Analysis
-
max time kernel
111s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
17-03-2022 01:27
General
-
Target
install.bat
-
Size
1KB
-
MD5
125b0e626d1babc93c042cf84dd33c05
-
SHA1
d5f01d546be84337306306f71e6bc612442481d8
-
SHA256
8df26877285b0fb8dd52db09da874c24c02e9f1a4d6794752d6ac556e4f927b3
-
SHA512
e6213ef36cc70cc257b671f9dbf590c96e5bcd02196b1de90b2b7be019035f2a859c98003be963983a0f86cf6695aed1db3a3e26b22c1f49bca79d1af9cc6ca5
Score
10/10
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\install.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib "C:\Program Files (x86)\System" +H +S /S /D2⤵
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib "C:\Program Files (x86)\System\*.*" +H +S /S /D2⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im rutserv.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exeTaskkill /f /im rutserv.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im rfusclient.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exeTaskkill /f /im rfusclient.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f2⤵
-
-
C:\Windows\regedit.exeregedit /s "regedit.reg"2⤵
- Runs .reg file with regedit
-
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exerutserv.exe /silentinstall2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exerutserv.exe /firewall2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exerutserv.exe /start2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10002⤵
-
-
C:\Windows\system32\sc.exesc config RManService obj= LocalSystem type= interact type= own2⤵
-
-
C:\Windows\system32\sc.exesc config RManService DisplayName= "Windows_Defender v6.3"2⤵
-
-
C:\Windows\system32\timeout.exetimeout 1202⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeC:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
10.2MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
10.2MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB