Analysis Overview
SHA256
faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253
Threat Level: Known bad
The file faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253 was found to be: Known bad.
Malicious Activity Summary
RMS
Executes dropped EXE
Sets file to hidden
UPX packed file
ASPack v2.12-2.42
Checks computer location settings
Loads dropped DLL
Launches sc.exe
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Kills process with taskkill
Runs .reg file with regedit
Suspicious behavior: SetClipboardViewer
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-07 21:16
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-07 21:16
Reported
2022-05-07 21:47
Platform
win7-20220414-en
Max time kernel
201s
Max time network
266s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rfusclient.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rfusclient.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rfusclient.exe | N/A |
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rfusclient.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\App\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\App\rutserv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe
"C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\App\install.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib -r -a -s -h "C:\ProgramData\App\install.bat" /S /D
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\System Corporation Update" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\ProgramData\App\rutserv.exe
rutserv.exe /silentinstall
C:\ProgramData\App\rutserv.exe
rutserv.exe /firewall
C:\ProgramData\App\rutserv.exe
rutserv.exe /start
C:\ProgramData\App\rutserv.exe
C:\ProgramData\App\rutserv.exe
C:\ProgramData\App\rfusclient.exe
C:\ProgramData\App\rfusclient.exe
C:\ProgramData\App\rfusclient.exe
C:\ProgramData\App\rfusclient.exe /tray
C:\Windows\SysWOW64\sc.exe
sc config RManService start= auto
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\ProgramData\App" /S /D
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\ProgramData\App\rutserv.exe" /S /D
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\ProgramData\App\vp8encoder.dll" /S /D
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\ProgramData\App\vp8decoder.dll" /S /D
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\ProgramData\App\rfusclient.exe" /S /D
C:\ProgramData\App\rfusclient.exe
C:\ProgramData\App\rfusclient.exe /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
C:\ProgramData\App\install.bat
| MD5 | 6ec51eea8e8ca78d0086df72e0b10228 |
| SHA1 | b7c5a2e76841bb1100a846490f79b5de5f90f128 |
| SHA256 | 6d13d9ad28789125fb70e0fdbfa7ee0e1a1c99c7161c0cbeddeb25eb1d7f1498 |
| SHA512 | 6cfefcedd2433afed69f02abc4d2259fd124730ddcb74444d41c1be827bc385ff89e1d8c4646615c73d0d2fa6681045100d2da3f03320628894310e4a7e6a105 |
C:\ProgramData\App\regedit.reg
| MD5 | 64c927360c077b3e766b1a4a9bdf8f3a |
| SHA1 | 0bb94ae83d4d4223f5908269a1ab6fdf79405a66 |
| SHA256 | f8abc166a4efc51f2c6066d7f989c34eb1bdfe95adda8a6c3766e8a956ab6fb9 |
| SHA512 | 3cf275d0c741615b75197dc257d4b1d851ade9fa848eae64eeeb4412d431bd43c3fac21aa1ade8941f1b6d2d765d2413f97e2fd209b141dc2fe721f5fae97cd1 |
C:\ProgramData\App\rutserv.exe
| MD5 | ba2fb371384526b0f7fd3d6372560bce |
| SHA1 | 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2 |
| SHA256 | 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987 |
| SHA512 | a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e |
C:\ProgramData\App\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
C:\ProgramData\App\rfusclient.exe
| MD5 | 5dd41537431207d6f0c8d7574b345edd |
| SHA1 | 2b3f1085e6a91e4afa454d8e21a9f6f8d1987545 |
| SHA256 | 8f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e |
| SHA512 | b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4 |
C:\ProgramData\App\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-07 21:16
Reported
2022-05-07 21:44
Platform
win10v2004-20220414-en
Max time kernel
197s
Max time network
203s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rfusclient.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rfusclient.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rfusclient.exe | N/A |
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rfusclient.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rfusclient.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\App\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\App\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe
"C:\Users\Admin\AppData\Local\Temp\faf7b36afcd23116c4c15910fad9f3516d15bbfd32d5abb6349f1a433a19c253.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\App\install.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib -r -a -s -h "C:\ProgramData\App\install.bat" /S /D
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\System Corporation Update" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\ProgramData\App\rutserv.exe
rutserv.exe /silentinstall
C:\ProgramData\App\rutserv.exe
rutserv.exe /firewall
C:\ProgramData\App\rutserv.exe
rutserv.exe /start
C:\ProgramData\App\rutserv.exe
C:\ProgramData\App\rutserv.exe
C:\ProgramData\App\rfusclient.exe
C:\ProgramData\App\rfusclient.exe /tray
C:\ProgramData\App\rfusclient.exe
C:\ProgramData\App\rfusclient.exe
C:\Windows\SysWOW64\sc.exe
sc config RManService start= auto
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\ProgramData\App" /S /D
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\ProgramData\App\rutserv.exe" /S /D
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\ProgramData\App\rfusclient.exe" /S /D
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\ProgramData\App\vp8decoder.dll" /S /D
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\ProgramData\App\vp8encoder.dll" /S /D
C:\ProgramData\App\rfusclient.exe
C:\ProgramData\App\rfusclient.exe /tray
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc config RManService start= auto
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc config RManService start= auto
C:\Windows\SysWOW64\sc.exe
sc config RManService start= auto
C:\Windows\SysWOW64\sc.exe
sc config RManService start= auto
Network
| Country | Destination | Domain | Proto |
| US | 20.42.65.85:443 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 104.18.24.243:80 | | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | unayt.ru | udp |
| RU | 91.227.18.139:80 | unayt.ru | tcp |
Files
C:\ProgramData\App\install.bat
| MD5 | 6ec51eea8e8ca78d0086df72e0b10228 |
| SHA1 | b7c5a2e76841bb1100a846490f79b5de5f90f128 |
| SHA256 | 6d13d9ad28789125fb70e0fdbfa7ee0e1a1c99c7161c0cbeddeb25eb1d7f1498 |
| SHA512 | 6cfefcedd2433afed69f02abc4d2259fd124730ddcb74444d41c1be827bc385ff89e1d8c4646615c73d0d2fa6681045100d2da3f03320628894310e4a7e6a105 |
C:\ProgramData\App\regedit.reg
| MD5 | 64c927360c077b3e766b1a4a9bdf8f3a |
| SHA1 | 0bb94ae83d4d4223f5908269a1ab6fdf79405a66 |
| SHA256 | f8abc166a4efc51f2c6066d7f989c34eb1bdfe95adda8a6c3766e8a956ab6fb9 |
| SHA512 | 3cf275d0c741615b75197dc257d4b1d851ade9fa848eae64eeeb4412d431bd43c3fac21aa1ade8941f1b6d2d765d2413f97e2fd209b141dc2fe721f5fae97cd1 |
C:\ProgramData\App\rutserv.exe
| MD5 | ba2fb371384526b0f7fd3d6372560bce |
| SHA1 | 52f8bdd1486b4cdda984909d07d4bd4d32e4b8b2 |
| SHA256 | 6dc1a8ff4f5eb116a4a492a6fd3ff9273480cc98813cfb4ba7d75b4facc12987 |
| SHA512 | a8a77097d7e59aac2309dfd6216529dec4174ab266c7751ac0cc10bd71b09a5241420efae0e17455667e28a9f289de79098e2add051bdd2184d2fc39ac79fe0e |
C:\ProgramData\App\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
C:\ProgramData\App\rfusclient.exe
| MD5 | 5dd41537431207d6f0c8d7574b345edd |
| SHA1 | 2b3f1085e6a91e4afa454d8e21a9f6f8d1987545 |
| SHA256 | 8f0a55d2cdd377c51902cbadaf372cd3a84afc393445eb3931ac53f43822886e |
| SHA512 | b0ce40603e781aa767fa9640e157f384dc74d4434c0ab27998373c91241355f87744c06d3b89f2bd7336e9dc3f266fce5fbdce06828e2ca33902e5e09669bae4 |
C:\ProgramData\App\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |