Overview

overview

10

Static

static

10

c37cff684b...5c.exe

windows7_x64

10

c37cff684b...5c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294202s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    14-03-2022 14:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c37cff684ba63f59498e020cc4159f59292d8c2a63db49b08aab9ed8dec2925c.exe

  • Size

    5.5MB

  • MD5

    2e356b8bcb247bfba23ca1da76886c09

  • SHA1

    383859206d7b8ccd502b93a3b2499ef232d25c40

  • SHA256

    c37cff684ba63f59498e020cc4159f59292d8c2a63db49b08aab9ed8dec2925c

  • SHA512

    ce4316399fd550ce8495dd25e7eb1d1901d9b24d6b5464b7b33f5fd5560d33995c62934050cb8667ac464d1699a3591aa7f928331b791cc8b89c15feb05741b1

Score
10/10
rmsaspackv2rattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Nirsoft 4 IoCs
  • ASPack v2.12-2.42 14 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 9 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 7 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: SetClipboardViewer 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c37cff684ba63f59498e020cc4159f59292d8c2a63db49b08aab9ed8dec2925c.exe
    "C:\Users\Admin\AppData\Local\Temp\c37cff684ba63f59498e020cc4159f59292d8c2a63db49b08aab9ed8dec2925c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\PANTERA.exe
      "C:\Users\Admin\AppData\Local\Temp\PANTERA.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Program Files (x86)\System\install.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:620
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im rutserv.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:272
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im rfusclient.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1504
          • C:\Windows\SysWOW64\reg.exe
            reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
            5⤵
              PID:1464
            • C:\Windows\SysWOW64\regedit.exe
              regedit /s "regedit.reg"
              5⤵
              • Runs .reg file with regedit
              PID:1696
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              5⤵
              • Delays execution with timeout.exe
              PID:1164
            • C:\Program Files (x86)\System\rutserv.exe
              rutserv.exe /silentinstall
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1468
            • C:\Program Files (x86)\System\rutserv.exe
              rutserv.exe /firewall
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1128
            • C:\Program Files (x86)\System\rutserv.exe
              rutserv.exe /start
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:884
            • C:\Windows\SysWOW64\sc.exe
              sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
              5⤵
                PID:1968
              • C:\Windows\SysWOW64\sc.exe
                sc config RManService obj= LocalSystem type= interact type= own
                5⤵
                  PID:1816
                • C:\Windows\SysWOW64\sc.exe
                  sc config RManService DisplayName= "Windows_Defender v6.3"
                  5⤵
                    PID:1164
            • C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
              "C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: GetForegroundWindowSpam
              PID:764
          • C:\Program Files (x86)\System\rutserv.exe
            "C:\Program Files (x86)\System\rutserv.exe"
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1708
            • C:\Program Files (x86)\System\rfusclient.exe
              "C:\Program Files (x86)\System\rfusclient.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: SetClipboardViewer
              PID:1640
              • C:\Program Files (x86)\System\rfusclient.exe
                "C:\Program Files (x86)\System\rfusclient.exe" /tray
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: SetClipboardViewer
                PID:1596
            • C:\Program Files (x86)\System\rfusclient.exe
              "C:\Program Files (x86)\System\rfusclient.exe" /tray
              2⤵
              • Executes dropped EXE
              PID:1944

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/764-131-0x000000001ADE7000-0x000000001AE06000-memory.dmp

            Filesize

            124KB

            Download

          • memory/764-132-0x000000001ADE2000-0x000000001ADE3000-memory.dmp

            Filesize

            4KB

            Download

          • memory/764-69-0x000000001ADE0000-0x000000001ADE2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/764-66-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/764-62-0x00000000012D0000-0x00000000013CC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/884-97-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/884-98-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/884-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/884-100-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/884-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/884-114-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1128-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1128-93-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1128-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1128-88-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1128-89-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1128-90-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1468-79-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1468-84-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1468-80-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1468-81-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1468-82-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1468-83-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1596-138-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1596-136-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1596-141-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1596-140-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1596-139-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1596-137-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1640-143-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1708-108-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1708-106-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1708-107-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1708-104-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1708-142-0x0000000002A30000-0x0000000002FE6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1708-105-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1808-54-0x0000000076AC1000-0x0000000076AC3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1944-128-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1944-127-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1944-124-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1944-122-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1944-119-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download