Malware Analysis Report

2024-11-13 16:20

Sample ID: 220524-sbmwwafce8
Target: cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29
SHA256: cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29
Tags: rms aspackv2 rat trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29

Threat Level: Known bad

The file cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29 was found to be: Known bad.

Malicious Activity Summary

rms aspackv2 rat trojan upx

RMS

ACProtect 1.3x - 1.4x DLL software

ASPack v2.12-2.42

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Runs .reg file with regedit

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: SetClipboardViewer

Modifies registry class

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-24 14:57

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-24 14:57
Reported: 2022-05-24 15:32
Platform: win10v2004-20220414-en
Max time kernel: 147s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe"

Signatures

RMS

trojan rat rms

ACProtect 1.3x - 1.4x DLL software

ASPack v2.12-2.42

aspackv2

UPX packed file

upx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\install.vbs C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\install.bat C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\regedit.reg C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\__tmp_rar_sfx_access_check_240559703 C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\regedit.reg C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\rutserv.exe C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\rutserv.exe C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\install.vbs C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\install.bat C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe C:\Windows\SysWOW64\WScript.exe
PID 3764 wrote to memory of 3980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3980 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3980 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3980 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3980 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3980 wrote to memory of 4268 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\rutserv.exe
PID 3980 wrote to memory of 4208 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\rutserv.exe
PID 3980 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\rutserv.exe
PID 1564 wrote to memory of 4200 N/A C:\Program Files (x86)\rutserv.exe C:\Program Files (x86)\rfusclient.exe
PID 1564 wrote to memory of 2016 N/A C:\Program Files (x86)\rutserv.exe C:\Program Files (x86)\rfusclient.exe
PID 4200 wrote to memory of 4240 N/A C:\Program Files (x86)\rfusclient.exe C:\Program Files (x86)\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe

"C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\install.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\install.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\rutserv.exe

"C:\Program Files (x86)\rutserv.exe"

C:\Program Files (x86)\rfusclient.exe

"C:\Program Files (x86)\rfusclient.exe" /tray

C:\Program Files (x86)\rfusclient.exe

"C:\Program Files (x86)\rfusclient.exe"

C:\Program Files (x86)\rfusclient.exe

"C:\Program Files (x86)\rfusclient.exe" /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
NL 8.238.23.254:80 tcp
US 20.189.173.6:443 tcp

Files

C:\Program Files (x86)\install.vbs

MD5 65fc32766a238ff3e95984e325357dbb
SHA1 3ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256 a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

C:\Program Files (x86)\install.bat

MD5 99db27d776e103cad354b531ee1f20b9
SHA1 0b82d146df8528f66d1d14756f211fd3a8b1b91a
SHA256 240020a1a1941d1455135b5cb134e502a13b148be16cbb1552482aa03c29f8f3
SHA512 bc2ed33495c0a752397b2f1b9b7ba65f94ea5be82dde74c618342c83b68f1b92a4783b672cd427843533799e1af0875e0fd000b12236852e9e2fa93005d7ac69

C:\Program Files (x86)\regedit.reg

MD5 fd7cf7462771593575da369c77ca2f19
SHA1 f5c3eff1fe65506378341522880a6975e731ae95
SHA256 7c7df6c5b6c080718f585dfa9d1d2b5b1ee6b02908d59fe5c4a6e8f4d1b98e18
SHA512 9fb1168f5576b592c576cd0cf10ca23387ef37ee59a675d9e6d55e93a3d2511b7a3d1c3bfb03b88fe9682a49a3df93c4abf31a0b53c5011d6461267a71f4b486

C:\Program Files (x86)\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Program Files (x86)\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-24 14:57
Reported: 2022-05-24 15:35
Platform: win7-20220414-en
Max time kernel: 35s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe"

Signatures

RMS

trojan rat rms

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\rutserv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\rutserv.exe C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\regedit.reg C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\install.vbs C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\regedit.reg C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\install.vbs C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\__tmp_rar_sfx_access_check_7108887 C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\install.bat C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\install.bat C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File created C:\Program Files (x86)\rutserv.exe C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A
File opened for modification C:\Program Files (x86)\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1364 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe C:\Windows\SysWOW64\WScript.exe
PID 1728 wrote to memory of 1284 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1284 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1284 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1284 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1284 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1284 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\rutserv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe

"C:\Users\Admin\AppData\Local\Temp\cb37229f83a7f00da748cddb5fa77777c20dca45f3d92db247521af009307e29.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\install.vbs"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\install.bat" "

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\rutserv.exe

"C:\Program Files (x86)\rutserv.exe"

C:\Program Files (x86)\rfusclient.exe

"C:\Program Files (x86)\rfusclient.exe" /tray

C:\Program Files (x86)\rfusclient.exe

"C:\Program Files (x86)\rfusclient.exe"

C:\Program Files (x86)\rfusclient.exe

"C:\Program Files (x86)\rfusclient.exe" /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

C:\Program Files (x86)\install.vbs

C:\Program Files (x86)\install.bat

C:\Program Files (x86)\regedit.reg

C:\Program Files (x86)\rutserv.exe

C:\Program Files (x86)\rfusclient.exe

C:\Program Files (x86)\vp8encoder.dll

C:\Program Files (x86)\vp8decoder.dll
