Analysis
max time kernel: 164s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 13-02-2022 13:43

Static task: static1
Behavioral task: behavioral1
Sample: 5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe
Resource: win7-en-20211208
General
Target: 5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe
Size: 7.0MB
MD5: ee9eade49cd501f616896b006ccfefa0
SHA1: c0860e4a611694d9714eccf75146741090160603
SHA256: 5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e
SHA512: 82a639998dbca10ced823f932c313f860aa88725555ce799a474d48a8bd712742639782ed4ab89384a00639dae3632e15a41766dabf7a0f8990dea97eb3fee46
Malware Config
Signatures

Executes dropped EXE 13 IoCs
pid | Process
2280 | rutserv.exe
2540 | ROMServer.exe
2852 | ROMServer.exe
3656 | rutserv.exe
2772 | ROMServer.exe
1520 | rutserv.exe
3188 | ROMServer.exe
2268 | rutserv.exe
3212 | ROMFUSClient.exe
3300 | rfusclient.exe
3224 | rfusclient.exe
3852 | ROMFUSClient.exe
2224 | rfusclient.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | WScript.exe

Drops file in Program Files directory 32 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Catroot\rfusclient.exe | attrib.exe
File created | C:\Program Files\Catroot\rfusclient.exe | cmd.exe
File created | C:\Program Files\Catroot\rutserv.exe | cmd.exe
File opened for modification | C:\Program Files\Catroot\vp8decoder.dll | cmd.exe
File created | C:\Program Files\Server\ROMServer.map | cmd.exe
File created | C:\Program Files\Server\Russian.lg | cmd.exe
File opened for modification | C:\Program Files\Server\ROMServer.map | attrib.exe
File opened for modification | C:\Program Files\Server\ROMServer.exe | attrib.exe
File opened for modification | C:\Program Files\Catroot\rutserv.exe | attrib.exe
File created | C:\Program Files\Server\ROMServer.exe | cmd.exe
File opened for modification | C:\Program Files\Catroot\rutserv.exe | cmd.exe
File created | C:\Program Files\Server\AledensoftIpcServer.dll | cmd.exe
File opened for modification | C:\Program Files\Server\Russian.lg | cmd.exe
File created | C:\Program Files\Server\English.lg | cmd.exe
File opened for modification | C:\Program Files\Server\English.lg | attrib.exe
File opened for modification | C:\Program Files\Catroot\vp8encoder.dll | attrib.exe
File opened for modification | C:\Program Files\Catroot\rfusclient.exe | cmd.exe
File created | C:\Program Files\Catroot\Logs\rms_log_2022-02.html | rutserv.exe
File opened for modification | C:\Program Files\Catroot\Logs\rms_log_2022-02.html | rutserv.exe
File created | C:\Program Files\Catroot\vp8decoder.dll | cmd.exe
File opened for modification | C:\Program Files\Server\ROMServer.map | cmd.exe
File created | C:\Program Files\Catroot\vp8encoder.dll | cmd.exe
File opened for modification | C:\Program Files\Catroot\vp8encoder.dll | cmd.exe
File opened for modification | C:\Program Files\Server\ROMFUSClient.exe | attrib.exe
File created | C:\Program Files\Server\ROMFUSClient.exe | cmd.exe
File opened for modification | C:\Program Files\Server\English.lg | cmd.exe
File opened for modification | C:\Program Files\Server\AledensoftIpcServer.dll | cmd.exe
File opened for modification | C:\Program Files\Catroot\vp8decoder.dll | attrib.exe
File opened for modification | C:\Program Files\Server\ROMFUSClient.exe | cmd.exe
File opened for modification | C:\Program Files\Server\AledensoftIpcServer.dll | attrib.exe
File opened for modification | C:\Program Files\Server\Russian.lg | attrib.exe
File opened for modification | C:\Program Files\Server\ROMServer.exe | cmd.exe

Drops file in Windows directory 3 IoCs
All three writes come from svchost.exe (-k NetworkService) and TiWorker.exe, the Windows Delivery Optimization and servicing components; both run as independent top-level processes in the tree below, not as descendants of the sample.
description | ioc | Process
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "Likely ransomware behaviour"; nothing else in this report supports that reading for this sample. The recorded file activity is confined to the dropped remote-access components under C:\Program Files, and the dropped binaries are the Remote Manipulator System (rutserv.exe, rfusclient.exe) and LiteManager (ROMServer.exe, ROMFUSClient.exe) packages, so treat this signature as a weak signal here.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. Both hits here come from MusNotifyIcon.exe, a Windows Update notification component that runs as its own top-level process in the tree below and is not a descendant of the sample, so this is background activity rather than sandbox evasion by the sample.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe

Delays execution with timeout.exe 6 IoCs
pid | Process
3440 | timeout.exe
1604 | timeout.exe
3392 | timeout.exe
3468 | timeout.exe
648 | timeout.exe
3504 | timeout.exe

Kills process with taskkill 4 IoCs
pid | Process
2224 | taskkill.exe
3500 | taskkill.exe
1808 | taskkill.exe
3552 | taskkill.exe

Modifies data under HKEY_USERS 51 IoCs
All 51 entries are written by svchost.exe (PID 3388, the NetworkService host; S-1-5-20 is the NETWORK SERVICE SID) under one key, \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization. This is Windows Delivery Optimization bookkeeping, not activity of the sample. The entries below are given relative to that key, in the order the sandbox listed them.
description | ioc (relative to ...\DeliveryOptimization) | Process
Set value (int) | Usage\UploadCount = "0" | svchost.exe
Key created | (the DeliveryOptimization key itself) | svchost.exe
Key created | Config | svchost.exe
Set value (int) | Usage\UploadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
Set value (int) | Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
Set value (int) | Usage\UploadRatePct = "100" | svchost.exe
Set value (int) | Usage\NormalDownloadPendingCount = "0" | svchost.exe
Set value (str) | Usage\CPUpct = "6.521362" | svchost.exe
Set value (int) | Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
Set value (int) | Usage\SwarmCount = "1" | svchost.exe
Set value (int) | Usage\DownlinkUsageBps = "0" | svchost.exe
Set value (int) | Usage\MonthlyUploadRestriction = "0" | svchost.exe
Set value (int) | Usage\PriorityDownloadPendingCount = "0" | svchost.exe
Set value (str) | Usage\CPUpct = "8.334818" | svchost.exe
Set value (int) | Usage\MemoryUsageKB = "4288" | svchost.exe
Set value (str) | Usage\CPUpct = "0.000000" | svchost.exe
Key created | Settings | svchost.exe
Set value (int) | Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
Set value (int) | Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
Set value (int) | Usage\CDNConnectionCount = "0" | svchost.exe
Set value (int) | Usage\UplinkBps = "0" | svchost.exe
Set value (int) | Usage\MemoryUsageKB = "4064" | svchost.exe
Set value (int) | Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
Set value (int) | Usage\PriorityDownloadCount = "0" | svchost.exe
Set value (str) | Usage\CPUpct = "4.069775" | svchost.exe
Set value (int) | Config\DownloadMode_BackCompat = "1" | svchost.exe
Set value (int) | Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
Set value (int) | Usage\LANConnectionCount = "0" | svchost.exe
Set value (int) | Usage\LinkLocalConnectionCount = "0" | svchost.exe
Set value (int) | Usage\MemoryUsageKB = "3928" | svchost.exe
Set value (int) | Config\DODownloadMode = "1" | svchost.exe
Set value (int) | Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
Set value (int) | Usage\PeerInfoCount = "0" | svchost.exe
Set value (int) | Usage\DownlinkBps = "0" | svchost.exe
Set value (int) | Usage\UplinkUsageBps = "0" | svchost.exe
Key created | Usage | svchost.exe
Set value (int) | Usage\CacheSizeBytes = "0" | svchost.exe
Set value (int) | Usage\BkDownloadRatePct = "45" | svchost.exe
Set value (int) | Usage\NormalDownloadCount = "0" | svchost.exe
Set value (int) | Usage\SwarmCount = "0" | svchost.exe
Set value (int) | Usage\GroupConnectionCount = "0" | svchost.exe
Set value (int) | Usage\InternetConnectionCount = "0" | svchost.exe
Set value (int) | Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
Set value (int) | Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
Set value (int) | Usage\MonthID = "2" | svchost.exe
Set value (int) | Config\KVFileExpirationTime = "132894098780556298" | svchost.exe
Set value (str) | Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
Set value (str) | Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
Set value (int) | Usage\FrDownloadRatePct = "90" | svchost.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | 5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe

Runs .reg file with regedit 2 IoCs
pid | Process
3224 | regedit.exe
2680 | regedit.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process | occurrences in the raw table
2280 | rutserv.exe | 6
3656 | rutserv.exe | 2
1520 | rutserv.exe | 2
3188 | ROMServer.exe | 4
2268 | rutserv.exe | 6
3212 | ROMFUSClient.exe | 2
3224 | rfusclient.exe | 2

Suspicious behavior: SetClipboardViewer 1 IoCs
pid | Process
2224 | rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (in the order first seen; the raw table lists every token adjustment separately)
Token: SeDebugPrivilege | 2224 | taskkill.exe
Token: SeDebugPrivilege | 3500 | taskkill.exe
Token: SeDebugPrivilege | 1808 | taskkill.exe
Token: SeDebugPrivilege | 3552 | taskkill.exe
Token: SeDebugPrivilege | 2540 | ROMServer.exe
Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege | 3572 | TiWorker.exe (these three tokens are re-enabled over and over and account for the remaining rows of the 64)
Token: SeDebugPrivilege | 2280 | rutserv.exe
Token: SeDebugPrivilege | 2772 | ROMServer.exe
Token: SeDebugPrivilege | 1520 | rutserv.exe
Token: SeTakeOwnershipPrivilege | 2268 | rutserv.exe
Token: SeTcbPrivilege | 2268 | rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2280 | rutserv.exe
3656 | rutserv.exe
1520 | rutserv.exe
2268 | rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs
Each writer/target pair appears three times in the raw table (the final pair, 4016 to 2772, only once because the table stops at 64 rows); every pair is shown once here, in first-seen order.
description | pid | Process | procid_target
PID 2728 wrote to memory of 2752 | 2728 | 5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe | 60
PID 2752 wrote to memory of 4016 | 2752 | WScript.exe | 64
PID 2752 wrote to memory of 1180 | 2752 | WScript.exe | 65
PID 1180 wrote to memory of 3500 | 1180 | cmd.exe | 69
PID 4016 wrote to memory of 2224 | 4016 | cmd.exe | 68
PID 4016 wrote to memory of 1808 | 4016 | cmd.exe | 71
PID 1180 wrote to memory of 3552 | 1180 | cmd.exe | 72
PID 1180 wrote to memory of 636 | 1180 | cmd.exe | 73
PID 4016 wrote to memory of 1772 | 4016 | cmd.exe | 74
PID 4016 wrote to memory of 2680 | 4016 | cmd.exe | 76
PID 1180 wrote to memory of 3224 | 1180 | cmd.exe | 75
PID 1180 wrote to memory of 1604 | 1180 | cmd.exe | 78
PID 4016 wrote to memory of 3440 | 4016 | cmd.exe | 77
PID 4016 wrote to memory of 3392 | 4016 | cmd.exe | 80
PID 1180 wrote to memory of 3468 | 1180 | cmd.exe | 81
PID 4016 wrote to memory of 4004 | 4016 | cmd.exe | 84
PID 1180 wrote to memory of 3992 | 1180 | cmd.exe | 85
PID 1180 wrote to memory of 2280 | 1180 | cmd.exe | 86
PID 4016 wrote to memory of 2540 | 4016 | cmd.exe | 88
PID 4016 wrote to memory of 2852 | 4016 | cmd.exe | 89
PID 1180 wrote to memory of 3656 | 1180 | cmd.exe | 91
PID 4016 wrote to memory of 2772 | 4016 | cmd.exe | 92

Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
4004 | attrib.exe
3992 | attrib.exe

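The WriteProcessMemory table above is the raw material from which the process tree in the Processes section is derived: every "wrote to memory of" row records a parent preparing a child it is spawning. The following Python script is an added example, not part of the sandbox report or of the sandbox's own tooling. It parses rows in the flattened format shown above, collapses the repeated writer/target pairs, and prints the parent/child chain. The rows embedded in it are copied from the table above, with two repeats left in deliberately so the de-duplication is exercised; the trailing number on each row is the table's procid_target column and is carried through unused.

```python
import re

# Rows copied from the "Suspicious use of WriteProcessMemory" table above, in the
# sandbox's flattened format:
#   "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
# Two rows are repeated on purpose (the raw table repeats most pairs three times).
RAW_ROWS = """
PID 2728 wrote to memory of 2752 2728 5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe 60
PID 2728 wrote to memory of 2752 2728 5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe 60
PID 2752 wrote to memory of 4016 2752 WScript.exe 64
PID 2752 wrote to memory of 1180 2752 WScript.exe 65
PID 1180 wrote to memory of 3500 1180 cmd.exe 69
PID 4016 wrote to memory of 2224 4016 cmd.exe 68
PID 4016 wrote to memory of 1808 4016 cmd.exe 71
PID 1180 wrote to memory of 3552 1180 cmd.exe 72
PID 1180 wrote to memory of 636 1180 cmd.exe 73
PID 4016 wrote to memory of 1772 4016 cmd.exe 74
PID 4016 wrote to memory of 2680 4016 cmd.exe 76
PID 1180 wrote to memory of 3224 1180 cmd.exe 75
PID 1180 wrote to memory of 1604 1180 cmd.exe 78
PID 4016 wrote to memory of 3440 4016 cmd.exe 77
PID 4016 wrote to memory of 3392 4016 cmd.exe 80
PID 1180 wrote to memory of 3468 1180 cmd.exe 81
PID 4016 wrote to memory of 4004 4016 cmd.exe 84
PID 1180 wrote to memory of 3992 1180 cmd.exe 85
PID 1180 wrote to memory of 2280 1180 cmd.exe 86
PID 4016 wrote to memory of 2540 4016 cmd.exe 88
PID 4016 wrote to memory of 2852 4016 cmd.exe 89
PID 1180 wrote to memory of 3656 1180 cmd.exe 91
PID 4016 wrote to memory of 2772 4016 cmd.exe 92
PID 4016 wrote to memory of 2772 4016 cmd.exe 92
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image) for each well-formed row.
    Rows whose two writer columns disagree are skipped as extraction damage."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        writer, target, writer_again, image, _procid_target = m.groups()
        if writer != writer_again:
            continue
        yield int(writer), int(target), image


def build_tree(text):
    """Return (children, images). children maps a writer PID to its targets in
    first-seen order with repeats collapsed; images maps every writer PID to
    its image name (targets that never write themselves stay unnamed)."""
    children, images = {}, {}
    for writer, target, image in parse_rows(text):
        images.setdefault(writer, image)
        kids = children.setdefault(writer, [])
        if target not in kids:
            kids.append(target)
    return children, images


def roots(children):
    """PIDs that write to others but are never written to: the chain's origin."""
    targets = {t for kids in children.values() for t in kids}
    return [p for p in children if p not in targets]


def render(children, images, pid, depth=0):
    """Indented text tree, one line per process, in the order spawns were seen."""
    lines = ["  " * depth + f"{pid} {images.get(pid, '(leaf; image not in this table)')}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, images, kid, depth + 1))
    return lines


if __name__ == "__main__":
    children, images = build_tree(RAW_ROWS)
    for root in roots(children):
        print("\n".join(render(children, images, root)))
```

The image name of a leaf (a taskkill.exe or rutserv.exe instance that never writes into another process) is not recoverable from this table alone; the Processes section supplies it. The point of the script is the collapse step: 24 raw rows become 22 edges, one root (2728) and two cmd.exe hosts with 10 and 9 children respectively, which is exactly the shape of the two batch-script chains.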
Processes
Indentation and the [n] marker give the parent/child depth (the 1⤵ to 4⤵ markers of the original layout). Each entry lists the image path, the command line as logged, the PID, and the signatures that process triggered.

[1] C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\5f7177a96a170ee2b2aa0f77d22d7a5b5daf0345708c59f62dd2ee62c6fad87e.exe"
    PID 2728 | Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Hex\install.vbs"
      PID 2752 | Checks computer location settings; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Hex\instal.bat" "
        PID 4016 | Drops file in Program Files directory; Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /f /im ROMServer.exe
          PID 2224 | Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /f /im ROMFUSClient.exe
          PID 1808 | Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg delete "HKLM\SYSTEM\LiteManager" /f
          PID 1772
      [4] C:\Windows\SysWOW64\regedit.exe
          cmd: regedit /s "regedit.reg"
          PID 2680 | Runs .reg file with regedit
      [4] C:\Windows\SysWOW64\timeout.exe
          cmd: timeout 1
          PID 3440 | Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\timeout.exe
          cmd: timeout 2
          PID 3392 | Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\attrib.exe
          cmd: attrib +s +h "C:\Program Files\Server\*.*"
          PID 4004 | Drops file in Program Files directory; Views/modifies file attributes
      [4] C:\Program Files\Server\ROMServer.exe
          cmd: ROMServer.exe /silentinstall
          PID 2540 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      [4] C:\Program Files\Server\ROMServer.exe
          cmd: ROMServer.exe /firewall
          PID 2852 | Executes dropped EXE
      [4] C:\Program Files\Server\ROMServer.exe
          cmd: ROMServer.exe /start
          PID 2772 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\timeout.exe
          cmd: timeout 3
          PID 648 | Delays execution with timeout.exe
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Hex\install.bat" "
        PID 1180 | Drops file in Program Files directory; Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /f /im rutserv.exe
          PID 3500 | Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /f /im rfusclient.exe
          PID 3552 | Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
          PID 636
      [4] C:\Windows\SysWOW64\regedit.exe
          cmd: regedit /s "reg.reg"
          PID 3224 | Runs .reg file with regedit
      [4] C:\Windows\SysWOW64\timeout.exe
          cmd: timeout 1
          PID 1604 | Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\timeout.exe
          cmd: timeout 2
          PID 3468 | Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\attrib.exe
          cmd: attrib +s +h "C:\Program Files\Catroot\*.*"
          PID 3992 | Drops file in Program Files directory; Views/modifies file attributes
      [4] C:\Program Files\Catroot\rutserv.exe
          cmd: rutserv.exe /silentinstall
          PID 2280 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      [4] C:\Program Files\Catroot\rutserv.exe
          cmd: rutserv.exe /firewall
          PID 3656 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
      [4] C:\Program Files\Catroot\rutserv.exe
          cmd: rutserv.exe /start
          PID 1520 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\timeout.exe
          cmd: timeout 3
          PID 3504 | Delays execution with timeout.exe

[1] C:\Windows\system32\MusNotifyIcon.exe
    cmd: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    PID 2576 | Checks processor information in registry

[1] C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k NetworkService -p
    PID 3388 | Drops file in Windows directory; Modifies data under HKEY_USERS

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    cmd: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    PID 3572 | Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\Server\ROMServer.exe
    cmd: "C:\Program Files\Server\ROMServer.exe"
    PID 3188 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files\Server\ROMFUSClient.exe
      cmd: "C:\Program Files\Server\ROMFUSClient.exe"
      PID 3212 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files\Server\ROMFUSClient.exe
      cmd: "C:\Program Files\Server\ROMFUSClient.exe" /tray
      PID 3852 | Executes dropped EXE

[1] C:\Program Files\Catroot\rutserv.exe
    cmd: "C:\Program Files\Catroot\rutserv.exe"
    PID 2268 | Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  [2] C:\Program Files\Catroot\rfusclient.exe
      cmd: "C:\Program Files\Catroot\rfusclient.exe"
      PID 3224 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files\Catroot\rfusclient.exe
        cmd: "C:\Program Files\Catroot\rfusclient.exe" /tray
        PID 2224 | Executes dropped EXE; Suspicious behavior: SetClipboardViewer
  [2] C:\Program Files\Catroot\rfusclient.exe
      cmd: "C:\Program Files\Catroot\rfusclient.exe" /tray
      PID 3300 | Executes dropped EXE

Reading the tree: install.vbs launches two batch scripts that follow the same recipe for two different remote-access packages. instal.bat handles LiteManager (ROMServer.exe, ROMFUSClient.exe, dropped into C:\Program Files\Server) and install.bat handles Remote Manipulator System (rutserv.exe, rfusclient.exe, dropped into C:\Program Files\Catroot, a folder name chosen to resemble the Windows catroot directory). Each script kills any running copy, deletes the tool's service key under HKLM\SYSTEM, imports a prepared .reg file silently, hides the dropped files with attrib +s +h, and then runs the tool with /silentinstall, /firewall and /start. The top-level ROMServer.exe (PID 3188) and rutserv.exe (PID 2268) instances that follow have no parent in the chain, which is consistent with the Service Control Manager starting the freshly installed services after the /start step; the SeTcbPrivilege held by rutserv.exe PID 2268 fits a service-context process. PIDs 2224 and 3224 are reused by the operating system within the trace (taskkill.exe and regedit.exe earlier, rfusclient.exe later), so match on PID plus image name, not PID alone, when cross-referencing the signature tables.
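The two batch scripts above share one sequence: kill the running copy of the remote-access tool, delete its service registry key, import a .reg file silently, hide the dropped files with attrib +s +h, then run the tool with /silentinstall, /firewall and /start. The Python below is an added detection example, not part of this report or of any product, that scores process-creation events grouped by parent PID for that sequence. The events it runs on are constructed in a simplified Sysmon Event ID 1 shape from the command lines in the tree above; the entries with PIDs 5000 to 5002 are invented controls, and the indicator names and the RAT_BINARIES and RAT_REG_KEYS lists are the example's own choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Executables of the two remote-access packages the sample drops
# (rutserv/rfusclient: Remote Manipulator System; ROMServer/ROMFUSClient: LiteManager).
RAT_BINARIES = ("rutserv.exe", "rfusclient.exe", "romserver.exe", "romfusclient.exe")
# Service keys the batch scripts delete before re-installing (matched lower-cased).
RAT_REG_KEYS = (r"hklm\system\remote manipulator system", r"hklm\system\litemanager")
KILL_RE = re.compile(r"/im\s+(" + "|".join(re.escape(b) for b in RAT_BINARIES) + r")\b")


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 fields, simplified)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def indicators(ev: ProcEvent) -> set:
    """Tags contributed by a single event; empty for anything uninteresting."""
    img, cmd = basename(ev.image), ev.cmdline.lower()
    tags = set()
    if img == "taskkill.exe" and KILL_RE.search(cmd):
        tags.add("kill_existing_rat")
    if img == "reg.exe" and " delete " in cmd and any(k in cmd for k in RAT_REG_KEYS):
        tags.add("purge_rat_service_key")
    if img == "regedit.exe" and re.search(r"\s/s\b", cmd):
        tags.add("silent_reg_import")
    if img == "attrib.exe" and "+h" in cmd and "+s" in cmd and "program files" in cmd:
        tags.add("hide_dropped_files")
    if img in RAT_BINARIES:
        if "/silentinstall" in cmd:
            tags.add("rat_silent_install")
        if "/firewall" in cmd:
            tags.add("rat_firewall_rule")
        if "/start" in cmd:
            tags.add("rat_service_start")
    return tags


def detect_rat_install_chains(events, min_support: int = 2):
    """Group events by parent PID; alert on a parent whose children perform a silent
    RAT install plus at least `min_support` other steps of the chain.
    Returns [(parent_pid, sorted_tags), ...] ordered by parent PID."""
    by_parent = defaultdict(set)
    for ev in events:
        by_parent[ev.ppid] |= indicators(ev)
    alerts = []
    for ppid in sorted(by_parent):
        tags = by_parent[ppid]
        if "rat_silent_install" in tags and len(tags - {"rat_silent_install"}) >= min_support:
            alerts.append((ppid, sorted(tags)))
    return alerts


# Constructed events modelled on the process tree above (not sandbox output).
EVENTS = [
    # install.bat chain (Remote Manipulator System), parent cmd.exe PID 1180
    ProcEvent(3500, 1180, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im rutserv.exe"),
    ProcEvent(3552, 1180, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im rfusclient.exe"),
    ProcEvent(636, 1180, r"C:\Windows\SysWOW64\reg.exe", r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    ProcEvent(3224, 1180, r"C:\Windows\SysWOW64\regedit.exe", 'regedit /s "reg.reg"'),
    ProcEvent(1604, 1180, r"C:\Windows\SysWOW64\timeout.exe", "timeout 1"),
    ProcEvent(3992, 1180, r"C:\Windows\SysWOW64\attrib.exe", r'attrib +s +h "C:\Program Files\Catroot\*.*"'),
    ProcEvent(2280, 1180, r"C:\Program Files\Catroot\rutserv.exe", "rutserv.exe /silentinstall"),
    ProcEvent(3656, 1180, r"C:\Program Files\Catroot\rutserv.exe", "rutserv.exe /firewall"),
    ProcEvent(1520, 1180, r"C:\Program Files\Catroot\rutserv.exe", "rutserv.exe /start"),
    # instal.bat chain (LiteManager), parent cmd.exe PID 4016, partial on purpose
    ProcEvent(2224, 4016, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im ROMServer.exe"),
    ProcEvent(1772, 4016, r"C:\Windows\SysWOW64\reg.exe", r'reg delete "HKLM\SYSTEM\LiteManager" /f'),
    ProcEvent(2540, 4016, r"C:\Program Files\Server\ROMServer.exe", "ROMServer.exe /silentinstall"),
    # invented controls: a lone silent install without the clean-up steps, and noise
    ProcEvent(5001, 5000, r"C:\Program Files\RMS\rutserv.exe", "rutserv.exe /silentinstall"),
    ProcEvent(5002, 5000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for ppid, tags in detect_rat_install_chains(EVENTS):
        print(f"parent {ppid}: {', '.join(tags)}")
```

Keying on the parent rather than on single events is what separates this from an administrator who runs rutserv.exe /silentinstall once: the control event under parent 5000 carries the same install switch but none of the kill, purge or hide steps, so it does not alert, while the partial LiteManager chain under 4016 still does. In a SIEM the grouping key would be host plus parent PID within a short time window, since PIDs are reused (this very trace reuses 2224 and 3224).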