Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-04-2022 14:32

General

  • Target

    9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe

  • Size

    4.1MB

  • MD5

    cf430d5f775e4a32801e55af43db9bbb

  • SHA1

    f2faf3d9fbbfbaf5296da25af0c7b37ff26a858c

  • SHA256

    9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379

  • SHA512

    aa49f98c13ff17f0b2060f02cfe5d33518679bacb39bab7ddd20c9c4d3a302b941a39505db19dc96c46f71da74832bb57f6e783dbc687da2d2caf841643d90bb

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Executes dropped EXE (8 IoCs)
  • Sets file to hidden (1 TTPs)

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file (11 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory (18 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe (3 IoCs)
  • Kills process with taskkill (2 IoCs)
  • Modifies registry class (1 IoCs)
  • Runs .reg file with regedit (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious behavior: SetClipboardViewer (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)
  • Views/modifies file attributes (1 TTPs, 1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe
    "C:\Users\Admin\AppData\Local\Temp\9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\Microsoft Games\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Program Files\Microsoft Games\pr.exe
        pr stx.exe -p123 -dC:\Program Files\Microsoft Games
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4636
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Program\install.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1420
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Program\install.bat" "
            5⤵
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:3448
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im rutserv.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3988
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im rfusclient.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4520
            • C:\Windows\SysWOW64\reg.exe
              reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
              6⤵
              PID:3644
            • C:\Windows\SysWOW64\regedit.exe
              regedit /s "regedit.reg"
              6⤵
              • Runs .reg file with regedit
              PID:4356
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              6⤵
              • Delays execution with timeout.exe
              PID:3516
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:5072
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\Program Files\Server\*.*"
              6⤵
              • Drops file in Program Files directory
              • Views/modifies file attributes
              PID:1404
            • C:\Program Files\Server\rutserv.exe
              rutserv.exe /silentinstall
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:4192
            • C:\Program Files\Server\rutserv.exe
              rutserv.exe /firewall
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1128
            • C:\Program Files\Server\rutserv.exe
              rutserv.exe /start
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1272
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3
              6⤵
              • Delays execution with timeout.exe
              PID:4400
    • C:\Program Files\Server\rutserv.exe
      "C:\Program Files\Server\rutserv.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Program Files\Server\rfusclient.exe
        "C:\Program Files\Server\rfusclient.exe" /tray
        2⤵
        • Executes dropped EXE
        PID:3672
      • C:\Program Files\Server\rfusclient.exe
        "C:\Program Files\Server\rfusclient.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: SetClipboardViewer
        • Suspicious use of WriteProcessMemory
        PID:4756
        • C:\Program Files\Server\rfusclient.exe
          "C:\Program Files\Server\rfusclient.exe" /tray
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: SetClipboardViewer
          PID:4560

Network

MITRE ATT&CK Enterprise v6


Downloads

    • C:\Program Files\Microsoft Games\1.bat

      Filesize

      51B

      MD5

      a13092696a05b6b80083e042102f8e27

      SHA1

      e47d31664f0ae6263ea3ca439c8dfcfebecb167d

      SHA256

      d2ba7625bce55b56654bed236a8d8fcb8a1c028bea4a2b7b6e93b3fbd002631b

      SHA512

      540a15faa82081e0c68345f86fc30e39bb99ed550eeb34aba3b0b556e90093c257a735e34b26c7cb48193e4c1bc1f0e4ede857508b0d90600cf6cf4d67c6b62b

    • C:\Program Files\Microsoft Games\pr.exe

      Filesize

      3.9MB

      MD5

      a7106656ff2c7f40df421e52ff887e01

      SHA1

      735932c2ce630e8fd65ed8eb475bcaa24b70d979

      SHA256

      7216b1f398d9a277db705515ad260d766b9c5719f726987080cf8454fa4e6315

      SHA512

      a9f56fd5f7550465e1059c28dace97101e6af9235b236cf3de85770ab214159cb6e6f2b6e0e2f1c5eb92555a3dd5a0e3e31521bcf98e4b21bc1f0903207287b0

    • C:\Program Files\Server\rfusclient.exe

      Filesize

      1.5MB

      MD5

      8b9cd29aa7c2ea3cfaa1080ada962d5a

      SHA1

      7cf5e9e0efe0fde132a4a0ae1034f4c6442bdcd0

      SHA256

      15f5556a83e752812f9d9a33e8f3a027a24d435cfc336fd2316f74257ea8721a

      SHA512

      29c7105ff149ffc5edfa502d2a13c508375ada8c08b9bfece1ef77cf0faa8351a5649b6b694701f65f972dbcfa3c24865941dc9bd83895a3bdd9e1fe8e9427ae

    • C:\Program Files\Server\rutserv.exe

      Filesize

      1.7MB

      MD5

      3d378bcfec79805a04de89d6a2d917b4

      SHA1

      e47758259358246a8989c6e79a433a91830deb79

      SHA256

      7b687c8ce7f8aaa9ab8b955914c0ecd6542be9c34de3f2a3b2c6cbba6ed7b1f2

      SHA512

      4d20c4332bc7d9b6b16885d1fbf5cd019e46eb4acd7fe2e02db7c727e1e9ebc98a37fdccf8da22331ba04d33febd21a31782a7c3cc03b94ba57d43531a0d93dd

    • C:\Program Files\Server\vp8decoder.dll

      Filesize

      378KB

      MD5

      d43fa82fab5337ce20ad14650085c5d9

      SHA1

      678aa092075ff65b6815ffc2d8fdc23af8425981

      SHA256

      c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

      SHA512

      103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

    • C:\Program Files\Server\vp8encoder.dll

      Filesize

      1.6MB

      MD5

      dab4646806dfca6d0e0b4d80fa9209d6

      SHA1

      8244dfe22ec2090eee89dad103e6b2002059d16a

      SHA256

      cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

      SHA512

      aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

    • C:\Program\install.bat

      Filesize

      624B

      MD5

      4c20504c645f84bce230745131dc1919

      SHA1

      8c18cede047b4e810090e55187dc776548821d82

      SHA256

      7cd4f05d659e3ceeb104907a47ea875fc5bf0a32aad02f5a4f38b1b725b688c6

      SHA512

      58286ef8df7249d3fc6d76c3e163ff3e709b10c31de893da16787b9a685f66475e876af40972c530bf8e2671fdcb66f3f92083cec128694df8906b0b92bb3eb7

    • C:\Program\install.vbs

      Filesize

      86B

      MD5

      53b4089b17b50772970facafacef3941

      SHA1

      8f69320a1a627488d8d7adc5daef8ee7d0a70ff9

      SHA256

      3211edb49cce04b4611d91ac235966d542678e4434ca1c2b236975c990b0935c

      SHA512

      e0da4f4f4d7a29c62746942488f73e09b9f484be781366f94e7f981ee431a4c013dc4b479ff1525831922ec162e0fdc235dd919ab96fdc4fdd3de55b5ad6d531

    • C:\Program\regedit.reg

      Filesize

      11KB

      MD5

      6751ac3d0065b80ca2b9629974cc5850

      SHA1

      33306bdf0a65933634bd3a1652bb846de83f6688

      SHA256

      834c8ee696b6a27095481d0212d9dffd2cf292132a088882f9af4454af4001b9

      SHA512

      af160339c2c8d177456909d800eed1c16b5b1a94a02ebd2a69f5c24eaa77576f8a79d647d54c25e6a74190e78cf03e14832a33536ea7461326d3c740b202bf2f

    • C:\Program\rfusclient.exe

      Filesize

      1.5MB

      MD5

      8b9cd29aa7c2ea3cfaa1080ada962d5a

      SHA1

      7cf5e9e0efe0fde132a4a0ae1034f4c6442bdcd0

      SHA256

      15f5556a83e752812f9d9a33e8f3a027a24d435cfc336fd2316f74257ea8721a

      SHA512

      29c7105ff149ffc5edfa502d2a13c508375ada8c08b9bfece1ef77cf0faa8351a5649b6b694701f65f972dbcfa3c24865941dc9bd83895a3bdd9e1fe8e9427ae

    • C:\Program\rutserv.exe

      Filesize

      1.7MB

      MD5

      3d378bcfec79805a04de89d6a2d917b4

      SHA1

      e47758259358246a8989c6e79a433a91830deb79

      SHA256

      7b687c8ce7f8aaa9ab8b955914c0ecd6542be9c34de3f2a3b2c6cbba6ed7b1f2

      SHA512

      4d20c4332bc7d9b6b16885d1fbf5cd019e46eb4acd7fe2e02db7c727e1e9ebc98a37fdccf8da22331ba04d33febd21a31782a7c3cc03b94ba57d43531a0d93dd

    • C:\Program\vp8decoder.dll

      Filesize

      378KB

      MD5

      d43fa82fab5337ce20ad14650085c5d9

      SHA1

      678aa092075ff65b6815ffc2d8fdc23af8425981

      SHA256

      c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

      SHA512

      103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

    • C:\Program\vp8encoder.dll

      Filesize

      1.6MB

      MD5

      dab4646806dfca6d0e0b4d80fa9209d6

      SHA1

      8244dfe22ec2090eee89dad103e6b2002059d16a

      SHA256

      cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

      SHA512

      aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7
