2604 wrote to memory of 1536	2604	rfusclient.exe	83
PID 2604 wrote to memory of 1536	2604	rfusclient.exe	83
PID 2604 wrote to memory of 1536	2604	rfusclient.exe	83

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3708	attrib.exe
1204	attrib.exe

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1328

C:\Users\Admin\AppData\Local\Temp\8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe
"C:\Users\Admin\AppData\Local\Temp\8f114509f049f792d2e39ace4fc95be51e1a5a3b2995de11093810076db4240f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Program Files\java\javacoder.exe
  "C:\Program Files\java\javacoder.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B416.tmp\B417.bat "C:\Program Files\java\javacoder.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3328
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3712
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:3136
  - - C:\Windows\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:2548
  - - C:\Windows\system32\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:2976
  - - C:\Program Files\java\rutserv.exe
      rutserv.exe /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1828
  - - C:\Program Files\java\rutserv.exe
      rutserv.exe /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3232
  - - C:\Program Files\java\rutserv.exe
      rutserv.exe /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2892
  - - C:\Windows\system32\attrib.exe
      attrib +s +h "C:\Program Files\java"
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:3708
  - - C:\Windows\system32\attrib.exe
      attrib +s +h "C:\Program Files\java\*.*"
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3296

C:\Program Files\java\rutserv.exe
"C:\Program Files\java\rutserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Program Files\java\rfusclient.exe
  "C:\Program Files\java\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Program Files\java\rfusclient.exe
    "C:\Program Files\java\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1536
- C:\Program Files\java\rfusclient.exe
  "C:\Program Files\java\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1532-157-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1532-158-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1532-160-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1536-162-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1536-163-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1536-164-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1828-138-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1828-136-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1828-137-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2604-159-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2604-156-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2892-146-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2892-155-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2892-145-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3232-143-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3232-142-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/3232-141-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3232-140-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3288-149-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3288-148-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download