Overview

overview

10

Static

static

d323807515...20.exe

windows7_x64

10

d323807515...20.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    4294218s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    19-03-2022 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d323807515f83943d6b6a268a39feef1b61b0c2db5de5e2bb6d2cb5ad78d5a20.exe

  • Size

    8.1MB

  • MD5

    89e13b57f61901ec9137dd7ed11dad01

  • SHA1

    62f2de5d10c001e69dcd8958eb52bec31caec16d

  • SHA256

    d323807515f83943d6b6a268a39feef1b61b0c2db5de5e2bb6d2cb5ad78d5a20

  • SHA512

    2feeb0463b386517dee8e7d3488f2cb89059b7c614e3abc8c02576bad2ac53e33619da139658d321869c62cd2184d14ba95a3cfa451eebde4547a0ba54ccd873

Score
10/10
rmsaspackv2evasionpersistencerattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 16 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 10 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 19 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 28 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d323807515f83943d6b6a268a39feef1b61b0c2db5de5e2bb6d2cb5ad78d5a20.exe
    "C:\Users\Admin\AppData\Local\Temp\d323807515f83943d6b6a268a39feef1b61b0c2db5de5e2bb6d2cb5ad78d5a20.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:452
        • C:\Users\Admin\AppData\Local\Temp\windows32.exe
          "C:\Users\Admin\AppData\Local\Temp\windows32.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:760
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Program Files\System\install.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:768
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Program Files\System\install.bat" "
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:548
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Program Files\System" +H +S /S /D
                7⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:1264
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Program Files\System\*.*" +H +S /S /D
                7⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:2028
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im rutserv.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:108
              • C:\Windows\SysWOW64\taskkill.exe
                Taskkill /f /im rutserv.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1172
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im rfusclient.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1736
              • C:\Windows\SysWOW64\taskkill.exe
                Taskkill /f /im rfusclient.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1860
              • C:\Windows\SysWOW64\reg.exe
                reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
                7⤵
                  PID:1464
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s "regedit.reg"
                  7⤵
                  • Runs .reg file with regedit
                  PID:576
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  7⤵
                  • Delays execution with timeout.exe
                  PID:1688
                • C:\Program Files\System\rutserv.exe
                  rutserv.exe /silentinstall
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:1448
                • C:\Program Files\System\rutserv.exe
                  rutserv.exe /firewall
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:1820
                • C:\Program Files\System\rutserv.exe
                  rutserv.exe /start
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:600
                • C:\Windows\SysWOW64\sc.exe
                  sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
                  7⤵
                    PID:576
                  • C:\Windows\SysWOW64\sc.exe
                    sc config RManService obj= LocalSystem type= interact type= own
                    7⤵
                      PID:1824
                    • C:\Windows\SysWOW64\sc.exe
                      sc config RManService DisplayName= "Windows_Defender v6.3"
                      7⤵
                        PID:1484
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout 120
                        7⤵
                        • Delays execution with timeout.exe
                        PID:664
          • C:\Windows\SysWOW64\DllHost.exe
            C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
            1⤵
            • Suspicious use of FindShellTrayWindow
            PID:1460
          • C:\Program Files\System\rutserv.exe
            "C:\Program Files\System\rutserv.exe"
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1628
            • C:\Program Files\System\rfusclient.exe
              "C:\Program Files\System\rfusclient.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1148
              • C:\Program Files\System\rfusclient.exe
                "C:\Program Files\System\rfusclient.exe" /tray
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: SetClipboardViewer
                PID:808
            • C:\Program Files\System\rfusclient.exe
              "C:\Program Files\System\rfusclient.exe" /tray
              2⤵
              • Executes dropped EXE
              PID:568

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/452-83-0x00000000009B0000-0x00000000009B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/452-88-0x00000000026F0000-0x00000000026F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/568-152-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/568-150-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/568-156-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/568-155-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/568-154-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/600-149-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/600-133-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/600-132-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/600-131-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/600-130-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/600-129-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/808-168-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/808-167-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/808-165-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/808-166-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/808-163-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/808-164-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1148-153-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1148-151-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1148-148-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1148-145-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1148-144-0x0000000000400000-0x00000000009B6000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1448-113-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1448-112-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1448-109-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1448-110-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1448-111-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1448-114-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1460-89-0x00000000000B0000-0x00000000000B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1460-90-0x0000000000250000-0x0000000000251000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1628-139-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1628-138-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1628-137-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1628-136-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1628-140-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1820-121-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1820-119-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1820-120-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1820-122-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1820-123-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1820-124-0x0000000000400000-0x0000000000AB9000-memory.dmp

            Filesize

            6.7MB

            Download

          • memory/1980-54-0x00000000758A1000-0x00000000758A3000-memory.dmp

            Filesize

            8KB

            Download