Analysis
-
max time kernel
172s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
21-11-2022 23:21
General
-
Target
cbcb0b77f06312894dfb1209aa5d967c58d248ecf6090a4e0c187290c013cabb.exe
-
Size
4.2MB
-
MD5
f4b07754f4b0c67ab073b28476b809af
-
SHA1
5a4385db9a7a2878e7116f4e71ae2eeb7717bf9e
-
SHA256
cbcb0b77f06312894dfb1209aa5d967c58d248ecf6090a4e0c187290c013cabb
-
SHA512
ebc961fcfa90e4f96191759627f308ccf1a8471a70350f3526be7b4e223b46fca6bcd90e26e59cb7327124050f6fe43aac03b93c35cb7f3f8b9d806c05d662ef
-
SSDEEP
98304:RVZb+Ma7ksZGweOjnvbE7WSW1xTAvpB+sK5/FoUS9T:Nb+CurBjjE7WSWe+sKvpS9T
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 7 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 3 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 1 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbcb0b77f06312894dfb1209aa5d967c58d248ecf6090a4e0c187290c013cabb.exe"C:\Users\Admin\AppData\Local\Temp\cbcb0b77f06312894dfb1209aa5d967c58d248ecf6090a4e0c187290c013cabb.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\exes\io.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\exes\setup.bat" "3⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 24⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq wget.exe" /NH4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "wget.exe"4⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"4⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /v FUSClientPath /t REG_SZ /d "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exe" /f4⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\*.*"4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\vp8decoder.dll"4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\vp8encoder.dll"4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exe"rutserv.exe" /silentinstall4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exe"rutserv.exe" /firewall4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00setup\services\RManService" /v DisplayName /t REG_SZ /d "Microsoft Corporation" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00setup\services\RManService" /v Description /t REG_SZ /d "Microsoft Windows" /f4⤵
-
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exerutserv.exe /start4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exeC:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exeC:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exeC:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exeC:\Windows\en-US\DRVSTORE\Dism\ru-RU\Security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
178B
MD5b8dda233f9810dc7da01ab6bb0a7d34d
SHA1749d2f14ab86fdcd23ddbaad99c9b974c4ae6dd4
SHA2563f35efb7d0ed5d56700451431d4d3626ef1cebf7289dbf75cda7123f53e91746
SHA5126b47cee19f74a4f90d326cb88a27ab5bcf2f8e90c46490bcd23cd24f7aeb50649f8344a21d1da93c24b6af334fdf3a5fc45143ce137469edac84bead8bf5a95c
-
Filesize
113B
MD59a9ec59df719a15b2cadb19ecce9adfd
SHA1172b551d1d04c93c8bb52ead5a88b084e3c8f469
SHA2569413f4a4084d653e2acd3ea80282a261d8356f2605ae7a502ef364c54d4ab2d8
SHA5121f1f678802ad5d5b86824ae789d8ebc64abc8d84686118051f73cfb0f3c6ff41ef19478f4073040d864fc697fe047bf7cd715632eb9b1b1f4d6e4e5799907b20
-
Filesize
98KB
MD53234ca7ffaab06077240020bb183659f
SHA19614bb744a82156f461e4b685c0fe570b4776599
SHA256507af2772c7740f66fd15211f260f7f1989e433b31367587812fce3f67679c51
SHA5120878b6ef55b11ba632a544e01af4836b00d0b0e4eca7033549d9ac2ad2132a7cab275a4027f8f994fc5e0b99918a657faf2d7914c85d8530742f62d7b3ee06c9
-
Filesize
115B
MD51314d834dc9a58668956252e40c8af4d
SHA15d5062e6b06aad2c1f1e51e18e0e293dba1e1a66
SHA256fad0bbb55f7591b441b351fb693b128f2e384685bf576201d942c10e0047df4f
SHA51273e636d95414bec0c987ffbe431d16e95c8d95c72d9504880b4e9cdd1a1064bc6afc43974e281bd2c852fa0cc883d131ca5cb27ee3d4966b4c5b09343c52dcc9
-
Filesize
24KB
MD599d13bb2c0e01de7411739a3401b0a23
SHA19d07fcbcd60554cec1427e7cfbbf466ebdaaaa1f
SHA256bddce3bcce882e9695872650a9887a5fb877fc967044426d11fc048a5896d1ad
SHA512d75b278597e04da6b4f96a058eb8aba033d9ed70ad7b8334317cf3d5d081b45b5656a5faa6a09b5836277cd0d4ba45d39fc190d4ed04e72377c2ea7d8eaf1b85
-
Filesize
4.8MB
MD51040073244f599b73b3f383412aa9640
SHA13cd9b3baa4de24767a2918d03f455d58fa32ff44
SHA2561e35b3107c8d02bd7184cae941b75dfb7d5fb674da6f30c7ed2cad58c0de2987
SHA51287fc4d91d229390ff968e1ce1d4c508ffe4c564d8103dcb3685f5df79e392144b2c73df3ef162329ed197a3b0959224e8346716bc347743669172da8211faf7c
-
Filesize
48KB
MD59558b5bc81eb3d87ca356676cd22a09a
SHA11851e3eed3aff625cf9336694d6374ce24ad5814
SHA256ef247557be6f34aa3ec855e0d0a0367ae0660ff3104791e345363904428de7e8
SHA5124f034167680f90cb166ad73a52fca40e863f63fe056917bb0603132bbeccc592ddb4a9c7f7a10dd022ec5b326bd24f68b9ebbcbc02879b6419fcdfb6903be434
-
Filesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
Filesize
14KB
MD5db67fd8b8c3204ac5ac8dfd4fdf7bb4b
SHA198e2b85bc9c16cf3f1f522d724b12f8b0d8aa03b
SHA256e7053729708353f327cefdefc92b2fb3dae9c595b56427f9f80f2ad4c432aad3
SHA512e3386bd35570bc0e667b0209836c517d028f03208407c414d6a3e47a415ac71b48dd7b22c926d0f775dde46c9106f55bc1a13aa540effca3c667710ff0af5d75
-
Filesize
151KB
MD5565f817a855a681f0b386c9fe970f764
SHA1da0645c4dd38bfc6415c4e083b505715b8b2bc75
SHA2567be9bbf87492a63833f6f2665e461d4e097e3326dec3e7984ecca8a916939843
SHA5120e851284a2c2ea1db7adeaf108cee42472018ff85e8ff28954643f417ff8b61d6d30944112678d47f65b952dbc69c097d3faf54e60b84a51eb92f07efde84f8d
-
Filesize
257KB
MD5fd0c05de8c367b6f843c96f014f0d9d7
SHA168e6b3d8c3b906b74618c6f17c52b5ad19ab857b
SHA256a1507cb1240e89bf4f3468f462a5befab762edac1540b0d5f4839c46b137859b
SHA51212ace11d440f5fad425781f29bd94a12025718764670f0b56d49f8337cd09f43fa0a5d9579d65dcacd47f0dea3a3053b52af795c83972ae1bcc24e5a1cdce13f
-
Filesize
392KB
MD5bd126a7b59d5d1f97ba89a3e71425731
SHA1457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
SHA5123ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a
-
Filesize
4.8MB
MD51040073244f599b73b3f383412aa9640
SHA13cd9b3baa4de24767a2918d03f455d58fa32ff44
SHA2561e35b3107c8d02bd7184cae941b75dfb7d5fb674da6f30c7ed2cad58c0de2987
SHA51287fc4d91d229390ff968e1ce1d4c508ffe4c564d8103dcb3685f5df79e392144b2c73df3ef162329ed197a3b0959224e8346716bc347743669172da8211faf7c
-
Filesize
4.8MB
MD51040073244f599b73b3f383412aa9640
SHA13cd9b3baa4de24767a2918d03f455d58fa32ff44
SHA2561e35b3107c8d02bd7184cae941b75dfb7d5fb674da6f30c7ed2cad58c0de2987
SHA51287fc4d91d229390ff968e1ce1d4c508ffe4c564d8103dcb3685f5df79e392144b2c73df3ef162329ed197a3b0959224e8346716bc347743669172da8211faf7c
-
Filesize
4.8MB
MD51040073244f599b73b3f383412aa9640
SHA13cd9b3baa4de24767a2918d03f455d58fa32ff44
SHA2561e35b3107c8d02bd7184cae941b75dfb7d5fb674da6f30c7ed2cad58c0de2987
SHA51287fc4d91d229390ff968e1ce1d4c508ffe4c564d8103dcb3685f5df79e392144b2c73df3ef162329ed197a3b0959224e8346716bc347743669172da8211faf7c
-
Filesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
Filesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
Filesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef
-
Filesize
5.8MB
MD508b50eec7aa610a427fb98673cac6f57
SHA1dc35911c23632f24ce18c1b1d4a95b6e8dfbbe20
SHA2563525603566f45c7afcd6119d5181fbf1b6306ca8c44d12e29f72fdf3bca612f7
SHA5124b5208f0cb00b5d0871e8060234634073edd28b902168855044f3283afeff570b2b947c3b682d57a31dae2c92b11dd694398cba23c1354555957011580d4f2ef