Overview

overview

10

Static

static

b70329c243...f6.exe

windows7_x64

10

b70329c243...f6.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    4294214s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    14-03-2022 17:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b70329c243528e0b6c689b3979bd5921eba413d80f713f529daaad5a02ce8cf6.exe

  • Size

    4.7MB

  • MD5

    07df176023a74870f154494e50cf1a4c

  • SHA1

    2ccd182a1b76b64e93d8fe1bb76c9d7956651a87

  • SHA256

    b70329c243528e0b6c689b3979bd5921eba413d80f713f529daaad5a02ce8cf6

  • SHA512

    e8b00a91a0e9b69988c7673c32a97cc05569862f406f526e13aaa808686c44a866ceded9e56d8bc7bd96739ac9c7f2ceec1e9e88ac16fe5104faeefb10cc0bab

Score
10/10
rmscollectiondiscoveryevasionratspywarestealertrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Executes dropped EXE 11 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 23 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b70329c243528e0b6c689b3979bd5921eba413d80f713f529daaad5a02ce8cf6.exe
    "C:\Users\Admin\AppData\Local\Temp\b70329c243528e0b6c689b3979bd5921eba413d80f713f529daaad5a02ce8cf6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Users\Admin\AppData\Local\Temp\##HACK##.exe
      "C:\Users\Admin\AppData\Local\Temp\##HACK##.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\System32\vipcatalog\start.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\System32\vipcatalog\install.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1416
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im rutserv.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1292
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im rfusclient.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:820
          • C:\Windows\SysWOW64\reg.exe
            reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
            5⤵
              PID:1960
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\Windows\System32\vipcatalog"
              5⤵
              • Drops file in System32 directory
              • Views/modifies file attributes
              PID:948
            • C:\Windows\SysWOW64\vipcatalog\rutserv.exe
              "rutserv.exe" /silentinstall
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:364
            • C:\Windows\SysWOW64\regedit.exe
              regedit /s regedit.reg
              5⤵
              • Runs .reg file with regedit
              PID:1584
            • C:\Windows\SysWOW64\vipcatalog\rutserv.exe
              "rutserv.exe" /start
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1876
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              5⤵
              • Delays execution with timeout.exe
              PID:1636
        • C:\Windows\SysWOW64\vipcatalog\WmiPrvSE.exe
          "C:\Windows\System32\vipcatalog\WmiPrvSE.exe"
          3⤵
          • Executes dropped EXE
          PID:1284
      • C:\Users\Admin\AppData\Local\Temp\mpv.exe
        C:\Users\Admin\AppData\Local\Temp\mpv.exe /stext C:\Users\Admin\AppData\Local\Temp\mpvp.txt
        2⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook accounts
        PID:1804
      • C:\Users\Admin\AppData\Local\Temp\WBP.exe
        C:\Users\Admin\AppData\Local\Temp\WBP.exe /stext C:\Users\Admin\AppData\Local\Temp\WBVP.txt
        2⤵
        • Executes dropped EXE
        PID:1800
      • C:\Users\Admin\AppData\Local\Temp\mespv.exe
        C:\Users\Admin\AppData\Local\Temp\mespv.exe /stext C:\Users\Admin\AppData\Local\Temp\mespvp.txt
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:900
      • C:\Users\Admin\AppData\Local\Temp\pv.exe
        C:\Users\Admin\AppData\Local\Temp\pv.exe /stext C:\Users\Admin\AppData\Local\Temp\pvp.txt
        2⤵
        • Executes dropped EXE
        PID:1964
    • C:\Windows\SysWOW64\vipcatalog\rutserv.exe
      C:\Windows\SysWOW64\vipcatalog\rutserv.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1956
      • C:\Windows\SysWOW64\vipcatalog\rfusclient.exe
        C:\Windows\SysWOW64\vipcatalog\rfusclient.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:808
      • C:\Windows\SysWOW64\vipcatalog\rfusclient.exe
        C:\Windows\SysWOW64\vipcatalog\rfusclient.exe /tray
        2⤵
        • Executes dropped EXE
        PID:1460

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/276-59-0x00000000768A1000-0x00000000768A3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/364-90-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/808-110-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1084-57-0x0000000000B96000-0x0000000000BB5000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1084-55-0x0000000000B90000-0x0000000000B92000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1084-56-0x000007FEEE320000-0x000007FEEF3B6000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1084-54-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1284-71-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1460-111-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1876-98-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1956-99-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download