rms | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
Size

29.6MB
MD5

87e9ef77d9eae3a947a8922acf8179d4
SHA1

064167fa469d978df5fd2f1963d4bbb94c341e87
SHA256

8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382
SHA512

4bbbe4f6fc0cf1fbe1ae30d3f1fe9356b5bdb08ef60dbecca42e32c3d6208b47db9c9087c1542f5f21c1f8a7a0e4951f2e7cc13f4fd336aed2fb3ca99cf487bf

Score

10^/10

rms evasion persistence rat spyware stealer trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4008 created 2880 4008 svchost.exe sysdisk.exe

description	pid	process	target process
PID 4008 created 2880	4008	svchost.exe	sysdisk.exe

UAC bypass 3 TTPs 8 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exeConhost.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 8 IoCs

Processes:

inerstelar.exekey.exermsbuild.exesysdisk.exesysdisk.exesvnhost.exemngrdevice.exewinsystem.exe

pid process

4364 inerstelar.exe
2536 key.exe
4488 rmsbuild.exe
2880 sysdisk.exe
3348 sysdisk.exe
2368 svnhost.exe
544 mngrdevice.exe
3320 winsystem.exe

pid	process
4364	inerstelar.exe
2536	key.exe
4488	rmsbuild.exe
2880	sysdisk.exe
3348	sysdisk.exe
2368	svnhost.exe
544	mngrdevice.exe
3320	winsystem.exe

Modifies Windows Firewall 1 TTPs 16 IoCs

evasion

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
4244	netsh.exe
4324	netsh.exe
2260	netsh.exe
2672	netsh.exe
1236	netsh.exe
4580	netsh.exe
2128	netsh.exe
4952	netsh.exe
4220	netsh.exe
3188	netsh.exe
3532	netsh.exe
1060	netsh.exe
3868	netsh.exe
1096	netsh.exe
4704	netsh.exe
1708	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2368-178-0x0000000010000000-0x000000001005A000-memory.dmp	upx
behavioral2/memory/2368-179-0x0000000010000000-0x000000001005A000-memory.dmp	upx
behavioral2/memory/2368-180-0x0000000002F40000-0x0000000002F9A000-memory.dmp	upx
behavioral2/memory/2368-181-0x0000000002F40000-0x0000000002F9A000-memory.dmp	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exermsbuild.exesysdisk.exeinerstelar.exekey.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	rmsbuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	sysdisk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	inerstelar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	key.exe

Loads dropped DLL 2 IoCs

Processes:

svnhost.exe

pid process

2368 svnhost.exe
2368 svnhost.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2368	svnhost.exe
2368	svnhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mngrdevice.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Windows = "C:\\Windows\\keylog\\mngrdevice.exe"	mngrdevice.exe

Drops file in Windows directory 10 IoCs

Processes:

rmsbuild.exemngrdevice.exekey.exe

description	ioc	process
File created	C:\Windows\System64\sysdisk.exe	rmsbuild.exe
File created	C:\Windows\keylog\libeay32.dll	mngrdevice.exe
File created	C:\Windows\keylog\ssleay32.dll	mngrdevice.exe
File created	C:\Windows\System64\winsystem.exe	rmsbuild.exe
File created	C:\Windows\setlibrecini.ini	rmsbuild.exe
File created	C:\Windows\keylog\mngrdevice.exe	key.exe
File opened for modification	C:\Windows\keylog\mngrdevice.exe	key.exe
File created	C:\Windows\System64\vp8encoder.dll	rmsbuild.exe
File created	C:\Windows\System64\vp8decoder.dll	rmsbuild.exe
File created	C:\Windows\System64\service.bat	rmsbuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4144 systeminfo.exe

pid	process
4144	systeminfo.exe

Modifies registry class 2 IoCs

Processes:

8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exeinerstelar.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	inerstelar.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

4456 reg.exe
2464 reg.exe
4900 reg.exe
216 reg.exe
4284 reg.exe
4056 reg.exe
1224 reg.exe
1608 reg.exe

pid	process
4456	reg.exe
2464	reg.exe
4900	reg.exe
216	reg.exe
4284	reg.exe
4056	reg.exe
1224	reg.exe
1608	reg.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exesysdisk.exesysdisk.exesvnhost.exe

pid	process
3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
2880	sysdisk.exe
2880	sysdisk.exe
2880	sysdisk.exe
2880	sysdisk.exe
2880	sysdisk.exe
2880	sysdisk.exe
3348	sysdisk.exe
3348	sysdisk.exe
3348	sysdisk.exe
3348	sysdisk.exe
2368	svnhost.exe
2368	svnhost.exe
2368	svnhost.exe
2368	svnhost.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesysdisk.exesvchost.exesysdisk.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	4588	powercfg.exe
Token: SeCreatePagefilePrivilege	4588	powercfg.exe
Token: SeShutdownPrivilege	4588	powercfg.exe
Token: SeCreatePagefilePrivilege	4588	powercfg.exe
Token: SeShutdownPrivilege	3272	powercfg.exe
Token: SeCreatePagefilePrivilege	3272	powercfg.exe
Token: SeShutdownPrivilege	3272	powercfg.exe
Token: SeCreatePagefilePrivilege	3272	powercfg.exe
Token: SeShutdownPrivilege	4636	powercfg.exe
Token: SeCreatePagefilePrivilege	4636	powercfg.exe
Token: SeShutdownPrivilege	4636	powercfg.exe
Token: SeCreatePagefilePrivilege	4636	powercfg.exe
Token: SeShutdownPrivilege	4084	powercfg.exe
Token: SeCreatePagefilePrivilege	4084	powercfg.exe
Token: SeShutdownPrivilege	4084	powercfg.exe
Token: SeCreatePagefilePrivilege	4084	powercfg.exe
Token: SeShutdownPrivilege	652	powercfg.exe
Token: SeCreatePagefilePrivilege	652	powercfg.exe
Token: SeShutdownPrivilege	652	powercfg.exe
Token: SeCreatePagefilePrivilege	652	powercfg.exe
Token: SeShutdownPrivilege	3916	powercfg.exe
Token: SeCreatePagefilePrivilege	3916	powercfg.exe
Token: SeShutdownPrivilege	3916	powercfg.exe
Token: SeCreatePagefilePrivilege	3916	powercfg.exe
Token: SeDebugPrivilege	2880	sysdisk.exe
Token: SeTcbPrivilege	4008	svchost.exe
Token: SeTcbPrivilege	4008	svchost.exe
Token: SeTakeOwnershipPrivilege	3348	sysdisk.exe
Token: SeTcbPrivilege	3348	sysdisk.exe
Token: SeTcbPrivilege	3348	sysdisk.exe
Token: SeShutdownPrivilege	4556	powercfg.exe
Token: SeCreatePagefilePrivilege	4556	powercfg.exe
Token: SeShutdownPrivilege	4556	powercfg.exe
Token: SeCreatePagefilePrivilege	4556	powercfg.exe
Token: SeShutdownPrivilege	224	powercfg.exe
Token: SeCreatePagefilePrivilege	224	powercfg.exe
Token: SeShutdownPrivilege	224	powercfg.exe
Token: SeCreatePagefilePrivilege	224	powercfg.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

key.exermsbuild.exesysdisk.exesysdisk.exemngrdevice.exe

pid	process
2536	key.exe
4488	rmsbuild.exe
4488	rmsbuild.exe
2880	sysdisk.exe
2880	sysdisk.exe
2880	sysdisk.exe
2880	sysdisk.exe
3348	sysdisk.exe
3348	sysdisk.exe
3348	sysdisk.exe
3348	sysdisk.exe
544	mngrdevice.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exeinerstelar.exekey.exe

description	pid	process	target process
PID 3932 wrote to memory of 1608	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 3932 wrote to memory of 1608	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 3932 wrote to memory of 1608	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 3932 wrote to memory of 4588	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 3932 wrote to memory of 4588	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 3932 wrote to memory of 4588	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 3932 wrote to memory of 2260	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 2260	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 2260	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 3868	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 3868	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 3868	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 4364	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	inerstelar.exe
PID 3932 wrote to memory of 4364	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	inerstelar.exe
PID 3932 wrote to memory of 4364	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	inerstelar.exe
PID 3932 wrote to memory of 4456	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 3932 wrote to memory of 4456	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 3932 wrote to memory of 4456	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 3932 wrote to memory of 3272	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 3932 wrote to memory of 3272	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 3932 wrote to memory of 3272	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 3932 wrote to memory of 1708	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 1708	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 1708	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 4580	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 4580	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 4580	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 4364 wrote to memory of 2128	4364	inerstelar.exe	netsh.exe
PID 4364 wrote to memory of 2128	4364	inerstelar.exe	netsh.exe
PID 4364 wrote to memory of 2128	4364	inerstelar.exe	netsh.exe
PID 3932 wrote to memory of 2536	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	key.exe
PID 3932 wrote to memory of 2536	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	key.exe
PID 3932 wrote to memory of 2536	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	key.exe
PID 4364 wrote to memory of 4220	4364	inerstelar.exe	netsh.exe
PID 4364 wrote to memory of 4220	4364	inerstelar.exe	netsh.exe
PID 4364 wrote to memory of 4220	4364	inerstelar.exe	netsh.exe
PID 4364 wrote to memory of 216	4364	inerstelar.exe	reg.exe
PID 4364 wrote to memory of 216	4364	inerstelar.exe	reg.exe
PID 4364 wrote to memory of 216	4364	inerstelar.exe	reg.exe
PID 3932 wrote to memory of 2464	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	Conhost.exe
PID 3932 wrote to memory of 2464	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	Conhost.exe
PID 3932 wrote to memory of 2464	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	Conhost.exe
PID 4364 wrote to memory of 4636	4364	inerstelar.exe	powercfg.exe
PID 4364 wrote to memory of 4636	4364	inerstelar.exe	powercfg.exe
PID 4364 wrote to memory of 4636	4364	inerstelar.exe	powercfg.exe
PID 3932 wrote to memory of 4084	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 3932 wrote to memory of 4084	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 3932 wrote to memory of 4084	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 3932 wrote to memory of 4952	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 4952	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 4952	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2536 wrote to memory of 2672	2536	key.exe	netsh.exe
PID 2536 wrote to memory of 2672	2536	key.exe	netsh.exe
PID 2536 wrote to memory of 2672	2536	key.exe	netsh.exe
PID 2536 wrote to memory of 4704	2536	key.exe	netsh.exe
PID 2536 wrote to memory of 4704	2536	key.exe	netsh.exe
PID 2536 wrote to memory of 4704	2536	key.exe	netsh.exe
PID 3932 wrote to memory of 1096	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 1096	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 3932 wrote to memory of 1096	3932	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2536 wrote to memory of 4900	2536	key.exe	reg.exe
PID 2536 wrote to memory of 4900	2536	key.exe	reg.exe
PID 2536 wrote to memory of 4900	2536	key.exe	reg.exe
PID 2536 wrote to memory of 652	2536	key.exe	powercfg.exe

C:\Users\Admin\AppData\Local\Temp\8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
"C:\Users\Admin\AppData\Local\Temp\8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
- Modifies registry key
PID:1608

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
2⤵
- Modifies Windows Firewall
PID:2260

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:3868

C:\Users\Admin\AppData\Local\Temp\inerstelar.exe
"C:\Users\Admin\AppData\Local\Temp\inerstelar.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:2128

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:216

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4220

C:\Users\Admin\AppData\Local\Temp\svnhost.exe
"C:\Users\Admin\AppData\Local\Temp\svnhost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2368

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:3188

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
4⤵
- Modifies Windows Firewall
PID:3532

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- UAC bypass
- Modifies registry key
PID:4056

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C systeminfo
4⤵
PID:364

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:4144

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C netsh wlan show networks mode=bssid
4⤵
PID:4560

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
5⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
- Modifies registry key
PID:4456

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:4580

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
2⤵
- Modifies Windows Firewall
PID:1708

C:\Users\Admin\AppData\Local\Temp\key.exe
"C:\Users\Admin\AppData\Local\Temp\key.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:4900

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4704

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:2672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows\keylog\mngrdevice.exe"
3⤵
PID:5012

C:\Windows\keylog\mngrdevice.exe
C:\Windows\keylog\mngrdevice.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
5⤵
- Modifies Windows Firewall
PID:4324

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- UAC bypass
PID:2464

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- UAC bypass
- Modifies registry key
PID:1224

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
5⤵
- Modifies Windows Firewall
PID:1060

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:2464

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
2⤵
- Modifies Windows Firewall
PID:4952

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:1096

C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe
"C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:1236

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4244

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:4284

C:\Windows\System64\sysdisk.exe
"C:\Windows\System64\sysdisk.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Windows\System64\sysdisk.exe
C:\Windows\System64\sysdisk.exe -second
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\System64\service.bat" "
3⤵
PID:4648

C:\Windows\System64\winsystem.exe
winsystem.exe /install /silent
4⤵
- Executes dropped EXE
PID:3320

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\inerstelar.exe
Filesize
5.0MB

MD5
3afea909809bf8dc784a478de7488b21

SHA1
16ad26d1a5097f15dcfa96fec1f96b67c1a595c4

SHA256
12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928

SHA512
efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\inerstelar.exe
Filesize
5.0MB

MD5
3afea909809bf8dc784a478de7488b21

SHA1
16ad26d1a5097f15dcfa96fec1f96b67c1a595c4

SHA256
12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928

SHA512
efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\key.exe
Filesize
6.0MB

MD5
1917fa3536d6eb098105b5a3e7f89a37

SHA1
defeddab06cb646c8cf837ebaf3f512872cd745c

SHA256
6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7

SHA512
954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\key.exe
Filesize
6.0MB

MD5
1917fa3536d6eb098105b5a3e7f89a37

SHA1
defeddab06cb646c8cf837ebaf3f512872cd745c

SHA256
6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7

SHA512
954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\libeay32.dll
Filesize
1.3MB

MD5
c39b8d8bd482b717ebdd17dcae374c9b

SHA1
abe57f749650fdebbaa6792e3676294c20db6abe

SHA256
0e8006f941ad484931369e96d4319e526e62c3e802b8917d2693074e2e0451af

SHA512
2c9f749541b1fa7d9ff2e4f4182ec81824c71c7306e95cf84f93a5b21dbd0fba40f3e0bb10782742f3b84aaee928bac65f75d3226ecb44e41c27fc6219679667

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe
Filesize
17.6MB

MD5
3c953c3b4bcb16d9bcadad3388e20711

SHA1
17576d534a1d00e57b711ade93b7c57a89e1b7ad

SHA256
e8751e712a4539d6b74905370c99eaac8450ce1da5bd7fbd7ad85243b029a5da

SHA512
66e639c137da983bd272f69c117c278fdece7255dd75b309897551e70964cc34bd4cbf36d51f79e73e343d72abe45661335fefefb95aac88fa3443ecf7535f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe
Filesize
17.6MB

MD5
3c953c3b4bcb16d9bcadad3388e20711

SHA1
17576d534a1d00e57b711ade93b7c57a89e1b7ad

SHA256
e8751e712a4539d6b74905370c99eaac8450ce1da5bd7fbd7ad85243b029a5da

SHA512
66e639c137da983bd272f69c117c278fdece7255dd75b309897551e70964cc34bd4cbf36d51f79e73e343d72abe45661335fefefb95aac88fa3443ecf7535f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssleay32.dll
Filesize
349KB

MD5
89172a85c3b07bff7541720d42d31bc6

SHA1
4685df166f9a64d02c86d7966d4d3a7fa18b3106

SHA256
9594efa47fa162756ad19c7fb7e7c7c09d97f505daf6280f6d9a130f76264350

SHA512
1e9f56f89f5f57be88b95836626ffafe54e58a41cb7c1851bb1933ca056e2c8aaf08aa6e7509e0b22f358c727c554c2a7a7cbe7da3d13dd0c42f9084413b468c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svnhost.exe
Filesize
5.0MB

MD5
3afea909809bf8dc784a478de7488b21

SHA1
16ad26d1a5097f15dcfa96fec1f96b67c1a595c4

SHA256
12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928

SHA512
efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svnhost.exe
Filesize
5.0MB

MD5
3afea909809bf8dc784a478de7488b21

SHA1
16ad26d1a5097f15dcfa96fec1f96b67c1a595c4

SHA256
12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928

SHA512
efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d

Download Submit
C:\Windows\System64\service.bat
Filesize
75B

MD5
3d8ae437e61d1bfa4d58eabc2050af96

SHA1
0d96b38ec1e6ad41920dbe82b461aa12b381ad19

SHA256
b25eec1f9965466a9a32a139dd1728703833610049eb138684588d7cb2fa53b5

SHA512
d558bf211cbb6bfc1533bca5f4ab342e6720b87d0c8e7d04a78018018a624b72eb21b7a3578cdf3782dfe48bda23fce468a754bc0978464c815c1dccb3918501

Download Submit
C:\Windows\System64\sysdisk.exe
Filesize
9.0MB

MD5
92aee365c9fab710fa68b362e5910264

SHA1
a145a246311bed3c4c5e14332618795a189e13a4

SHA256
0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713

SHA512
6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9

Download Submit
C:\Windows\System64\sysdisk.exe
Filesize
9.0MB

MD5
92aee365c9fab710fa68b362e5910264

SHA1
a145a246311bed3c4c5e14332618795a189e13a4

SHA256
0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713

SHA512
6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9

Download Submit
C:\Windows\System64\sysdisk.exe
Filesize
9.0MB

MD5
92aee365c9fab710fa68b362e5910264

SHA1
a145a246311bed3c4c5e14332618795a189e13a4

SHA256
0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713

SHA512
6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9

Download Submit
C:\Windows\System64\vp8decoder.dll
Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll
Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\System64\winsystem.exe
Filesize
685KB

MD5
d01414473916d6597cc43c82cf049b76

SHA1
1dbbc71286fc535d1c91c57b9641869545dfa3c9

SHA256
fc82a64c3a7b65325b7c6fed745d7ac2875972d37cc04bd511af1b117acd56ad

SHA512
5def729d5ed86b60215df4fcccd185ca08737fcf1d15a4dd45ab773fa9863a800d97cc50cd1bddaa54e63b9530a46d68845f97fa7adfa543efe65b4eaadc1d7b

Download Submit
C:\Windows\System64\winsystem.exe
Filesize
685KB

MD5
d01414473916d6597cc43c82cf049b76

SHA1
1dbbc71286fc535d1c91c57b9641869545dfa3c9

SHA256
fc82a64c3a7b65325b7c6fed745d7ac2875972d37cc04bd511af1b117acd56ad

SHA512
5def729d5ed86b60215df4fcccd185ca08737fcf1d15a4dd45ab773fa9863a800d97cc50cd1bddaa54e63b9530a46d68845f97fa7adfa543efe65b4eaadc1d7b

Download Submit
C:\Windows\keylog\mngrdevice.exe
Filesize
6.0MB

MD5
1917fa3536d6eb098105b5a3e7f89a37

SHA1
defeddab06cb646c8cf837ebaf3f512872cd745c

SHA256
6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7

SHA512
954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19

Download Submit
C:\Windows\keylog\mngrdevice.exe
Filesize
6.0MB

MD5
1917fa3536d6eb098105b5a3e7f89a37

SHA1
defeddab06cb646c8cf837ebaf3f512872cd745c

SHA256
6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7

SHA512
954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19

Download Submit
memory/216-146-0x0000000000000000-mapping.dmp

Download
memory/224-190-0x0000000000000000-mapping.dmp

Download
memory/364-182-0x0000000000000000-mapping.dmp

Download
memory/544-183-0x0000000000000000-mapping.dmp

Download
memory/652-155-0x0000000000000000-mapping.dmp

Download
memory/1060-188-0x0000000000000000-mapping.dmp

Download
memory/1096-153-0x0000000000000000-mapping.dmp

Download
memory/1224-189-0x0000000000000000-mapping.dmp

Download
memory/1236-159-0x0000000000000000-mapping.dmp

Download
memory/1608-130-0x0000000000000000-mapping.dmp

Download
memory/1708-139-0x0000000000000000-mapping.dmp

Download
memory/2128-141-0x0000000000000000-mapping.dmp

Download
memory/2260-132-0x0000000000000000-mapping.dmp

Download
memory/2368-178-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2368-180-0x0000000002F40000-0x0000000002F9A000-memory.dmp

Filesize
360KB

Download
memory/2368-168-0x0000000000000000-mapping.dmp

Download
memory/2368-181-0x0000000002F40000-0x0000000002F9A000-memory.dmp

Filesize
360KB

Download
memory/2368-179-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2464-147-0x0000000000000000-mapping.dmp

Download
memory/2536-142-0x0000000000000000-mapping.dmp

Download
memory/2672-151-0x0000000000000000-mapping.dmp

Download
memory/2880-163-0x0000000000000000-mapping.dmp

Download
memory/3188-171-0x0000000000000000-mapping.dmp

Download
memory/3272-138-0x0000000000000000-mapping.dmp

Download
memory/3320-193-0x0000000000000000-mapping.dmp

Download
memory/3348-166-0x0000000000000000-mapping.dmp

Download
memory/3532-172-0x0000000000000000-mapping.dmp

Download
memory/3868-133-0x0000000000000000-mapping.dmp

Download
memory/3916-162-0x0000000000000000-mapping.dmp

Download
memory/4056-173-0x0000000000000000-mapping.dmp

Download
memory/4084-149-0x0000000000000000-mapping.dmp

Download
memory/4144-187-0x0000000000000000-mapping.dmp

Download
memory/4220-143-0x0000000000000000-mapping.dmp

Download
memory/4244-160-0x0000000000000000-mapping.dmp

Download
memory/4284-161-0x0000000000000000-mapping.dmp

Download
memory/4324-186-0x0000000000000000-mapping.dmp

Download
memory/4364-134-0x0000000000000000-mapping.dmp

Download
memory/4456-137-0x0000000000000000-mapping.dmp

Download
memory/4488-156-0x0000000000000000-mapping.dmp

Download
memory/4556-176-0x0000000000000000-mapping.dmp

Download
memory/4560-196-0x0000000000000000-mapping.dmp

Download
memory/4580-140-0x0000000000000000-mapping.dmp

Download
memory/4588-131-0x0000000000000000-mapping.dmp

Download
memory/4636-148-0x0000000000000000-mapping.dmp

Download
memory/4648-191-0x0000000000000000-mapping.dmp

Download
memory/4704-152-0x0000000000000000-mapping.dmp

Download
memory/4900-154-0x0000000000000000-mapping.dmp

Download
memory/4952-150-0x0000000000000000-mapping.dmp

Download
memory/5012-177-0x0000000000000000-mapping.dmp

Download
memory/5108-197-0x0000000000000000-mapping.dmp

Download