Analysis

max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20220414-en
submitted: 27-04-2022 00:02

Static task: static1
Behavioral task: behavioral1
Sample: 5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe
Resource: win7-20220414-en
General

Target: 5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe
Size: 16.9MB
MD5: 09958baceb3f9d9e783b7dd9afb8848e
SHA1: a8fa4cd44b887af47d2963a0362efc91395a498f
SHA256: 5762f57bdb828ca779acfdde7b4c986f2562696c87edf9b26f2985df9c287749
SHA512: 3a5dace41fc7c231be0644cffdae20daea451e89fbba59eb9243aa437d6cd8ca0d0285d36cc31f26d3e81fd2197001a3623a5e35d8f98c1c3a76dbd80c4ab3f5
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
Processes:
  PID 2040  rfusclient.exe
  PID 1736  rutserv.exe
  PID 436   rutserv.exe
  PID 1556  rfusclient.exe
rutserv.exe and rfusclient.exe are the host-side components of Remote Utilities (formerly Remote Manipulator System, hence the "RMS Agent" folder name), a legitimate remote-administration product that has been abused by droppers as a silent remote-access tool. The security-relevant point of this report is therefore not the agent binaries themselves but that a 16.9MB executable run from %TEMP% unpacks them into the user's Roaming profile and starts them with -run_agent without any installer UI.
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence check. Note that a localised application reads the same value to pick its UI language and region, so on its own this is weak evidence of geofencing.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation  rfusclient.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation  rutserv.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation  rfusclient.exe
Loads dropped DLL (9 IoCs)
Processes:
  PID 604   5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe  (1 load)
  PID 2040  rfusclient.exe  (4 loads)
  PID 1736  rutserv.exe  (2 loads)
  PID 436   rutserv.exe  (2 loads)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but nothing else in this report supports that reading: there are no mass file writes, no ransom note and no encryption-related IoCs, and a remote-administration agent with a file-transfer feature has a benign reason to enumerate drives.
Modifies data under HKEY_USERS (4 IoCs)
Processes:
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network"  rutserv.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  rutserv.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\SysWOW64\ieframe.dll,-5723 = "The Internet"  rutserv.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers"  rutserv.exe
These are MuiCache entries: the shell caches the localised display strings it resolved from the named DLL resources ("Network", "The Internet", "Printers"), and the LanguageList value is a REG_MULTI_SZ whose UTF-16LE bytes decode to "en-US" and "en". That they land under the .DEFAULT hive rather than the logged-on user's SID means the writing instance of rutserv.exe (PID 436) was not running in the interactive user's profile, which fits the SeTcbPrivilege adjustment recorded for the same PID below.
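To check the decoding claimed above rather than take it on trust, here is an added example (not part of the sandbox report and not Remote Utilities code) that parses the four "Set value" records as the report prints them, splits MuiCache value names into the DLL and string-resource id they encode, and decodes the binary LanguageList value as a REG_MULTI_SZ. The record layout parsed is the printed form; treating a "data" value that decodes cleanly as UTF-16LE NUL-separated strings is an assumption, since the report does not state the value type.

```python
"""Parse the 'Set value' registry IoCs above and decode the REG_MULTI_SZ one."""
import re

# The four records, copied from the report as printed.
RECORDS = [
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" rutserv.exe',
    r'Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 rutserv.exe',
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\SysWOW64\ieframe.dll,-5723 = "The Internet" rutserv.exe',
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" rutserv.exe',
]

# Printed layout (assumed): 'Set value (<kind>) <key> = <value> <process>'
RECORD_RE = re.compile(
    r"^Set value \((?P<kind>str|data)\) (?P<key>\\REGISTRY\\.+?) = (?P<val>.+?) (?P<proc>\S+\.exe)$"
)
# MuiCache value names are '@<dll path>,-<string resource id>'.
MUI_RE = re.compile(r"@(?P<dll>.+?),(?P<rid>-?\d+)$")


def decode_multi_sz(hexdata):
    """REG_MULTI_SZ: UTF-16LE strings separated by NUL, terminated by an empty string.

    Returns None when the bytes are not a clean multi-string (odd length,
    invalid UTF-16, or non-printable content), so the caller keeps the raw hex.
    """
    raw = bytes.fromhex(hexdata)
    if len(raw) % 2:
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    parts = [s for s in text.split("\x00") if s]
    return parts if all(p.isprintable() for p in parts) else None


def parse_record(line):
    """Split one printed record into hive user, value name, MUI resource, value and process."""
    m = RECORD_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised record: {line!r}")
    kind, key, val, proc = m.group("kind", "key", "val", "proc")
    if kind == "str":
        value = val.strip('"')
    else:
        decoded = decode_multi_sz(val)
        value = val if decoded is None else decoded
    # The value name is everything after the last '\' unless it is a MuiCache
    # '@dll,-id' name, which itself contains backslashes.
    if "\\@" in key:
        name = key[key.index("\\@") + 1:]
    else:
        name = key.rsplit("\\", 1)[-1]
    mui = MUI_RE.match(name)
    return {
        "user": key.split("\\")[3],  # '.DEFAULT' here; a SID for an interactive user
        "name": name,
        "resource": (mui.group("dll"), int(mui.group("rid"))) if mui else None,
        "value": value,
        "process": proc,
    }


def parse_all(lines):
    return [parse_record(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_all(RECORDS):
        print(rec)
```

The resource tuples are what you would look up with a resource viewer to confirm the cached strings really are the shell's own "Network", "The Internet" and "Printers" labels; the LanguageList result is the ["en-US", "en"] pair the note above states.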
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
  PID 2040  rfusclient.exe  (2)
  PID 1736  rutserv.exe  (6)
  PID 436   rutserv.exe  (6)
  PID 1556  rfusclient.exe  (2)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  Token: SeDebugPrivilege         PID 1736  rutserv.exe
  Token: SeTakeOwnershipPrivilege  PID 436   rutserv.exe
  Token: SeTcbPrivilege            PID 436   rutserv.exe
  Token: SeTcbPrivilege            PID 436   rutserv.exe
The signature records the AdjustTokenPrivileges call, not whether it succeeded. SeTcbPrivilege ("Act as part of the operating system") is normally held only by SYSTEM and service accounts, so a successful adjustment in PID 436 (the -run_agent -second instance) would indicate it was running with service-level rights rather than as the sandbox's Admin user.
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  PID 1556  rfusclient.exe  (3)
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  PID 1556  rfusclient.exe  (3)
Suspicious use of SetWindowsHookEx (9 IoCs)
Processes:
  PID 1736  rutserv.exe  (4)
  PID 436   rutserv.exe  (5)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (four writes recorded per parent/child pair):
  PID 604   5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe  wrote to  PID 2040  rfusclient.exe  (4)
  PID 2040  rfusclient.exe  wrote to  PID 1736  rutserv.exe  (4)
  PID 436   rutserv.exe  wrote to  PID 1556  rfusclient.exe  (4)
Processes
(indentation shows parent/child depth; PIDs, command lines and the signatures matched per process are as the sandbox recorded them)

C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe"
  PID: 604
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe" -run_agent
    PID: 2040
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
      Command line: "C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe" -run_agent
      PID: 1736
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
        Command line: "C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe" -run_agent -second
        PID: 436
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
          Command line: "C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe" /tray /user
          PID: 1556
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
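The process tree is the most useful thing on this page for detection engineering: a non-installer executable in %TEMP% spawning rfusclient.exe -run_agent, which spawns rutserv.exe -run_agent, which spawns a second rutserv.exe -run_agent -second, which finally starts the /tray /user UI helper. The following is an added example, not code from the sandbox report or from the Remote Utilities product, that encodes that chain as process-creation records and flags every RMS agent process started from a per-user Roaming "RMS Agent" folder, walking back to the non-RMS process that started it. The record layout (pid, ppid, image, cmdline) is an assumption modelled on a process-creation log such as Sysmon Event ID 1, and the dropper's own parent is not listed in the report, so its ppid of 0 is an assumption too.

```python
"""Flag the Remote Utilities (RMS) agent launch chain from the process tree above."""
import ntpath
import re
from dataclasses import dataclass

# Agent binaries of Remote Utilities / Remote Manipulator System, as named in
# the report, and the per-user Roaming path the dropper unpacked them into.
RMS_IMAGES = {"rutserv.exe", "rfusclient.exe"}
RMS_PATH_RE = re.compile(r"\\AppData\\Roaming\\RMS Agent\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe"
AGENT_DIR = r"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885"
RFUS = ntpath.join(AGENT_DIR, "rfusclient.exe")
RUTS = ntpath.join(AGENT_DIR, "rutserv.exe")

# Constructed from the report's process tree (PIDs and command lines as printed);
# ppid 0 for the dropper is an assumption, the report shows no parent for it.
EVENTS = [
    ProcEvent(604, 0, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2040, 604, RFUS, f'"{RFUS}" -run_agent'),
    ProcEvent(1736, 2040, RUTS, f'"{RUTS}" -run_agent'),
    ProcEvent(436, 1736, RUTS, f'"{RUTS}" -run_agent -second'),
    ProcEvent(1556, 436, RFUS, f'"{RFUS}" /tray /user'),
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_rms_agent(ev: ProcEvent) -> bool:
    """An RMS agent binary running out of a per-user Roaming 'RMS Agent' folder."""
    return basename(ev.image) in RMS_IMAGES and RMS_PATH_RE.search(ev.image) is not None


def ancestry(events, pid):
    """Image basenames from pid up to the oldest parent present in the log."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def arguments(cmdline: str) -> str:
    """Everything after the quoted image path, e.g. '-run_agent -second'."""
    return cmdline.split('"')[-1].strip()


def detect(events):
    """One hit per RMS agent process, naming the non-RMS process that started the chain."""
    hits = []
    for ev in events:
        if not is_rms_agent(ev):
            continue
        chain = ancestry(events, ev.pid)
        hits.append({
            "pid": ev.pid,
            "image": basename(ev.image),
            "args": arguments(ev.cmdline),
            "dropper": next((n for n in chain if n not in RMS_IMAGES), None),
            "agent_mode": "-run_agent" in ev.cmdline,  # headless agent vs. the /tray UI helper
        })
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The path test carries most of the weight: an administrator who installs the product normally does not end up with the host binaries under a user's Roaming profile, so the combination of that location, the -run_agent switch and a non-installer parent is what to alert on, while the binaries' names alone would also match legitimate installs.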
Network
MITRE ATT&CK Enterprise v6
Downloads
(26 dropped-file entries as listed by the sandbox, collapsed here to the 13 unique files with the number of times each entry appears)

Filesize 364B  (1 entry)
MD5    20ac4d480454924d7398b2364bc5249c
SHA1   30bf0828a67845ff28278ec0b2618199082c3141
SHA256 f57efe43c5ecb38018d497ae3eb107e687c8ac1a3a1da7ddbf11d461be42bb55
SHA512 53ba4006cf4fbbe2b575b1cdff194de1798ded76faea23dc53d8cebab35e3d28e91e0225c055daba1b34168070c7ed21320fb866c50c0a4a80572901eb0d28a3

Filesize 51KB  (1 entry)
MD5    4e84df6558c385bc781cddea34c9fba3
SHA1   6d63d87c19c11bdbfa484a5835ffffd7647296c8
SHA256 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d
SHA512 c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2

Filesize 1.3MB  (3 entries)
MD5    5222eaf78313758b0520be16e3f8392e
SHA1   9c7cc8fb340618fef38422cf0c75c4c9bfb216e2
SHA256 4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5
SHA512 459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812

Filesize 179KB  (1 entry)
MD5    9ce69f005e39907bd768eeb9663198d2
SHA1   d724211e737143e7425c31cb49ae431b80ae0647
SHA256 6e5fc3669f51c3295348315c74e3a33a5eb641b461cbfa79c88a4cb5680ce398
SHA512 5a25ea18be2c59a0bc3e75adfb65226be4e3c1af342e8a5c4f0263471e9c84a80a3c0c17264efc9bf6b80910f9bd83520eb9d264b40efe2cf6b8fdaf3e9d8201

Filesize 10.1MB  (4 entries)
MD5    5a0e86599acf1fe7e52ccec970ba267d
SHA1   2cf83b99bc7ac354385c35d4ec0cd09b731fa945
SHA256 cd734ca5611e02133bec7ff94d332a125c5957e7648f22549d2d65e7d7fd502d
SHA512 037db2e9271ae68d1cf69e1b82884f32547f99da17b6a6365a91681ebb82ec0e23c63cf80a5138b319c7a4e58c865d9a2fc1c00d7d9ff1071e0bdf8a3c9e3b10

Filesize 19.6MB  (7 entries)
MD5    5f1953611f6c7f7abca398d6288c9397
SHA1   e9203fae4c0ff673a686f03df5df5a86a0b86e7d
SHA256 54cdd1795816f16560e0e1ac8eecc74c50de6c22c446ec7cd1c2b0a26347de26
SHA512 fdd5e3399725ace189c965ec003ca44831f8dd0e7529cc74aa01acf6c0b93356fa0052462b9acee7e894f21eeb89fb10adbba503c075ba118e789bd9548ce164

Filesize 11KB  (1 entry)
MD5    c27be7d68cfd0bd3171e1ef17810d5f9
SHA1   586159af074333174d0a67279f1eb3984db2834d
SHA256 bb4369c750741a04ca9db4e976e5c24ca6622db29932546d4cee307cd33cf4d7
SHA512 2651b2ad8df8abb4021f0769644a28b118d9716065da96a3aeab25bda72cd0e19276cc8a45a932da8b76e2ca6621896f4b10cd49a1c0eefca69dab6d158c6455

Filesize 337KB  (3 entries)
MD5    90a4b7fc6807693e68dd32b68614d989
SHA1   785484ef531ca90f323d5b017fefcff05e68093a
SHA256 4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6
SHA512 97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c

Filesize 379KB  (1 entry)
MD5    e247666cdea63da5a95aebc135908207
SHA1   4642f6c3973c41b7d1c9a73111a26c2d7ac9c392
SHA256 b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33
SHA512 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

Filesize 1.6MB  (1 entry)
MD5    d5c2a6ac30e76b7c9b55adf1fe5c1e4a
SHA1   3d841eb48d1a32b511611d4b9e6eed71e2c373ee
SHA256 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428
SHA512 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

Filesize 259KB  (1 entry)
MD5    49c51ace274d7db13caa533880869a4a
SHA1   b539ed2f1a15e2d4e5c933611d736e0c317b8313
SHA256 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b
SHA512 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

Filesize 364KB  (1 entry)
MD5    eda07083af5b6608cb5b7c305d787842
SHA1   d1703c23522d285a3ccdaf7ba2eb837d40608867
SHA256 c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d
SHA512 be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

Filesize 859KB  (1 entry)
MD5    642dc7e57f0c962b9db4c8fb346bc5a7
SHA1   acee24383b846f7d12521228d69135e5704546f6
SHA256 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede
SHA512 fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae
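Sandbox dropped-file lists repeat the same digests for every path a file was written to, and when copied by hand into a blocklist they are easy to truncate. The following is an added example, not part of the sandbox report, that parses the list in the form the page prints it (a size line and four digest lines per entry, entries separated by "-"), rejects digests of the wrong length or with non-hex characters, collapses repeats into one record per SHA256 with an occurrence count, and flags any MD5 that appears with more than one SHA256, which in practice means a copy error rather than a collision. RAW is a constructed excerpt: four real entries copied from the list above plus one deliberately damaged entry (truncated SHA1, all-zero SHA256, no SHA512) to exercise the checks.

```python
"""Normalise the dropped-file list above into a unique, validated indicator set."""
import re
from collections import defaultdict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed excerpt: first four entries are real rows from the report, the
# last one is deliberately broken to show what the checks catch.
RAW = """
-
Filesize 364B
MD5 20ac4d480454924d7398b2364bc5249c
SHA1 30bf0828a67845ff28278ec0b2618199082c3141
SHA256 f57efe43c5ecb38018d497ae3eb107e687c8ac1a3a1da7ddbf11d461be42bb55
SHA512 53ba4006cf4fbbe2b575b1cdff194de1798ded76faea23dc53d8cebab35e3d28e91e0225c055daba1b34168070c7ed21320fb866c50c0a4a80572901eb0d28a3
-
Filesize 10.1MB
MD5 5a0e86599acf1fe7e52ccec970ba267d
SHA1 2cf83b99bc7ac354385c35d4ec0cd09b731fa945
SHA256 cd734ca5611e02133bec7ff94d332a125c5957e7648f22549d2d65e7d7fd502d
SHA512 037db2e9271ae68d1cf69e1b82884f32547f99da17b6a6365a91681ebb82ec0e23c63cf80a5138b319c7a4e58c865d9a2fc1c00d7d9ff1071e0bdf8a3c9e3b10
-
Filesize 19.6MB
MD5 5f1953611f6c7f7abca398d6288c9397
SHA1 e9203fae4c0ff673a686f03df5df5a86a0b86e7d
SHA256 54cdd1795816f16560e0e1ac8eecc74c50de6c22c446ec7cd1c2b0a26347de26
SHA512 fdd5e3399725ace189c965ec003ca44831f8dd0e7529cc74aa01acf6c0b93356fa0052462b9acee7e894f21eeb89fb10adbba503c075ba118e789bd9548ce164
-
Filesize 19.6MB
MD5 5f1953611f6c7f7abca398d6288c9397
SHA1 e9203fae4c0ff673a686f03df5df5a86a0b86e7d
SHA256 54cdd1795816f16560e0e1ac8eecc74c50de6c22c446ec7cd1c2b0a26347de26
SHA512 fdd5e3399725ace189c965ec003ca44831f8dd0e7529cc74aa01acf6c0b93356fa0052462b9acee7e894f21eeb89fb10adbba503c075ba118e789bd9548ce164
-
Filesize 10.1MB
MD5 5a0e86599acf1fe7e52ccec970ba267d
SHA1 2cf83b99bc7ac354
SHA256 0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_entries(text):
    """Split the 'Filesize / MD5 / SHA1 / ...' blocks on their '-' separator lines."""
    entries, cur = [], {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line == "-":
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(" ")
        key = key.upper()
        cur[key] = val.strip() if key == "FILESIZE" else val.strip().lower()
    if cur:
        entries.append(cur)
    return entries


def validate(entry):
    """Problems with one entry: a missing digest, or one that is not hex of the right length."""
    problems = []
    for algo, n in DIGEST_LEN.items():
        v = entry.get(algo)
        if v is None:
            problems.append(f"missing {algo}")
        elif not HEX_RE.match(v) or len(v) != n:
            problems.append(f"bad {algo}: {v[:16]}...")
    return problems


def dedupe(entries):
    """One record per SHA256 with how many times the sandbox listed it."""
    uniq = {}
    for e in entries:
        key = e.get("SHA256")
        if key is None:
            continue
        rec = uniq.setdefault(key, {"count": 0, "size": e.get("FILESIZE"),
                                    "md5": e.get("MD5"), "sha1": e.get("SHA1")})
        rec["count"] += 1
    return uniq


def cross_check(entries):
    """MD5 values paired with more than one SHA256: a copy error (or, in theory, a collision)."""
    seen = defaultdict(set)
    for e in entries:
        if "MD5" in e and "SHA256" in e:
            seen[e["MD5"]].add(e["SHA256"])
    return sorted(md5 for md5, sha in seen.items() if len(sha) > 1)


if __name__ == "__main__":
    rows = parse_entries(RAW)
    for i, row in enumerate(rows):
        for problem in validate(row):
            print(f"entry {i}: {problem}")
    print(dedupe(rows))
    print("md5 conflicts:", cross_check(rows))
```

Run it over the full 26-entry list and the unique set should come out at 13, matching the collapsed table above; anything validate() or cross_check() reports is a transcription fault to fix before the digests go anywhere near a blocklist.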