Overview

overview

10

Static

static

1557efb233...c7.exe

windows7_x64

10

1557efb233...c7.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06-03-2022 22:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1557efb23313df99eac4a653a3337f07e7f88ba91273510c1a790fa334e03cc7.exe

  • Size

    8.1MB

  • MD5

    b1ba94ac9a71583453f1278327233414

  • SHA1

    f0bf96a6e4356d0b99769f6d59d9fdc0d7f442fc

  • SHA256

    1557efb23313df99eac4a653a3337f07e7f88ba91273510c1a790fa334e03cc7

  • SHA512

    3943bb6bc415adb72539171620cd0ef8cd8912cfc1951786b16c038af5b11729ea7444be0f93d86475e2b57428f2167c84b16b228644f82ff2582614bc361f4f

Score
10/10
rmsaspackv2evasionpersistencerattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 16 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 10 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 19 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 28 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1557efb23313df99eac4a653a3337f07e7f88ba91273510c1a790fa334e03cc7.exe
    "C:\Users\Admin\AppData\Local\Temp\1557efb23313df99eac4a653a3337f07e7f88ba91273510c1a790fa334e03cc7.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Users\Admin\AppData\Local\Temp\windows32.exe
          "C:\Users\Admin\AppData\Local\Temp\windows32.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Program Files\System\install.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1560
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Program Files\System\install.bat" "
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1924
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Program Files\System" +H +S /S /D
                7⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:552
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Program Files\System\*.*" +H +S /S /D
                7⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:888
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im rutserv.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1212
              • C:\Windows\SysWOW64\taskkill.exe
                Taskkill /f /im rutserv.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1328
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im rfusclient.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1472
              • C:\Windows\SysWOW64\taskkill.exe
                Taskkill /f /im rfusclient.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:540
              • C:\Windows\SysWOW64\reg.exe
                reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
                7⤵
                  PID:1164
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s "regedit.reg"
                  7⤵
                  • Runs .reg file with regedit
                  PID:816
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  7⤵
                  • Delays execution with timeout.exe
                  PID:1416
                • C:\Program Files\System\rutserv.exe
                  rutserv.exe /silentinstall
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:1404
                • C:\Program Files\System\rutserv.exe
                  rutserv.exe /firewall
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:1904
                • C:\Program Files\System\rutserv.exe
                  rutserv.exe /start
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:1448
                • C:\Windows\SysWOW64\sc.exe
                  sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
                  7⤵
                    PID:1164
                  • C:\Windows\SysWOW64\sc.exe
                    sc config RManService obj= LocalSystem type= interact type= own
                    7⤵
                      PID:596
                    • C:\Windows\SysWOW64\sc.exe
                      sc config RManService DisplayName= "Windows_Defender v6.3"
                      7⤵
                        PID:972
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout 120
                        7⤵
                        • Delays execution with timeout.exe
                        PID:1820
          • C:\Windows\SysWOW64\DllHost.exe
            C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
            1⤵
            • Suspicious use of FindShellTrayWindow
            PID:2028
          • C:\Program Files\System\rutserv.exe
            "C:\Program Files\System\rutserv.exe"
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:552
            • C:\Program Files\System\rfusclient.exe
              "C:\Program Files\System\rfusclient.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1328
              • C:\Program Files\System\rfusclient.exe
                "C:\Program Files\System\rfusclient.exe" /tray
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: SetClipboardViewer
                PID:736
            • C:\Program Files\System\rfusclient.exe
              "C:\Program Files\System\rfusclient.exe" /tray
              2⤵
              • Executes dropped EXE
              PID:540

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/552-136-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/552-140-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/552-138-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/552-137-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/552-139-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/736-169-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/736-168-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/736-167-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/736-166-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/736-165-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/736-164-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1096-88-0x0000000003060000-0x0000000003062000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1096-83-0x0000000002F20000-0x0000000003B6A000-memory.dmp

            Filesize

            12.3MB

            Download

          • memory/1328-147-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1328-146-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1328-145-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1328-151-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1328-152-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1404-111-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1404-114-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1404-110-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1404-113-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1404-109-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1404-112-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1448-129-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1448-133-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1448-131-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1448-130-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1448-132-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1448-144-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1724-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1904-123-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1904-124-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1904-119-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1904-122-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1904-121-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1904-120-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1924-170-0x0000000002410000-0x0000000002AC9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/2028-89-0x00000000000B0000-0x00000000000B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2028-90-0x00000000001E0000-0x00000000001E1000-memory.dmp

            Filesize

            4KB

            Download