rms | 5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520

Analysis

max time kernel
122s
max time network
111s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-11-2022 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe
Size

2.3MB
MD5

f9a70b66ff579dc6e00109eb5d48055e
SHA1

4337646a6b0d12f8732e5b20003cc999852e3f62
SHA256

5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520
SHA512

782086b98f6c3c296716fa4178170302c56a2fff512e34e9efc724d1eb1108fa7e58e7c1e30425de91aae718c966819e5aa716e4cedad4778d5bf2d6dffec306
SSDEEP

49152:RLfmMc8EjGCbKeaoK94jmPBLeL7gBfi/4gXkc/hbHorCUm0fV:RLfm382GCbKeWyjUBLL2dT/xoWUf

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 2 IoCs

pid	Process
624	svnhost.exe
1932	svnhost.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
268	attrib.exe

Loads dropped DLL 4 IoCs

pid	Process
1004	cmd.exe
1004	cmd.exe
624	svnhost.exe
1932	svnhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	svnhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\svnhost.exe = "C:\\Users\\Admin\\WindowsUpdate\\svnhost.exe"	svnhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 28 IoCs

evasion

pid	Process
828	taskkill.exe
1808	taskkill.exe
1176	taskkill.exe
1964	taskkill.exe
1648	taskkill.exe
1652	taskkill.exe
432	taskkill.exe
1028	taskkill.exe
1012	taskkill.exe
1708	taskkill.exe
1504	taskkill.exe
1792	taskkill.exe
1588	taskkill.exe
1392	taskkill.exe
1072	taskkill.exe
2028	taskkill.exe
868	taskkill.exe
1156	taskkill.exe
912	taskkill.exe
1568	taskkill.exe
1444	taskkill.exe
1244	taskkill.exe
964	taskkill.exe
1088	taskkill.exe
1052	taskkill.exe
588	taskkill.exe
908	taskkill.exe
2016	taskkill.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svnhost.exe = "C:\\Users\\Admin\\WindowsUpdate\\svnhost.exe"	svnhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\rnd = 320038003900330033003600	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\CalendarRecordSettings = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00	svnhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\InternetId = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000360022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e0062006100730068002e00640064006e0073002e006e00650074003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e0074007200750065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e003400340033003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\Password = 41004300340032004500310039003600350041003900430030003700340030003900310038003900350046003900380044003800460046004300410042004400330032004200380035003800340035003700420035004300380041003900370038003700300030003200350038003300430041003200460030003700430036004200360041003600350033003400360037004100450041003100390030004100330032003600360042004300330034003600360035003900390033004100370039003100360044003500380035004200430033004100370030003000430037003600340036003300440042003600360044004500450044003300360043004600	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\Options = 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70090c497046696c7465725479706502021750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636081141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736508055369644964061034313834312e363639303833363537340d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223536303036223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a0a4164646974696f6e616c0607383636323337311144697361626c65496e7465726e65744964080b536166654d6f6465536574080000	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\notification = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e00730073006600660078006400400067006d00610069006c002e0063006f006d003c002f0065006d00610069006c003e003c00690064003e003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00350036003000300036003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\InternetId = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000360022003e003c0069006e007400650072006e00650074005f00690064003e003400330035002d003800310036002d003100360031003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e0074007200750065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e0062006100730068002e00640064006e0073002e006e00650074003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e0074007200750065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e003400340033003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00	svnhost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
876	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
624	svnhost.exe
624	svnhost.exe
624	svnhost.exe
624	svnhost.exe
1932	svnhost.exe
1932	svnhost.exe
1932	svnhost.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	624	svnhost.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeTakeOwnershipPrivilege	1932	svnhost.exe
Token: SeTcbPrivilege	1932	svnhost.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeTcbPrivilege	1932	svnhost.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1004	864	5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe	28
PID 864 wrote to memory of 1004	864	5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe	28
PID 864 wrote to memory of 1004	864	5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe	28
PID 864 wrote to memory of 1004	864	5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe	28
PID 864 wrote to memory of 1004	864	5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe	28
PID 864 wrote to memory of 1004	864	5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe	28
PID 864 wrote to memory of 1004	864	5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe	28
PID 1004 wrote to memory of 1244	1004	cmd.exe	30
PID 1004 wrote to memory of 1244	1004	cmd.exe	30
PID 1004 wrote to memory of 1244	1004	cmd.exe	30
PID 1004 wrote to memory of 1244	1004	cmd.exe	30
PID 1004 wrote to memory of 964	1004	cmd.exe	32
PID 1004 wrote to memory of 964	1004	cmd.exe	32
PID 1004 wrote to memory of 964	1004	cmd.exe	32
PID 1004 wrote to memory of 964	1004	cmd.exe	32
PID 1004 wrote to memory of 1176	1004	cmd.exe	33
PID 1004 wrote to memory of 1176	1004	cmd.exe	33
PID 1004 wrote to memory of 1176	1004	cmd.exe	33
PID 1004 wrote to memory of 1176	1004	cmd.exe	33
PID 1004 wrote to memory of 268	1004	cmd.exe	34
PID 1004 wrote to memory of 268	1004	cmd.exe	34
PID 1004 wrote to memory of 268	1004	cmd.exe	34
PID 1004 wrote to memory of 268	1004	cmd.exe	34
PID 1004 wrote to memory of 624	1004	cmd.exe	35
PID 1004 wrote to memory of 624	1004	cmd.exe	35
PID 1004 wrote to memory of 624	1004	cmd.exe	35
PID 1004 wrote to memory of 624	1004	cmd.exe	35
PID 1004 wrote to memory of 432	1004	cmd.exe	36
PID 1004 wrote to memory of 432	1004	cmd.exe	36
PID 1004 wrote to memory of 432	1004	cmd.exe	36
PID 1004 wrote to memory of 432	1004	cmd.exe	36
PID 1004 wrote to memory of 1708	1004	cmd.exe	37
PID 1004 wrote to memory of 1708	1004	cmd.exe	37
PID 1004 wrote to memory of 1708	1004	cmd.exe	37
PID 1004 wrote to memory of 1708	1004	cmd.exe	37
PID 1004 wrote to memory of 828	1004	cmd.exe	38
PID 1004 wrote to memory of 828	1004	cmd.exe	38
PID 1004 wrote to memory of 828	1004	cmd.exe	38
PID 1004 wrote to memory of 828	1004	cmd.exe	38
PID 1004 wrote to memory of 1504	1004	cmd.exe	39
PID 1004 wrote to memory of 1504	1004	cmd.exe	39
PID 1004 wrote to memory of 1504	1004	cmd.exe	39
PID 1004 wrote to memory of 1504	1004	cmd.exe	39
PID 1004 wrote to memory of 1652	1004	cmd.exe	40
PID 1004 wrote to memory of 1652	1004	cmd.exe	40
PID 1004 wrote to memory of 1652	1004	cmd.exe	40
PID 1004 wrote to memory of 1652	1004	cmd.exe	40
PID 1004 wrote to memory of 1792	1004	cmd.exe	41
PID 1004 wrote to memory of 1792	1004	cmd.exe	41
PID 1004 wrote to memory of 1792	1004	cmd.exe	41
PID 1004 wrote to memory of 1792	1004	cmd.exe	41
PID 1004 wrote to memory of 1088	1004	cmd.exe	42
PID 1004 wrote to memory of 1088	1004	cmd.exe	42
PID 1004 wrote to memory of 1088	1004	cmd.exe	42
PID 1004 wrote to memory of 1088	1004	cmd.exe	42
PID 1004 wrote to memory of 2028	1004	cmd.exe	43
PID 1004 wrote to memory of 2028	1004	cmd.exe	43
PID 1004 wrote to memory of 2028	1004	cmd.exe	43
PID 1004 wrote to memory of 2028	1004	cmd.exe	43
PID 1004 wrote to memory of 868	1004	cmd.exe	44
PID 1004 wrote to memory of 868	1004	cmd.exe	44
PID 1004 wrote to memory of 868	1004	cmd.exe	44
PID 1004 wrote to memory of 868	1004	cmd.exe	44
PID 1004 wrote to memory of 1052	1004	cmd.exe	45

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe
"C:\Users\Admin\AppData\Local\Temp\5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im anvir.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r "C:\Users\Admin\WindowsUpdate"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:268
- - C:\Users\Admin\WindowsUpdate\svnhost.exe
    "C:\Users\Admin\WindowsUpdate\svnhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:624
  - - C:\Users\Admin\WindowsUpdate\svnhost.exe
      C:\Users\Admin\WindowsUpdate\svnhost.exe -second
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 localhost
    3⤵
    - Runs ping.exe
    PID:876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

Filesize
144KB

MD5
794b9c46edf14e255d2e5e40b351ed70

SHA1
5e80a8ed318b1c6b7faa0c0ab25a0d2a1db146d8

SHA256
d7612a721e42438071bf9adeda3a8d098f7e5e6952aa5a692df88035238f5284

SHA512
b0dc026f404bc7700fa5c3b7ca2aade91f9c9dd4dc3a6955d8a93c129995163710f73d4e4cd6825abf4531acd3b53f6358dc56d2b84f7965646a2c1f9893105f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

Filesize
957KB

MD5
5a01089e2ead26a443bd91293f0bbf3c

SHA1
5ae736caec70187e328b8ea0c02991830e426527

SHA256
d08b94fa5b9794f8217a52236b0a510bec753f4b99a31be6718aea42bd877e54

SHA512
843cc40efd1a3087c6af9d0f079202cf2a6bf6adaa1c3593b62af863d70d53bc0809186ff3f01b21232c4e056f6307e12ccb7423b3c3751db509150b426d4413

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.dll

Filesize
3KB

MD5
be6fc300c2d1383b492e4146bf4a8ade

SHA1
955f5f5ddac35bb2043e1a1b7f705ca06c053291

SHA256
14e9fa14ea51d41ad033a4083c0b6d8e1c36631857d9b754dd97353e72b1c734

SHA512
208a93ab1b5c102f05bad973753a8efa0ea93b0e3110838ff4a3de4a5bff2b2ce3fc759d6a9d2a8a17857b61f840a0911de31ad950de03d4dbdf3e47809621fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.bat

Filesize
1KB

MD5
724cf69b934c5ea48919692c043d1f7c

SHA1
a6e77bdfb330e2581f2e95b2f90f880d5dee4d3d

SHA256
0a55e2f6d351225ca543d119d17b47325e55fdba5c513d3849a8ab082a6a73ba

SHA512
f433a0ad04518879233eebbf8d1261ce0d17568dd72e5dcc8fad1e648faf61fe189407f995a262e0978726c93a13a4fa1bd7d519d139472fb70bdefecd2577da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\null

Filesize
259B

MD5
4b44539a6c90707af1df164702cc60cd

SHA1
95bc1d9f37a5638500302a0ea5a43ac55e2cbe7c

SHA256
5052cfc48f1113ede8829a9127acada57162e4bdc1153b14240ef0be7b161c1f

SHA512
4f34d323261807e7b6cf304618b9551d8f725418c4028c8cb69f3d21891b60cfa3e22c56d4770431d85df1bc7304c48ca931eb8108956e749f21aa11070835db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.ini

Filesize
124B

MD5
02f6e839a25528052aaabf1eaa3cbc09

SHA1
069d528f27099497be7a4e6cf9e8f0bead1a71f5

SHA256
6c04d815f37b1b9f5a8664bfaf54ee6772c7b40220528057105194fcea18db41

SHA512
cdfb2ab5034df602d2ee728a3be3e22f2363de764ae99a2560e971aac0608c05589e852833c2889ea043b591fa289fd5dad0a27e78be69046e09131a1e85a29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\svnhost.exe

Filesize
5.7MB

MD5
9fe52c81b7688321ca8c481f3098c74d

SHA1
8db972be34a9203cbe8540567430dc5759995ef5

SHA256
6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

SHA512
a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

Filesize
409KB

MD5
1525887bc6978c0b54fec544877319e6

SHA1
7820fcd66e6fbf717d78a2a4df5b0367923dc431

SHA256
a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69

SHA512
56cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

Filesize
691KB

MD5
c8fd8c4bc131d59606b08920b2fda91c

SHA1
df777e7c6c1b3d84a8277e6a669e9a5f7c15896d

SHA256
6f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240

SHA512
2fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\winmm.dll

Filesize
104KB

MD5
289a39547b5ad28d27910eeb442a5200

SHA1
075c6ccec7731d5d9d4bb015bc627c0059351654

SHA256
359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f

SHA512
f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05

Download Submit
C:\Users\Admin\WindowsUpdate\RIPCServer.dll

Filesize
144KB

MD5
794b9c46edf14e255d2e5e40b351ed70

SHA1
5e80a8ed318b1c6b7faa0c0ab25a0d2a1db146d8

SHA256
d7612a721e42438071bf9adeda3a8d098f7e5e6952aa5a692df88035238f5284

SHA512
b0dc026f404bc7700fa5c3b7ca2aade91f9c9dd4dc3a6955d8a93c129995163710f73d4e4cd6825abf4531acd3b53f6358dc56d2b84f7965646a2c1f9893105f

Download Submit
C:\Users\Admin\WindowsUpdate\RWLN.dll

Filesize
957KB

MD5
5a01089e2ead26a443bd91293f0bbf3c

SHA1
5ae736caec70187e328b8ea0c02991830e426527

SHA256
d08b94fa5b9794f8217a52236b0a510bec753f4b99a31be6718aea42bd877e54

SHA512
843cc40efd1a3087c6af9d0f079202cf2a6bf6adaa1c3593b62af863d70d53bc0809186ff3f01b21232c4e056f6307e12ccb7423b3c3751db509150b426d4413

Download Submit
C:\Users\Admin\WindowsUpdate\config.dll

Filesize
3KB

MD5
be6fc300c2d1383b492e4146bf4a8ade

SHA1
955f5f5ddac35bb2043e1a1b7f705ca06c053291

SHA256
14e9fa14ea51d41ad033a4083c0b6d8e1c36631857d9b754dd97353e72b1c734

SHA512
208a93ab1b5c102f05bad973753a8efa0ea93b0e3110838ff4a3de4a5bff2b2ce3fc759d6a9d2a8a17857b61f840a0911de31ad950de03d4dbdf3e47809621fe

Download Submit
C:\Users\Admin\WindowsUpdate\settings.ini

Filesize
124B

MD5
02f6e839a25528052aaabf1eaa3cbc09

SHA1
069d528f27099497be7a4e6cf9e8f0bead1a71f5

SHA256
6c04d815f37b1b9f5a8664bfaf54ee6772c7b40220528057105194fcea18db41

SHA512
cdfb2ab5034df602d2ee728a3be3e22f2363de764ae99a2560e971aac0608c05589e852833c2889ea043b591fa289fd5dad0a27e78be69046e09131a1e85a29f

Download Submit
C:\Users\Admin\WindowsUpdate\svnhost.exe

Filesize
5.7MB

MD5
9fe52c81b7688321ca8c481f3098c74d

SHA1
8db972be34a9203cbe8540567430dc5759995ef5

SHA256
6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

SHA512
a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

Download Submit
C:\Users\Admin\WindowsUpdate\svnhost.exe

Filesize
5.7MB

MD5
9fe52c81b7688321ca8c481f3098c74d

SHA1
8db972be34a9203cbe8540567430dc5759995ef5

SHA256
6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

SHA512
a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

Download Submit
C:\Users\Admin\WindowsUpdate\svnhost.exe

Filesize
5.7MB

MD5
9fe52c81b7688321ca8c481f3098c74d

SHA1
8db972be34a9203cbe8540567430dc5759995ef5

SHA256
6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

SHA512
a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

Download Submit
C:\Users\Admin\WindowsUpdate\vp8decoder.dll

Filesize
409KB

MD5
1525887bc6978c0b54fec544877319e6

SHA1
7820fcd66e6fbf717d78a2a4df5b0367923dc431

SHA256
a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69

SHA512
56cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153

Download Submit
C:\Users\Admin\WindowsUpdate\vp8encoder.dll

Filesize
691KB

MD5
c8fd8c4bc131d59606b08920b2fda91c

SHA1
df777e7c6c1b3d84a8277e6a669e9a5f7c15896d

SHA256
6f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240

SHA512
2fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d

Download Submit
C:\Users\Admin\WindowsUpdate\winmm.dll

Filesize
104KB

MD5
289a39547b5ad28d27910eeb442a5200

SHA1
075c6ccec7731d5d9d4bb015bc627c0059351654

SHA256
359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f

SHA512
f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05

Download Submit
\Users\Admin\WindowsUpdate\svnhost.exe

Filesize
5.7MB

MD5
9fe52c81b7688321ca8c481f3098c74d

SHA1
8db972be34a9203cbe8540567430dc5759995ef5

SHA256
6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

SHA512
a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

Download Submit
\Users\Admin\WindowsUpdate\svnhost.exe

Filesize
5.7MB

MD5
9fe52c81b7688321ca8c481f3098c74d

SHA1
8db972be34a9203cbe8540567430dc5759995ef5

SHA256
6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

SHA512
a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

Download Submit
\Users\Admin\WindowsUpdate\winmm.dll

Filesize
104KB

MD5
289a39547b5ad28d27910eeb442a5200

SHA1
075c6ccec7731d5d9d4bb015bc627c0059351654

SHA256
359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f

SHA512
f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05

Download Submit
\Users\Admin\WindowsUpdate\winmm.dll

Filesize
104KB

MD5
289a39547b5ad28d27910eeb442a5200

SHA1
075c6ccec7731d5d9d4bb015bc627c0059351654

SHA256
359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f

SHA512
f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05

Download Submit
memory/864-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download