Analysis
-
max time kernel
197s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
07-05-2022 21:16
General
-
Target
faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe
-
Size
6.1MB
-
MD5
271d2687fb8b495544eb73d3219acfc4
-
SHA1
80d3310c738fa942853762aa312cdf1c9aeb887b
-
SHA256
faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253
-
SHA512
e16ec9a444e0c78b2c9fa7342af011615531025c87180e5ad3122f07d1783433301e6d34549ef09011c1044d733063eb3b85928f3ed48fa725aa52ec6c25a849
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Executes dropped EXE 7 IoCs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 6 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe"C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\App\install.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -r -a -s -h "C:\ProgramData\App\install.bat" /S /D3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\System Corporation Update" /f3⤵
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"3⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\App\rutserv.exerutserv.exe /silentinstall3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\App\rutserv.exerutserv.exe /firewall3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\App\rutserv.exerutserv.exe /start3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\sc.exesc config RManService start= auto3⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\ProgramData\App" /S /D3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\ProgramData\App\rutserv.exe" /S /D3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\ProgramData\App\rfusclient.exe" /S /D3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\ProgramData\App\vp8decoder.dll" /S /D3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\ProgramData\App\vp8encoder.dll" /S /D3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config RManService start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService start= auto3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config RManService start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config RManService start= auto3⤵
-
-
-
C:\ProgramData\App\rutserv.exeC:\ProgramData\App\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\App\rfusclient.exeC:\ProgramData\App\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
-
C:\ProgramData\App\rfusclient.exeC:\ProgramData\App\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\App\rfusclient.exeC:\ProgramData\App\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
857B
MD56ec51eea8e8ca78d0086df72e0b10228
SHA1b7c5a2e76841bb1100a846490f79b5de5f90f128
SHA2566d13d9ad28789125fb70e0fdbfa7ee0e1a1c99c7161c0cbeddeb25eb1d7f1498
SHA5126cfefcedd2433afed69f02abc4d2259fd124730ddcb74444d41c1be827bc385ff89e1d8c4646615c73d0d2fa6681045100d2da3f03320628894310e4a7e6a105
-
Filesize
11KB
MD564c927360c077b3e766b1a4a9bdf8f3a
SHA10bb94ae83d4d4223f5908269a1ab6fdf79405a66
SHA256f8abc166a4efc51f2c6066d7f989c34eb1bdfe95adda8a6c3766e8a956ab6fb9
SHA5123cf275d0c741615b75197dc257d4b1d851ade9fa848eae64eeeb4412d431bd43c3fac21aa1ade8941f1b6d2d765d2413f97e2fd209b141dc2fe721f5fae97cd1
-
Filesize
1.8MB
MD55dd41537431207d6f0c8d7574b345edd
SHA12b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA2568f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4
-
Filesize
1.8MB
MD55dd41537431207d6f0c8d7574b345edd
SHA12b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA2568f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4
-
Filesize
1.8MB
MD55dd41537431207d6f0c8d7574b345edd
SHA12b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA2568f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4
-
Filesize
1.8MB
MD55dd41537431207d6f0c8d7574b345edd
SHA12b3f1085e6a91e4afa454d8e21a9f6f8d1987545
SHA2568f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e
SHA512b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4
-
Filesize
2.0MB
MD5ba2fb371384526b0f7fd3d6372560bce
SHA152f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA2566dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e
-
Filesize
2.0MB
MD5ba2fb371384526b0f7fd3d6372560bce
SHA152f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA2566dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e
-
Filesize
2.0MB
MD5ba2fb371384526b0f7fd3d6372560bce
SHA152f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA2566dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e
-
Filesize
2.0MB
MD5ba2fb371384526b0f7fd3d6372560bce
SHA152f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA2566dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e
-
Filesize
2.0MB
MD5ba2fb371384526b0f7fd3d6372560bce
SHA152f8bdd1486b4cdda984909d07d4bd4d32e4b8b2
SHA2566dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987
SHA512a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e
-
Filesize
378KB
MD5d43fa82fab5337ce20ad14650085c5d9
SHA1678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d
-
Filesize
1.6MB
MD5dab4646806dfca6d0e0b4d80fa9209d6
SHA18244dfe22ec2090eee89dad103e6b2002059d16a
SHA256cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB
-
Filesize
14.0MB