94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e

Analysis

max time kernel
25s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe
Size

4.1MB
MD5

31a8cb6a5c8db75522c9c470243c7fc8
SHA1

4a78c47ad57b2c74cba64f2eccc7e051e50c996f
SHA256

94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e
SHA512

86115245885a14200c788abb327740d143a3cd865a3d03f9cd0871a90a2dbd0f7734942abbc84fc1064eebf023e26eaff7109ad65301e61faf44ea4ca8c12d50

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4208	data.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4628	timeout.exe
4488	timeout.exe
4368	timeout.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2064	regedit.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 4208	2588	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe	77
PID 2588 wrote to memory of 4208	2588	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe	77
PID 2588 wrote to memory of 4208	2588	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe	77

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1372	attrib.exe
2124	attrib.exe
1524	attrib.exe
1356	attrib.exe
1692	attrib.exe

C:\Users\Admin\AppData\Local\Temp\94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe
"C:\Users\Admin\AppData\Local\Temp\94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe"
  2⤵
  - Executes dropped EXE
  PID:4208
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"
    3⤵
    PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Log\Windows\hiscomponent\install.bat" "
      4⤵
      PID:4640
    - - C:\Remote Manipulator System\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        
        PID:860
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Remote Manipulator System\rutserv.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1524
    - - C:\Remote Manipulator System\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        
        PID:4320
    - - C:\Remote Manipulator System\rutserv.exe
        
        rutserv.exe /start
        5⤵
        
        PID:1220
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Remote Manipulator System\rfusclient.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1356
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:4628
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Remote Manipulator System\*.*"
        5⤵
        Views/modifies file attributes
        
        PID:1692

C:\Windows\SysWOW64\timeout.exe
timeout 1
1⤵
- Delays execution with timeout.exe
PID:4488

C:\Windows\SysWOW64\regedit.exe
regedit /s "Windows\hiscomponent\regedit.reg"
1⤵
- Runs .reg file with regedit
PID:2064

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Log"
1⤵
- Views/modifies file attributes
PID:1372

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Remote Manipulator System"
1⤵
- Views/modifies file attributes
PID:2124

C:\Windows\SysWOW64\timeout.exe
timeout 2
1⤵
- Delays execution with timeout.exe
PID:4368

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f
1⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
1⤵
PID:3960

C:\Remote Manipulator System\rutserv.exe
"C:\Remote Manipulator System\rutserv.exe"
1⤵
PID:4176
- C:\Remote Manipulator System\rfusclient.exe
  "C:\Remote Manipulator System\rfusclient.exe"
  2⤵
  PID:4364
- - C:\Remote Manipulator System\rfusclient.exe
    "C:\Remote Manipulator System\rfusclient.exe" /tray
    3⤵
    PID:4472
- C:\Remote Manipulator System\rfusclient.exe
  "C:\Remote Manipulator System\rfusclient.exe" /tray
  2⤵
  PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Log\Windows\hiscomponent\install.bat

Filesize
1KB

MD5
d150ad4601b180ae466174c36b3adbf9

SHA1
49f3844858bc5a396201b08ad1c3f9384d1c0e98

SHA256
00915d1b31a1fa86614412173e80560667396181092835c18584c9890d70343f

SHA512
fb01613b0e5eb7c9028cfeb8944517253b4c3378074fe8ad841e50f5b18f7bc3d052ad6d19be9907ef640d9e922bc8b84ff8f6020e17787d280678319555519e

Download Submit
C:\Log\Windows\hiscomponent\regedit.reg

Filesize
12KB

MD5
c7773a85904b375a8676fb4259901720

SHA1
1a813a9a67f48913cc50f94fb6a5a3d50102d955

SHA256
40dddf8a9940d97ed3ac63c34b5972cf72f9e3b52760eb65f5275ad91032c872

SHA512
70cd94604a63d36ea00bd255ebee30d43dfcd7056fb0cf6262eb9d0a38177fc83b6ffecc4635008b8d2b24c8afab6ed0f8e7244e3b6c951ba660b39f7cd4f8d5

Download Submit
C:\Log\install.vbs

Filesize
145B

MD5
bc5fa1fff095d50d252cb327ccd6661b

SHA1
8263ea4ab762f188df0f2902297cc46baf816c5c

SHA256
e8bd8b6ff5f0653e82c7239bfdb2894fbd509b45e581c2458bd84c2fd3d84886

SHA512
1eb5a0bc2b3c3ffa6f0967803239313110cd1c3293ecbb6a1f1c2d9d717a2f5aaf042dd28af8520ef63639f291e083c511527515489a45732e6191ad521f544d

Download Submit
C:\Log\rfusclient.exe

Filesize
88KB

MD5
a48e7997dd489633f7ead8443b61f09f

SHA1
419e1c2de95b85e26c9f3fbab033f424cdd885e7

SHA256
a88fd04db04968635b3b2e18220183decad842de73a992dc82ead3e4b68ab537

SHA512
bc859de92af3fe6bf8535343b8331a49d3af46e048627cbe0639dfbf7c02d0c21cc3d299d2d09e42f4a3155d36e3ca6386a95e45bbaa82243a5af6bf5e492933

Download Submit
C:\Log\rutserv.exe

Filesize
48KB

MD5
023b2d0a937c1cac211afd2f3534a751

SHA1
2cdae303816f5ae3bd44a363ba5f460c2bce26b4

SHA256
db153accd4a5879a0c9be24858ae5bc6a4ca660e7647a757ee8bd2491a8b5d60

SHA512
110e01e47d5e1ed8c353890c5e4bfa495d2d4f61ac1d85926cc2c043254fa6cf9352ac2ed5b5e956d07d3c231ee38819ed05e5b435ec734162f72f356f3b7d04

Download Submit
C:\Log\vp8decoder.dll

Filesize
64KB

MD5
b01cacfe8a0aab6443a4639c0572e7c2

SHA1
67a0e4969927496afaaab3ed86ddffdbd61f49b9

SHA256
be89f08f70f6d7720c6ba3c5d6aa1248e67352bca9d1d2e51e616b5e60f8fd8f

SHA512
462cfca837d17ec594941e3bf50cefbb3131dc644870a45db01c0a1f47eaaec8324b4d39d23c97c43005f8fffab6ef7a91b78ac6e8727779c9f3a16cf868b83b

Download Submit
C:\Log\vp8encoder.dll

Filesize
46KB

MD5
2b7edfea84045ad990a73ab4883feb50

SHA1
ac832590d7da1ff9fc7dfe22e2a766f069a275de

SHA256
7ecbc5177332fe8321e7a1ab495436b2a7d567113e46a235c1ed86585651e746

SHA512
db144bcce634d4f53ed94ab3115aadd36ad2e50d220fb99a14e0d0e0a2128fe9e895f56b8f9c38272209bf0feacb3dd5ef38a72d43d49d802775fba2584d587a

Download Submit
C:\Remote Manipulator System\rfusclient.exe

Filesize
58KB

MD5
d4e42743266946ab0ad1de2af828dfae

SHA1
9d759da9c2d70e85ebfb45dc814dd73d521ac47a

SHA256
1d3cdb38442018c9f7740e96b7c8a942f8d699717da5d5c1458b932f6753a27b

SHA512
acd577caddcd95eb38f740f947945730fe9af7ed4a5633c59d0ebba01f242ebc94f3066bbd73a82bdcc550e14e086b8d7196e174712e9b3d69194513a3b5397e

Download Submit
C:\Remote Manipulator System\rfusclient.exe

Filesize
37KB

MD5
b5b02952b8b9adf57b45aa9f920bde45

SHA1
74da15679b171c2930743fccfd4f752530afc695

SHA256
f23e1ce1bda1e6c408ab9a200f7b8cc5bad61c6cb2bbb67d1e125283ef8836d3

SHA512
d93890026e6b832e9b2d7aea52f795723221c0e5fe9db9cc01586ec357d7cbcea6bbf1867a10dd45e850ed6dcbf0ef21a76cd2accc4a8106858026a64ec9c79e

Download Submit
C:\Remote Manipulator System\rfusclient.exe

Filesize
78KB

MD5
8f7236fd4efb70c1b525bce9fd34fc3c

SHA1
52b4dd7cecd5a5de6c55921f4a594fb0cd07ef34

SHA256
7531d037abf1d19a586f5c88d080b24d26cc1cc57e15e0bb865058b144828d3f

SHA512
583db2ffcfc7bc27d40ddf33179b39fbb6767949fe99fe36ca60f616dbfa45a33dae1f0aef8311f8d64022aa6ee3d44c097185d3ea501ab9c2e677f59971dfe1

Download Submit
C:\Remote Manipulator System\rfusclient.exe

Filesize
27KB

MD5
dc45e8c9b4e3a9291f2c7991e658295d

SHA1
608804ebc265e25f2f914ce383a3a6514e39e353

SHA256
e4f32fdae7f1b2b6f93298b9e92609c53eb40df3152e83ad9d7d3d86f885e6e9

SHA512
e8b5203e410e212e137fcac503dc8f1fe7607f798064f75ffe621eccd9f928e1d5e54b3690d6422cbf8454133ed9bc5408900c94aa753af70a4cf876d0e243f6

Download Submit
C:\Remote Manipulator System\rutserv.exe

Filesize
112KB

MD5
69bba0ab026fb67da494932c3b529186

SHA1
d8eb1115547b87d7cf94cdb3680c17e6ab78daf1

SHA256
616c06d8a9e92dfb77fd35150e2433cc322e1a6dc73cc6df3bd5fd1092806e19

SHA512
ec02e8599cab3b78a0fa5a1df044ef5b6892b428de0e315f15cbf0f1491e297dc9555175c1a342d0ee276c847c581c6dd44824c2932d2fc196b8c401ab6cda2a

Download Submit
C:\Remote Manipulator System\rutserv.exe

Filesize
14KB

MD5
1d30e208ea741cf8a7dbc3b06da93864

SHA1
0430d3a81a1b829361bfea9c0ce94f46c64b04c2

SHA256
eb98531c649ec940e101aa1c483907f3a71093ae9274a195810354fc5e5ea64f

SHA512
edbc67a0e48c73910f71e98a25cae7067fc9b6f1176d27a083ec87fb2ae24acc3a51ec60d2e6ce9692a70b82cdf467036123a02b6e1e400e35987e03c159d770

Download Submit
C:\Remote Manipulator System\rutserv.exe

Filesize
25KB

MD5
6b677092af4632cee37905d72ab8dcb1

SHA1
b48eba9ff3191433d16f0fefcd833d870eafc5a6

SHA256
2ce9b1d065e6750de6d683f49dc37e25e8bebb893c9c95ff25ce0868d43fc0d0

SHA512
61a6d4040b4a49fb5568255aac37e21867bb201de1f6ebffe34a64814dcad5acdbc79baaeb7496cfc329b4a7e6b23791b17471a43f2d15629d7429d06373ac3d

Download Submit
C:\Remote Manipulator System\rutserv.exe

Filesize
15KB

MD5
9eb5141c5e55d3f1f8eeefbd18c9767f

SHA1
3c8a3ee298f6fb754833222c0e355d96fb6de23d

SHA256
47c5e1241c82e7d9c8f17c8dcd707643469d947085ba48e3de4e90bb35fd9451

SHA512
f6f3dfaa84d90cda41d586ab601c8ae7e9e7d3515bc4ce74ff4cb389fb7ce51c425cbafa9f0bccfe7e53628bb36cf33986c1e405feefbedb11a847d044c28014

Download Submit
C:\Remote Manipulator System\rutserv.exe

Filesize
65KB

MD5
8a19cc8d130b2054467186e3df0ee0fe

SHA1
f443b8da81af3627ad62cf358f1b725174c6e58d

SHA256
d2e37be58c0d82e447d9ea3457fe00354633e9910a535be2cb3a4d5a0f626d41

SHA512
842792dce14da35c73ceadfbf74ba26229b1ef2d1977c084c763333e68ae184e4d7f144e4434b2124d4ca44e7606c9395ba54c520306a50fb411379db21b4aef

Download Submit
C:\Remote Manipulator System\vp8decoder.dll

Filesize
75KB

MD5
58c55af79fac777a06e8377cd61fcb01

SHA1
a260cd14ac088006a81891e2b5dd784fd89bc8dc

SHA256
8257a37612eed34e72f124db3ed334587f77fb654f9b658af0adfb7215ec2023

SHA512
58a7366eeb495df9c4504f969b766ccbda76546f747632c933b34ab7d002fa868f553699a2e0e90e20bd69c358b70aa9b049f587f7141b92efc7fcb4f67ec076

Download Submit
C:\Remote Manipulator System\vp8encoder.dll

Filesize
7KB

MD5
7e5a964bfbb45c6fcc22015620248bf3

SHA1
392dbd7b3c8373f5173497e27a15c45ec627ad0e

SHA256
47b967e7b054042068596f00dfa723125c508e63c34440ac3201d78bbdd12df3

SHA512
cab7b9ba9635dd4a8d6db4aa493824084c7c5f4365692b3a5fa1ca100de93eff575fc37c540c75850974f6f04e53087f0705d540d234479a7c49f594c0ad341b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

Filesize
25KB

MD5
14e3dd2761614c32ac2998e754aae758

SHA1
d68b1d10f66a9744e145948e0c558e2fb1886f18

SHA256
21815f131f173046133c4509d972fc54e1ccc3828322198de2575b972be9b098

SHA512
483027cf8cca2f5f767e89c0379ad56ac700535484cab91ce4bdf0bc7f7b75f113d9f7c7eadc8492cbb4a4890659bc4fb08889bfea665c72b4ce6fe646ce8778

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

Filesize
56KB

MD5
462d6f65591b42c8a99adb69e7990dcc

SHA1
f99b0904f27f60cb00c7550eb8a7f9618df8618e

SHA256
3eba14717aad4e330212045690aeed46693a57bd9a03db6ad3cb1d2d2bde4394

SHA512
eb6ef39985effae3f9ac6105cd054696f42d98d9614aba57c23865050e9325d8ea98119c27899ed1c7a01687106427166018c1acda0f81ad216bd699ebf0e236

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads