rms | 5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2022 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe
Size

2.3MB
MD5

f9a70b66ff579dc6e00109eb5d48055e
SHA1

4337646a6b0d12f8732e5b20003cc999852e3f62
SHA256

5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520
SHA512

782086b98f6c3c296716fa4178170302c56a2fff512e34e9efc724d1eb1108fa7e58e7c1e30425de91aae718c966819e5aa716e4cedad4778d5bf2d6dffec306
SSDEEP

49152:RLfmMc8EjGCbKeaoK94jmPBLeL7gBfi/4gXkc/hbHorCUm0fV:RLfm382GCbKeWyjUBLL2dT/xoWUf

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 312 created 2408	312	svchost.exe	87

Executes dropped EXE 2 IoCs

pid	Process
2408	svnhost.exe
3488	svnhost.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
2888	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe

Loads dropped DLL 2 IoCs

pid	Process
2408	svnhost.exe
3488	svnhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	svnhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svnhost.exe = "C:\\Users\\Admin\\WindowsUpdate\\svnhost.exe"	svnhost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svnhost.pdb	svnhost.exe
File opened for modification	C:\Windows\SysWOW64\exe\svnhost.pdb	svnhost.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\svnhost.pdb	svnhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 28 IoCs

evasion

pid	Process
3296	taskkill.exe
3552	taskkill.exe
1420	taskkill.exe
4592	taskkill.exe
4740	taskkill.exe
3036	taskkill.exe
3844	taskkill.exe
2988	taskkill.exe
4564	taskkill.exe
5068	taskkill.exe
224	taskkill.exe
2124	taskkill.exe
904	taskkill.exe
3680	taskkill.exe
4552	taskkill.exe
656	taskkill.exe
1864	taskkill.exe
4832	taskkill.exe
4248	taskkill.exe
1932	taskkill.exe
4760	taskkill.exe
4676	taskkill.exe
4608	taskkill.exe
3820	taskkill.exe
3288	taskkill.exe
2092	taskkill.exe
2412	taskkill.exe
876	taskkill.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	svnhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\svnhost.exe = "C:\\Users\\Admin\\WindowsUpdate\\svnhost.exe"	svnhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\notification = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e00730073006600660078006400400067006d00610069006c002e0063006f006d003c002f0065006d00610069006c003e003c00690064003e003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00350036003000300036003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\rnd = 320038003900330033003600	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\InternetId = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000360022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e0062006100730068002e00640064006e0073002e006e00650074003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e0074007200750065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e003400340033003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\Password = 41004300340032004500310039003600350041003900430030003700340030003900310038003900350046003900380044003800460046004300410042004400330032004200380035003800340035003700420035004300380041003900370038003700300030003200350038003300430041003200460030003700430036004200360041003600350033003400360037004100450041003100390030004100330032003600360042004300330034003600360035003900390033004100370039003100360044003500380035004200430033004100370030003000430037003600340036003300440042003600360044004500450044003300360043004600	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\Options = 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70090c497046696c7465725479706502021750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636081141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736508055369644964061034313834312e363639303833363537340d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223536303036223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a0a4164646974696f6e616c0607383636323337311144697361626c65496e7465726e65744964080b536166654d6f6465536574080000	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\CalendarRecordSettings = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\InternetId = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000360022003e003c0069006e007400650072006e00650074005f00690064003e003500330038002d003100340031002d003700350030003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e0074007200750065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e0062006100730068002e00640064006e0073002e006e00650074003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e0074007200750065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e003400340033003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00	svnhost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4448	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2408	svnhost.exe
2408	svnhost.exe
2408	svnhost.exe
2408	svnhost.exe
2408	svnhost.exe
2408	svnhost.exe
3488	svnhost.exe
3488	svnhost.exe
3488	svnhost.exe
3488	svnhost.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	2408	svnhost.exe
Token: SeTcbPrivilege	312	svchost.exe
Token: SeTcbPrivilege	312	svchost.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeTakeOwnershipPrivilege	3488	svnhost.exe
Token: SeTcbPrivilege	3488	svnhost.exe
Token: SeTcbPrivilege	3488	svnhost.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	3288	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeDebugPrivilege	4740	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 5080	4376	5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe	81
PID 4376 wrote to memory of 5080	4376	5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe	81
PID 4376 wrote to memory of 5080	4376	5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe	81
PID 5080 wrote to memory of 5068	5080	cmd.exe	83
PID 5080 wrote to memory of 5068	5080	cmd.exe	83
PID 5080 wrote to memory of 5068	5080	cmd.exe	83
PID 5080 wrote to memory of 1864	5080	cmd.exe	84
PID 5080 wrote to memory of 1864	5080	cmd.exe	84
PID 5080 wrote to memory of 1864	5080	cmd.exe	84
PID 5080 wrote to memory of 4832	5080	cmd.exe	85
PID 5080 wrote to memory of 4832	5080	cmd.exe	85
PID 5080 wrote to memory of 4832	5080	cmd.exe	85
PID 5080 wrote to memory of 2888	5080	cmd.exe	86
PID 5080 wrote to memory of 2888	5080	cmd.exe	86
PID 5080 wrote to memory of 2888	5080	cmd.exe	86
PID 5080 wrote to memory of 2408	5080	cmd.exe	87
PID 5080 wrote to memory of 2408	5080	cmd.exe	87
PID 5080 wrote to memory of 2408	5080	cmd.exe	87
PID 5080 wrote to memory of 2092	5080	cmd.exe	88
PID 5080 wrote to memory of 2092	5080	cmd.exe	88
PID 5080 wrote to memory of 2092	5080	cmd.exe	88
PID 5080 wrote to memory of 224	5080	cmd.exe	89
PID 5080 wrote to memory of 224	5080	cmd.exe	89
PID 5080 wrote to memory of 224	5080	cmd.exe	89
PID 5080 wrote to memory of 3296	5080	cmd.exe	91
PID 5080 wrote to memory of 3296	5080	cmd.exe	91
PID 5080 wrote to memory of 3296	5080	cmd.exe	91
PID 5080 wrote to memory of 4676	5080	cmd.exe	92
PID 5080 wrote to memory of 4676	5080	cmd.exe	92
PID 5080 wrote to memory of 4676	5080	cmd.exe	92
PID 312 wrote to memory of 3488	312	svchost.exe	93
PID 312 wrote to memory of 3488	312	svchost.exe	93
PID 312 wrote to memory of 3488	312	svchost.exe	93
PID 5080 wrote to memory of 3036	5080	cmd.exe	94
PID 5080 wrote to memory of 3036	5080	cmd.exe	94
PID 5080 wrote to memory of 3036	5080	cmd.exe	94
PID 5080 wrote to memory of 3552	5080	cmd.exe	95
PID 5080 wrote to memory of 3552	5080	cmd.exe	95
PID 5080 wrote to memory of 3552	5080	cmd.exe	95
PID 5080 wrote to memory of 3844	5080	cmd.exe	98
PID 5080 wrote to memory of 3844	5080	cmd.exe	98
PID 5080 wrote to memory of 3844	5080	cmd.exe	98
PID 5080 wrote to memory of 1420	5080	cmd.exe	99
PID 5080 wrote to memory of 1420	5080	cmd.exe	99
PID 5080 wrote to memory of 1420	5080	cmd.exe	99
PID 5080 wrote to memory of 4592	5080	cmd.exe	100
PID 5080 wrote to memory of 4592	5080	cmd.exe	100
PID 5080 wrote to memory of 4592	5080	cmd.exe	100
PID 5080 wrote to memory of 1932	5080	cmd.exe	101
PID 5080 wrote to memory of 1932	5080	cmd.exe	101
PID 5080 wrote to memory of 1932	5080	cmd.exe	101
PID 5080 wrote to memory of 4608	5080	cmd.exe	102
PID 5080 wrote to memory of 4608	5080	cmd.exe	102
PID 5080 wrote to memory of 4608	5080	cmd.exe	102
PID 5080 wrote to memory of 3820	5080	cmd.exe	103
PID 5080 wrote to memory of 3820	5080	cmd.exe	103
PID 5080 wrote to memory of 3820	5080	cmd.exe	103
PID 5080 wrote to memory of 3288	5080	cmd.exe	104
PID 5080 wrote to memory of 3288	5080	cmd.exe	104
PID 5080 wrote to memory of 3288	5080	cmd.exe	104
PID 5080 wrote to memory of 2124	5080	cmd.exe	106
PID 5080 wrote to memory of 2124	5080	cmd.exe	106
PID 5080 wrote to memory of 2124	5080	cmd.exe	106
PID 5080 wrote to memory of 904	5080	cmd.exe	107

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2888	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe
"C:\Users\Admin\AppData\Local\Temp\5cd9f9e3744daa7ecd4479f483124cc269e827c8acc96271e1f1ea2023afa520.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im anvir.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r "C:\Users\Admin\WindowsUpdate"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2888
- - C:\Users\Admin\WindowsUpdate\svnhost.exe
    "C:\Users\Admin\WindowsUpdate\svnhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
  - - C:\Users\Admin\WindowsUpdate\svnhost.exe
      C:\Users\Admin\WindowsUpdate\svnhost.exe -second
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 localhost
    3⤵
    - Runs ping.exe
    PID:4448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

Filesize
144KB

MD5
794b9c46edf14e255d2e5e40b351ed70

SHA1
5e80a8ed318b1c6b7faa0c0ab25a0d2a1db146d8

SHA256
d7612a721e42438071bf9adeda3a8d098f7e5e6952aa5a692df88035238f5284

SHA512
b0dc026f404bc7700fa5c3b7ca2aade91f9c9dd4dc3a6955d8a93c129995163710f73d4e4cd6825abf4531acd3b53f6358dc56d2b84f7965646a2c1f9893105f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

Filesize
957KB

MD5
5a01089e2ead26a443bd91293f0bbf3c

SHA1
5ae736caec70187e328b8ea0c02991830e426527

SHA256
d08b94fa5b9794f8217a52236b0a510bec753f4b99a31be6718aea42bd877e54

SHA512
843cc40efd1a3087c6af9d0f079202cf2a6bf6adaa1c3593b62af863d70d53bc0809186ff3f01b21232c4e056f6307e12ccb7423b3c3751db509150b426d4413

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.dll

Filesize
3KB

MD5
be6fc300c2d1383b492e4146bf4a8ade

SHA1
955f5f5ddac35bb2043e1a1b7f705ca06c053291

SHA256
14e9fa14ea51d41ad033a4083c0b6d8e1c36631857d9b754dd97353e72b1c734

SHA512
208a93ab1b5c102f05bad973753a8efa0ea93b0e3110838ff4a3de4a5bff2b2ce3fc759d6a9d2a8a17857b61f840a0911de31ad950de03d4dbdf3e47809621fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.bat

Filesize
1KB

MD5
724cf69b934c5ea48919692c043d1f7c

SHA1
a6e77bdfb330e2581f2e95b2f90f880d5dee4d3d

SHA256
0a55e2f6d351225ca543d119d17b47325e55fdba5c513d3849a8ab082a6a73ba

SHA512
f433a0ad04518879233eebbf8d1261ce0d17568dd72e5dcc8fad1e648faf61fe189407f995a262e0978726c93a13a4fa1bd7d519d139472fb70bdefecd2577da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\null

Filesize
259B

MD5
8d3dc727102c82fe89b1f1110b8f11c1

SHA1
91ecc153b914da7d7c09d71b7a588876111c003c

SHA256
61b96cc711441f6e6856d203e7a64cbc138ad16fc6f4a87ad2ff8b0ffc8d7ccd

SHA512
5e77a20f72d8082b2386273816f5806ba07cf54b8417b15d46bf337f0d73352aead54510cea0d3abd5cc0b92ee19e253586562b5634c99129c01a6c6f725ecd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.ini

Filesize
124B

MD5
02f6e839a25528052aaabf1eaa3cbc09

SHA1
069d528f27099497be7a4e6cf9e8f0bead1a71f5

SHA256
6c04d815f37b1b9f5a8664bfaf54ee6772c7b40220528057105194fcea18db41

SHA512
cdfb2ab5034df602d2ee728a3be3e22f2363de764ae99a2560e971aac0608c05589e852833c2889ea043b591fa289fd5dad0a27e78be69046e09131a1e85a29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\svnhost.exe

Filesize
5.7MB

MD5
9fe52c81b7688321ca8c481f3098c74d

SHA1
8db972be34a9203cbe8540567430dc5759995ef5

SHA256
6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

SHA512
a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

Filesize
409KB

MD5
1525887bc6978c0b54fec544877319e6

SHA1
7820fcd66e6fbf717d78a2a4df5b0367923dc431

SHA256
a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69

SHA512
56cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

Filesize
691KB

MD5
c8fd8c4bc131d59606b08920b2fda91c

SHA1
df777e7c6c1b3d84a8277e6a669e9a5f7c15896d

SHA256
6f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240

SHA512
2fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\winmm.dll

Filesize
104KB

MD5
289a39547b5ad28d27910eeb442a5200

SHA1
075c6ccec7731d5d9d4bb015bc627c0059351654

SHA256
359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f

SHA512
f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05

Download Submit
C:\Users\Admin\WindowsUpdate\RIPCServer.dll

Filesize
144KB

MD5
794b9c46edf14e255d2e5e40b351ed70

SHA1
5e80a8ed318b1c6b7faa0c0ab25a0d2a1db146d8

SHA256
d7612a721e42438071bf9adeda3a8d098f7e5e6952aa5a692df88035238f5284

SHA512
b0dc026f404bc7700fa5c3b7ca2aade91f9c9dd4dc3a6955d8a93c129995163710f73d4e4cd6825abf4531acd3b53f6358dc56d2b84f7965646a2c1f9893105f

Download Submit
C:\Users\Admin\WindowsUpdate\RWLN.dll

Filesize
957KB

MD5
5a01089e2ead26a443bd91293f0bbf3c

SHA1
5ae736caec70187e328b8ea0c02991830e426527

SHA256
d08b94fa5b9794f8217a52236b0a510bec753f4b99a31be6718aea42bd877e54

SHA512
843cc40efd1a3087c6af9d0f079202cf2a6bf6adaa1c3593b62af863d70d53bc0809186ff3f01b21232c4e056f6307e12ccb7423b3c3751db509150b426d4413

Download Submit
C:\Users\Admin\WindowsUpdate\config.dll

Filesize
3KB

MD5
be6fc300c2d1383b492e4146bf4a8ade

SHA1
955f5f5ddac35bb2043e1a1b7f705ca06c053291

SHA256
14e9fa14ea51d41ad033a4083c0b6d8e1c36631857d9b754dd97353e72b1c734

SHA512
208a93ab1b5c102f05bad973753a8efa0ea93b0e3110838ff4a3de4a5bff2b2ce3fc759d6a9d2a8a17857b61f840a0911de31ad950de03d4dbdf3e47809621fe

Download Submit
C:\Users\Admin\WindowsUpdate\settings.ini

Filesize
124B

MD5
02f6e839a25528052aaabf1eaa3cbc09

SHA1
069d528f27099497be7a4e6cf9e8f0bead1a71f5

SHA256
6c04d815f37b1b9f5a8664bfaf54ee6772c7b40220528057105194fcea18db41

SHA512
cdfb2ab5034df602d2ee728a3be3e22f2363de764ae99a2560e971aac0608c05589e852833c2889ea043b591fa289fd5dad0a27e78be69046e09131a1e85a29f

Download Submit
C:\Users\Admin\WindowsUpdate\svnhost.exe

Filesize
5.7MB

MD5
9fe52c81b7688321ca8c481f3098c74d

SHA1
8db972be34a9203cbe8540567430dc5759995ef5

SHA256
6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

SHA512
a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

Download Submit
C:\Users\Admin\WindowsUpdate\svnhost.exe

Filesize
5.7MB

MD5
9fe52c81b7688321ca8c481f3098c74d

SHA1
8db972be34a9203cbe8540567430dc5759995ef5

SHA256
6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

SHA512
a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

Download Submit
C:\Users\Admin\WindowsUpdate\svnhost.exe

Filesize
5.7MB

MD5
9fe52c81b7688321ca8c481f3098c74d

SHA1
8db972be34a9203cbe8540567430dc5759995ef5

SHA256
6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

SHA512
a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

Download Submit
C:\Users\Admin\WindowsUpdate\vp8decoder.dll

Filesize
409KB

MD5
1525887bc6978c0b54fec544877319e6

SHA1
7820fcd66e6fbf717d78a2a4df5b0367923dc431

SHA256
a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69

SHA512
56cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153

Download Submit
C:\Users\Admin\WindowsUpdate\vp8encoder.dll

Filesize
691KB

MD5
c8fd8c4bc131d59606b08920b2fda91c

SHA1
df777e7c6c1b3d84a8277e6a669e9a5f7c15896d

SHA256
6f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240

SHA512
2fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d

Download Submit
C:\Users\Admin\WindowsUpdate\winmm.dll

Filesize
104KB

MD5
289a39547b5ad28d27910eeb442a5200

SHA1
075c6ccec7731d5d9d4bb015bc627c0059351654

SHA256
359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f

SHA512
f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05

Download Submit
C:\Users\Admin\WindowsUpdate\winmm.dll

Filesize
104KB

MD5
289a39547b5ad28d27910eeb442a5200

SHA1
075c6ccec7731d5d9d4bb015bc627c0059351654

SHA256
359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f

SHA512
f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05

Download Submit
C:\Users\Admin\WindowsUpdate\winmm.dll

Filesize
104KB

MD5
289a39547b5ad28d27910eeb442a5200

SHA1
075c6ccec7731d5d9d4bb015bc627c0059351654

SHA256
359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f

SHA512
f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05

Download Submit