Analysis
- max time kernel: 152s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 13-02-2022 11:57
Static task: static1

Behavioral task: behavioral1
  Sample: 9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882.exe
  Resource: win10v2004-en-20220112
General
- Target: 9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882.exe
- Size: 10.2MB
- MD5: e935690d76617f96a7d1f3cf8ea829fd
- SHA1: 11c701c219393d30351a7c3aadbbde3aeefb7d35
- SHA256: 9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882
- SHA512: c606f2aed982bef5a200273a8b299bd996e0a4535b91cb4bb529080920ce78c7ed138e870bfdf1a57ed8cbbc05d5cdbe668ad1c3f98c42626303ae35671eb5d8
Malware Config

Signatures
Executes dropped EXE (7 IoCs)
  pid   Process
  1372  RManServer.exe
  1552  RManServer.exe
  1056  Monitor.exe
  1680  RManServer.exe
  860   RManServer.exe
  1348  RManFUSClient.exe
  1696  RManFUSClient.exe
Loads dropped DLL (7 IoCs)
  pid   Process
  544   cmd.exe
  544   cmd.exe
  544   cmd.exe
  544   cmd.exe
  544   cmd.exe
  860   RManServer.exe
  860   RManServer.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                       Process
  Key created      \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run              regedit.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Monitor = "C:\\Windows\\System32\\Monitor.exe -autorun"  regedit.exe
Drops file in System32 directory (29 IoCs)
  description                   ioc                                              Process
  File created                  C:\Windows\SysWOW64\dsfOggMux.dll                cmd.exe
  File created                  C:\Windows\SysWOW64\HookDrv.dll                  cmd.exe
  File opened for modification  C:\Windows\SysWOW64\Monitor.exe                  cmd.exe
  File created                  C:\Windows\SysWOW64\Logs\rom_log_2022.html       RManServer.exe
  File opened for modification  C:\Windows\SysWOW64\RManServer.exe               cmd.exe
  File created                  C:\Windows\SysWOW64\RManWLN.dll                  RManServer.exe
  File created                  C:\Windows\SysWOW64\dsfTheoraEncoder.dll         cmd.exe
  File created                  C:\Windows\SysWOW64\Monitor.exe                  cmd.exe
  File opened for modification  C:\Windows\SysWOW64\msvcp80.dll                  cmd.exe
  File created                  C:\Windows\SysWOW64\msvcr80.dll                  cmd.exe
  File created                  C:\Windows\SysWOW64\PushSource.ax                cmd.exe
  File opened for modification  C:\Windows\SysWOW64\RManIpcServer.dll            cmd.exe
  File opened for modification  C:\Windows\SysWOW64\dsfVorbisEncoder.dll         cmd.exe
  File opened for modification  C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest  cmd.exe
  File created                  C:\Windows\SysWOW64\msvcp80.dll                  cmd.exe
  File opened for modification  C:\Windows\SysWOW64\PushSource.ax                cmd.exe
  File opened for modification  C:\Windows\SysWOW64\RManFUSClient.exe            cmd.exe
  File created                  C:\Windows\SysWOW64\RManIpcServer.dll            cmd.exe
  File created                  C:\Windows\SysWOW64\RManServer.exe               cmd.exe
  File opened for modification  C:\Windows\SysWOW64\dsfOggMux.dll                cmd.exe
  File created                  C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest  cmd.exe
  File opened for modification  C:\Windows\SysWOW64\RManWLN.dll                  cmd.exe
  File opened for modification  C:\Windows\SysWOW64\HookDrv.dll                  cmd.exe
  File opened for modification  C:\Windows\SysWOW64\dsfTheoraEncoder.dll         cmd.exe
  File created                  C:\Windows\SysWOW64\RManFUSClient.exe            cmd.exe
  File created                  C:\Windows\SysWOW64\RManWLN.dll                  cmd.exe
  File opened for modification  C:\Windows\SysWOW64\RManWLN.dll                  RManServer.exe
  File created                  C:\Windows\SysWOW64\dsfVorbisEncoder.dll         cmd.exe
  File opened for modification  C:\Windows\SysWOW64\msvcr80.dll                  cmd.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs .reg file with regedit (2 IoCs)
  pid   Process
  1192  regedit.exe
  1200  regedit.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  860   RManServer.exe
  860   RManServer.exe
  1348  RManFUSClient.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                     pid   Process
  Token: SeDebugPrivilege         1372  RManServer.exe
  Token: SeDebugPrivilege         1680  RManServer.exe
  Token: SeTakeOwnershipPrivilege 860   RManServer.exe
  Token: SeTcbPrivilege           860   RManServer.exe
Suspicious use of WriteProcessMemory (40 IoCs)
  Each row below is recorded four times in the report (10 distinct rows, 40 IoCs in total).
  description                         pid   Process                                                                   procid_target
  PID 1916 wrote to memory of 544     1916  9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882.exe     27   (x4)
  PID 544 wrote to memory of 784      544   cmd.exe                                                                   29   (x4)
  PID 544 wrote to memory of 1372     544   cmd.exe                                                                   30   (x4)
  PID 544 wrote to memory of 1552     544   cmd.exe                                                                   31   (x4)
  PID 544 wrote to memory of 1192     544   cmd.exe                                                                   32   (x4)
  PID 544 wrote to memory of 1200     544   cmd.exe                                                                   33   (x4)
  PID 544 wrote to memory of 1056     544   cmd.exe                                                                   34   (x4)
  PID 544 wrote to memory of 1680     544   cmd.exe                                                                   35   (x4)
  PID 860 wrote to memory of 1348     860   RManServer.exe                                                            37   (x4)
  PID 860 wrote to memory of 1696     860   RManServer.exe                                                            38   (x4)
Processes

C:\Users\Admin\AppData\Local\Temp\9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1916

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\Remote Manipulator System - Server.bat" "
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 544

    C:\Windows\SysWOW64\reg.exe
      Command line: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      PID: 784

    C:\Windows\SysWOW64\RManServer.exe
      Command line: "C:\Windows\System32\RManServer.exe" /silentinstall
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      PID: 1372

    C:\Windows\SysWOW64\RManServer.exe
      Command line: "C:\Windows\System32\RManServer.exe" /firewall
      - Executes dropped EXE
      PID: 1552

    C:\Windows\SysWOW64\regedit.exe
      Command line: regedit /s "settings.reg"
      - Runs .reg file with regedit
      PID: 1192

    C:\Windows\SysWOW64\regedit.exe
      Command line: regedit /s "Autorun.reg"
      - Adds Run key to start application
      - Runs .reg file with regedit
      PID: 1200

    C:\Windows\SysWOW64\Monitor.exe
      Command line: "C:\Windows\System32\Monitor.exe" /start
      - Executes dropped EXE
      PID: 1056

    C:\Windows\SysWOW64\RManServer.exe
      Command line: "C:\Windows\System32\RManServer.exe" /start
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1680

C:\Windows\SysWOW64\RManServer.exe
  Command line: C:\Windows\SysWOW64\RManServer.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 860

  C:\Windows\SysWOW64\RManFUSClient.exe
    Command line: "C:\Windows\SysWOW64\RManFUSClient.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 1348

  C:\Windows\SysWOW64\RManFUSClient.exe
    Command line: C:\Windows\SysWOW64\RManFUSClient.exe /tray
    - Executes dropped EXE
    PID: 1696