Analysis Overview
SHA256
e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b
Threat Level: Known bad
The file e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b was found to be: Known bad.
Malicious Activity Summary
RMS
Executes dropped EXE
Checks computer location settings
autoit_exe
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-13 09:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-13 09:14
Reported
2022-02-13 09:17
Platform
win7-en-20211208
Max time kernel
117s
Max time network
129s
Command Line
Signatures
autoit_exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
"C:\Users\Admin\AppData\Local\Temp\e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /TN "XPS Rasterization Service Component" /TR "C:\PROGRA~2\XPSRAS~1\xservice.exe" /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN "XPS Rasterization Service Component" /TR "C:\PROGRA~2\XPSRAS~1\xservice.exe" /RL HIGHEST
Network
Files
memory/828-54-0x0000000076071000-0x0000000076073000-memory.dmp
memory/828-55-0x0000000000C90000-0x0000000001256000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-13 09:14
Reported
2022-02-13 09:17
Platform
win10v2004-en-20220113
Max time kernel
151s
Max time network
154s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~2\XPSRAS~1\xservice.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe | N/A |
autoit_exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~2\XPSRAS~1\xservice.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~2\XPSRAS~1\xservice.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
"C:\Users\Admin\AppData\Local\Temp\e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /TN "XPS Rasterization Service Component" /TR "C:\PROGRA~2\XPSRAS~1\xservice.exe" /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN "XPS Rasterization Service Component" /TR "C:\PROGRA~2\XPSRAS~1\xservice.exe" /RL HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\PROGRA~2\XPSRAS~1\xservice.exe
"C:\PROGRA~2\XPSRAS~1\xservice.exe"
C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe
"C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe" -second
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| US | 8.247.211.126:80 | | tcp |
Files
memory/744-130-0x000001E09DB60000-0x000001E09DB70000-memory.dmp
memory/744-131-0x000001E09E120000-0x000001E09E130000-memory.dmp
memory/744-132-0x000001E0A0790000-0x000001E0A0794000-memory.dmp
C:\Program Files (x86)\XPS Rasterization Service Component\xservice.exe
| MD5 | dd2dec5219145756da3d5f4f3ed5546b |
| SHA1 | 6f0ce33a9027691a72eea2b3db2f6c05e8d8f88c |
| SHA256 | c1d1b72cf43bdc39d86f1d332db19982b00fab3e2f26bd804f9461e219c746b2 |
| SHA512 | 4a8798c07b111fc22f744af2e7ff8d07495fabed294fb0b8c01298577624af850da4f2d9a70272a87be1452052d4d17b3afb9f656eea412e426ac16d54f400fc |
C:\PROGRA~2\XPSRAS~1\xservice.exe
| MD5 | dd2dec5219145756da3d5f4f3ed5546b |
| SHA1 | 6f0ce33a9027691a72eea2b3db2f6c05e8d8f88c |
| SHA256 | c1d1b72cf43bdc39d86f1d332db19982b00fab3e2f26bd804f9461e219c746b2 |
| SHA512 | 4a8798c07b111fc22f744af2e7ff8d07495fabed294fb0b8c01298577624af850da4f2d9a70272a87be1452052d4d17b3afb9f656eea412e426ac16d54f400fc |
C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe
| MD5 | 36d0a93a5078ce916ec9917e1ce1ec1f |
| SHA1 | 42e4ae95a18bc877d86216fe3d5613d641aeacf2 |
| SHA256 | 4767744be35ec3f0496a038af54d078b94aeab8fa066c881158977acc51f8cab |
| SHA512 | c365f8aa3729e1f81b09252aeeee8a53db0581edb3efeebe4a4667d3bc72e41649b9eb70e5a5f732f9f43f73e7a683e78b07069ac30a341fc952a2c6974ec689 |
C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe
| MD5 | 36d0a93a5078ce916ec9917e1ce1ec1f |
| SHA1 | 42e4ae95a18bc877d86216fe3d5613d641aeacf2 |
| SHA256 | 4767744be35ec3f0496a038af54d078b94aeab8fa066c881158977acc51f8cab |
| SHA512 | c365f8aa3729e1f81b09252aeeee8a53db0581edb3efeebe4a4667d3bc72e41649b9eb70e5a5f732f9f43f73e7a683e78b07069ac30a341fc952a2c6974ec689 |
memory/2740-137-0x0000000000030000-0x0000000000034000-memory.dmp
memory/3928-139-0x0000000000870000-0x0000000000E36000-memory.dmp
memory/3928-138-0x00000000001F0000-0x00000000001F2000-memory.dmp
memory/2740-140-0x0000000000400000-0x0000000000B06000-memory.dmp
C:\Program Files (x86)\XPS Rasterization Service Component\vp8decoder.dll
| MD5 | 6b6b6f298f7af492b5091e63efd8ba3f |
| SHA1 | 8e8d2ee555b19583ebc6ff24caa73f7259f1ea09 |
| SHA256 | 25362800ce3851605ade851cf5f64f6bf4a8383a14e59b07612cfc113036d8bc |
| SHA512 | 3c50000a54f3377d7c2036a4efa8d5ec11773caa323e0a9c8b70807a630d23c487a74a6d360fd8f576b438d81c5141f50004d8ee238de97d8ec25dff65663c0a |
C:\Program Files (x86)\XPS Rasterization Service Component\vp8encoder.dll
| MD5 | 1e21d626fd92167d10c8f5c1369c7715 |
| SHA1 | da852f8396efebdfd23f22f96b2c38010c31cb5c |
| SHA256 | 60abd3c13650fbf49bad2e546ae0c59ddf5e61043310a62a881ba104f579aba9 |
| SHA512 | 58ff08b2d35e12848872ecd38838fd0b734a8240c521602511ba1a0d03b252cc791bf5b3c1c1aa5d9964f4660d46e4433512e5a4c42d8eb007fbf0b52f917183 |
C:\Program Files (x86)\XPS Rasterization Service Component\settings.dat
| MD5 | e145980b4449db3ca4be1fff14cc54dc |
| SHA1 | 135e538135be4a31a10eb39925e172de8c69a42c |
| SHA256 | 3ecdbe24e754a38ed11c5de74981c768df27e15705a9c7431c02895a85f1e109 |
| SHA512 | 1e27ef4e3e2e2ff8decd52b71a06b3c2a8f56062bc2b67110211df059c7f48a2079fd4ba2aae93f5634d5c32dc673710ebd9919d2937e5348ad57950d1e57537 |
memory/4460-145-0x00000000000A0000-0x0000000000213000-memory.dmp
memory/2740-146-0x0000000002860000-0x0000000002861000-memory.dmp
memory/4460-147-0x0000000001010000-0x0000000001012000-memory.dmp