Analysis Overview
SHA256
9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882
Threat Level: Known bad
The file 9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882 was found to be: Known bad.
Malicious Activity Summary
RMS
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Runs .reg file with regedit
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-13 11:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-13 11:57
Reported
2022-02-13 12:00
Platform
win7-en-20211208
Max time kernel
152s
Max time network
126s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Monitor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Monitor = "C:\\Windows\\System32\\Monitor.exe -autorun" | C:\Windows\SysWOW64\regedit.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Monitor.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Logs\rom_log_2022.html | C:\Windows\SysWOW64\RManServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\RManServer.exe | N/A |
| File created | C:\Windows\SysWOW64\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Monitor.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\RManServer.exe | N/A |
| File created | C:\Windows\SysWOW64\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882.exe
"C:\Users\Admin\AppData\Local\Temp\9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\Remote Manipulator System - Server.bat" "
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\RManServer.exe
"C:\Windows\System32\RManServer.exe" /silentinstall
C:\Windows\SysWOW64\RManServer.exe
"C:\Windows\System32\RManServer.exe" /firewall
C:\Windows\SysWOW64\regedit.exe
regedit /s "settings.reg"
C:\Windows\SysWOW64\regedit.exe
regedit /s "Autorun.reg"
C:\Windows\SysWOW64\Monitor.exe
"C:\Windows\System32\Monitor.exe" /start
C:\Windows\SysWOW64\RManServer.exe
"C:\Windows\System32\RManServer.exe" /start
C:\Windows\SysWOW64\RManServer.exe
C:\Windows\SysWOW64\RManServer.exe
C:\Windows\SysWOW64\RManFUSClient.exe
"C:\Windows\SysWOW64\RManFUSClient.exe"
C:\Windows\SysWOW64\RManFUSClient.exe
C:\Windows\SysWOW64\RManFUSClient.exe /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | req.webservis.ru | udp |
| RU | 195.16.42.43:80 | req.webservis.ru | tcp |
Files
memory/1916-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\Remote Manipulator System - Server.bat
| MD5 | b8ca6a242f139d9fc202031e001b2c38 |
| SHA1 | 9f944dc9596d64ac4cf1cda3095ee49bf46a40e1 |
| SHA256 | 37e4a95c6e490627c070d3363f263d391740c8e5ac819c834588ac800e79d817 |
| SHA512 | 0ac5b24778a58679af6210992a78c1d37e8f307a61a283809d356705dd3018ea6c9d65b78d266246ccedccab3e218eec0817e9561e82ef70384cae843a209699 |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\dsfOggMux.dll
| MD5 | 65889701199e41ae2abee652a232af6e |
| SHA1 | 3f76c39fde130b550013a4f13bfea2862b5628cf |
| SHA256 | ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e |
| SHA512 | edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5 |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\dsfTheoraEncoder.dll
| MD5 | 5f2fc8a0d96a1e796a4daae9465f5dd6 |
| SHA1 | 224f13f3cbaa441c0cb6d6300715fda7136408ea |
| SHA256 | f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f |
| SHA512 | da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\dsfVorbisEncoder.dll
| MD5 | 086a9fd9179aad7911561eeff08cf7e2 |
| SHA1 | d390c28376e08769a06a4a8b46609b3a668f728b |
| SHA256 | 2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282 |
| SHA512 | a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193 |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\HookDrv.dll
| MD5 | 895d68b21984db50bfbffc88d289f5da |
| SHA1 | 2cc6625e1fcdeac9dceb6a0f381f52ba574365a8 |
| SHA256 | d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d |
| SHA512 | 7d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\Monitor.exe
| MD5 | 34091d46829a8474956451e03ac8bec0 |
| SHA1 | e625b1e5154f9946e5434879253fada3b4a55530 |
| SHA256 | df9d397b2b3201072a4fff263b094852c4fd41ab174a2ad7ae8e4f98cf273d6c |
| SHA512 | 4cbe1ca0b0895a67a520a5478204dd849c0544b0d8cda28014b36262a2ec28e8c2daca1688edb8465e7bd49ace274d6c0711d64f557310c2b7cd9710372b2b79 |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\Microsoft.VC80.CRT.manifest
| MD5 | d34b3da03c59f38a510eaa8ccc151ec7 |
| SHA1 | 41b978588a9902f5e14b2b693973cb210ed900b2 |
| SHA256 | a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc |
| SHA512 | 231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7 |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\msvcp80.dll
| MD5 | 8c53ccd787c381cd535d8dcca12584d8 |
| SHA1 | bc7ce60270a58450596aa3e3e5d0a99f731333d9 |
| SHA256 | 384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528 |
| SHA512 | e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755 |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\msvcr80.dll
| MD5 | 1169436ee42f860c7db37a4692b38f0e |
| SHA1 | 4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3 |
| SHA256 | 9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46 |
| SHA512 | e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0 |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\PushSource.ax
| MD5 | fb755251b8b9ac0f35494854f21ccdbf |
| SHA1 | 32de2cbfaf4a6d773f3b94af8e2a6cf66a01eabb |
| SHA256 | ecbc5b49263df7950fd7329dfd44d5ad4da77845ffd1981afe3bd6798e1cd9f5 |
| SHA512 | a78d76ebefaa276f811b16b22caf84045982b305c13efb824db8b16b668fe07421486711567bfe83ecd4509a7b2896a0decaff624209c159f5a9e8b3e1dce215 |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\RManFUSClient.exe
| MD5 | 0af0dfc7b2d726e2c698909d678f267c |
| SHA1 | 36b9a69a73e3e28b1b1088403bf8bb3b6fe33d6f |
| SHA256 | 046ec1a641abea178947313eadbb9ea4164ef59eed78437234ab6805194cd92c |
| SHA512 | 739116edc753e765b730203d4f609c11e541ad964fb83bd0d63f69f962f8827c9e2d17b53b99c3709441beaf94a69d3f24ffbda1cc72856ecda62ceeac8bbf14 |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\RManIpcServer.dll
| MD5 | 7d94872e3bbf6b60aec6bfe03f2423d7 |
| SHA1 | 67dd0a451e5a5247d077ffe347f404a0334b2d10 |
| SHA256 | a39ffbec4e0df7ad55467e2954d7cbb47b8116c46e348d419daed65bf55744e7 |
| SHA512 | 25835b2d7ed18e85ab2939e00c1de66dd7a79dd95c08b692f97f6eb9217cc43a665eeaae5e7d216581ef5fa418353b24fc9f7d9b9ff022a6057b9801968a827b |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\RManServer.exe
| MD5 | 275ceaf3c7e10e65bf581d5476e78dba |
| SHA1 | 2f1964303f7ff832758b488612b3f91e88e9affb |
| SHA256 | e1c1dd13ecd145a14e5119cdb05b5e2aec12afa77e47f65d864579493af97318 |
| SHA512 | a9a2d96320d9e288f7293e9ca675fd8979f474dc85a7a8e504b9e80b0e6e93445912be0a2e98f653324682708a9f2f913d0b474f86f739ee71b17a1e47a8ea83 |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\RManWLN.dll
| MD5 | 4ed36e9479243d9426b196f306d21d04 |
| SHA1 | e102a9b2a8101b1105f6e3996df3ce6af17f31f4 |
| SHA256 | f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d |
| SHA512 | 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af |
\Windows\SysWOW64\RManServer.exe
| MD5 | 275ceaf3c7e10e65bf581d5476e78dba |
| SHA1 | 2f1964303f7ff832758b488612b3f91e88e9affb |
| SHA256 | e1c1dd13ecd145a14e5119cdb05b5e2aec12afa77e47f65d864579493af97318 |
| SHA512 | a9a2d96320d9e288f7293e9ca675fd8979f474dc85a7a8e504b9e80b0e6e93445912be0a2e98f653324682708a9f2f913d0b474f86f739ee71b17a1e47a8ea83 |
memory/1372-72-0x00000000001C0000-0x00000000001C1000-memory.dmp
C:\Windows\SysWOW64\RManWLN.dll
| MD5 | 4ed36e9479243d9426b196f306d21d04 |
| SHA1 | e102a9b2a8101b1105f6e3996df3ce6af17f31f4 |
| SHA256 | f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d |
| SHA512 | 46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af |
memory/1552-77-0x00000000001C0000-0x00000000001C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\settings.reg
| MD5 | 4b3e03d85e20ed8800047413f3546caa |
| SHA1 | 2cccd97b59c9f63019d8db1a229ab6ebe25dba78 |
| SHA256 | f0535a9f2f48b59c3745350608551164f3ad0d3d82a7a4cd89facae2d98c1c4c |
| SHA512 | 3bf439390338642fa9420f57ea0d6f66ff9d20285c2fbbef7d817c1073f7e34a451c9308833a821dcf72d4a392dad335f07dbd385665448c4800718779549fbc |
C:\Users\Admin\AppData\Local\Temp\DBDE.tmp\Autorun.reg
| MD5 | 838adedefbfc54ea749dbb3cbf889e04 |
| SHA1 | 3ab9a263996437a5c9b9a62fa7562c34ee9d730b |
| SHA256 | 996b4bed9fefd6a4310292f294d54879dbf9e523f143f94837503710ba7fb542 |
| SHA512 | 71b5ed6a702628b6b70aca5c7932882922c5630c2a8aa58a1a7896517281efb8b39a997f3bbb6b8e7c2d9bd9a3826538568c07ab1ed2d6ccbde5e00c3db2790a |
\Windows\SysWOW64\Monitor.exe
| MD5 | 34091d46829a8474956451e03ac8bec0 |
| SHA1 | e625b1e5154f9946e5434879253fada3b4a55530 |
| SHA256 | df9d397b2b3201072a4fff263b094852c4fd41ab174a2ad7ae8e4f98cf273d6c |
| SHA512 | 4cbe1ca0b0895a67a520a5478204dd849c0544b0d8cda28014b36262a2ec28e8c2daca1688edb8465e7bd49ace274d6c0711d64f557310c2b7cd9710372b2b79 |
memory/1056-85-0x00000000001B0000-0x00000000001B1000-memory.dmp
C:\Windows\SysWOW64\RManFUSClient.exe
| MD5 | 0af0dfc7b2d726e2c698909d678f267c |
| SHA1 | 36b9a69a73e3e28b1b1088403bf8bb3b6fe33d6f |
| SHA256 | 046ec1a641abea178947313eadbb9ea4164ef59eed78437234ab6805194cd92c |
| SHA512 | 739116edc753e765b730203d4f609c11e541ad964fb83bd0d63f69f962f8827c9e2d17b53b99c3709441beaf94a69d3f24ffbda1cc72856ecda62ceeac8bbf14 |
memory/860-93-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/1680-92-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1348-101-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1696-100-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-13 11:57
Reported
2022-02-13 12:00
Platform
win10v2004-en-20220112
Max time kernel
164s
Max time network
167s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Monitor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monitor = "C:\\Windows\\System32\\Monitor.exe -autorun" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\regedit.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManServer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\RManServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Logs\rom_log_2022.html | C:\Windows\SysWOW64\RManServer.exe | N/A |
| File created | C:\Windows\SysWOW64\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RManFUSClient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Monitor.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManWLN.dll | C:\Windows\SysWOW64\RManServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\RManIpcServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Monitor.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4292" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "8.333340" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3972" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132894035028049370" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.540523" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.081833" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4092" | C:\Windows\System32\svchost.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManServer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RManFUSClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882.exe
"C:\Users\Admin\AppData\Local\Temp\9992114ca431bbcc576a1eebaaa878554ee85c4669e63e92adea8cc925fc9882.exe"
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AD01.tmp\Remote Manipulator System - Server.bat" "
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\RManServer.exe
"C:\Windows\System32\RManServer.exe" /silentinstall
C:\Windows\SysWOW64\RManServer.exe
"C:\Windows\System32\RManServer.exe" /firewall
C:\Windows\SysWOW64\regedit.exe
regedit /s "settings.reg"
C:\Windows\SysWOW64\regedit.exe
regedit /s "Autorun.reg"
C:\Windows\SysWOW64\Monitor.exe
"C:\Windows\System32\Monitor.exe" /start
C:\Windows\SysWOW64\RManServer.exe
"C:\Windows\System32\RManServer.exe" /start
C:\Windows\SysWOW64\RManServer.exe
C:\Windows\SysWOW64\RManServer.exe
C:\Windows\SysWOW64\RManFUSClient.exe
"C:\Windows\SysWOW64\RManFUSClient.exe"
C:\Windows\SysWOW64\RManFUSClient.exe
C:\Windows\SysWOW64\RManFUSClient.exe /tray
Network
| Country | Destination | Domain | Proto |
| NL | 92.123.77.43:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| IE | 51.104.167.255:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | req.webservis.ru | udp |
| RU | 195.16.42.43:80 | req.webservis.ru | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\Remote Manipulator System - Server.bat
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\dsfOggMux.dll
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\dsfVorbisEncoder.dll
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\Microsoft.VC80.CRT.manifest
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\Monitor.exe
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\msvcp80.dll
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\HookDrv.dll
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\dsfTheoraEncoder.dll
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\msvcr80.dll
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\PushSource.ax
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\RManFUSClient.exe
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\RManIpcServer.dll
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\RManServer.exe
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\RManWLN.dll
C:\Windows\SysWOW64\RManServer.exe
memory/1940-146-0x0000000000990000-0x0000000000991000-memory.dmp
C:\Windows\SysWOW64\RManWLN.dll
memory/2988-149-0x00000000023F0000-0x00000000023F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\settings.reg
C:\Users\Admin\AppData\Local\Temp\AD01.tmp\Autorun.reg
C:\Windows\SysWOW64\Monitor.exe
C:\Windows\SysWOW64\RManFUSClient.exe
memory/1416-158-0x0000000002540000-0x0000000002541000-memory.dmp
memory/2232-159-0x0000000000810000-0x0000000000811000-memory.dmp
memory/1864-160-0x00000000026F0000-0x00000000026F1000-memory.dmp
memory/2888-162-0x00000000008F0000-0x00000000008F1000-memory.dmp