Analysis
-
max time kernel
35s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-05-2022 14:57
General
-
Target
cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe
-
Size
4.0MB
-
MD5
acf3ffe4ef28ee077026078d3aef11be
-
SHA1
3e349d572a82b1df3bd61970640aa50ef6bbed78
-
SHA256
cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29
-
SHA512
00715f0162e8490a743eb307be942373528347e5b9cdfa92b5ab63c16d03ebac2a3925b54e40ad3e7023b2b0b6f9ffb71f09d213b76b7fc7245bae24ebfd0b72
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 2 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe"C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\install.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files (x86)\install.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"4⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 24⤵
- Delays execution with timeout.exe
-
-
C:\Program Files (x86)\rutserv.exerutserv.exe /silentinstall4⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\rutserv.exerutserv.exe /firewall4⤵
-
-
C:\Program Files (x86)\rutserv.exerutserv.exe /start4⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\rutserv.exe"C:\Program Files (x86)\rutserv.exe"1⤵
-
C:\Program Files (x86)\rfusclient.exe"C:\Program Files (x86)\rfusclient.exe" /tray2⤵
-
-
C:\Program Files (x86)\rfusclient.exe"C:\Program Files (x86)\rfusclient.exe"2⤵
-
C:\Program Files (x86)\rfusclient.exe"C:\Program Files (x86)\rfusclient.exe" /tray3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
8KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB