Analysis

  • max time kernel
    163s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/11/2022, 19:10 UTC

General

  • Target

    283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512.exe

  • Size

    2.3MB

  • MD5

    51b63624539d377d79a619208b2cc795

  • SHA1

    15da4757cf87574eee4fb4538bed3639f83f9ddb

  • SHA256

    283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512

  • SHA512

    83115bb2a56e85b59cce5c8bd346667efe8416f959e751c959b1802a48e3c53f8e4c5f057b2f86a9a9563f5e6f85429fd82651b1dc66c433565b99cc25c43a4e

  • SSDEEP

    49152:WlmMc8EjGCbKeaoK94jmPBLeL7gBfi/4gXkc/hbHorCUm0fN:Wlm382GCbKeWyjUBLL2dT/xoWUT

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512.exe
    "C:\Users\Admin\AppData\Local\Temp\283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3408
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im anvir.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1112
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rutserv.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3448
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rfusclient.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4296
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r "C:\Users\Admin\WindowsUpdate"
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:3968
      • C:\Users\Admin\WindowsUpdate\svnhost.exe
        "C:\Users\Admin\WindowsUpdate\svnhost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1368
        • C:\Users\Admin\WindowsUpdate\svnhost.exe
          C:\Users\Admin\WindowsUpdate\svnhost.exe -second
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:744
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4492

Network

  • DNS rutils.com (svnhost.exe)
    Remote address: 8.8.8.8:53
    Request: rutils.com IN A
    Response: rutils.com IN A 34.102.136.180
  • GET http://rutils.com/utils/inet_id_notify.php?test=1 (svnhost.exe)
    Remote address: 34.102.136.180:80
    Request
    GET /utils/inet_id_notify.php?test=1 HTTP/1.1
    Host: rutils.com
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: identity
    User-Agent: Mozilla/4.0 (compatible; RMS)
    Response
    HTTP/1.1 200 OK
    Server: openresty
    Date: Tue, 22 Nov 2022 19:10:41 GMT
    Content-Type: text/html
    Content-Length: 2551
    Last-Modified: Sat, 22 Oct 2022 15:35:03 GMT
    ETag: "63540da7-9f7"
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_YvEwr2RxNbhPgiHb+rEOiZlnmYg85N51ercGMjVFd2lS5sX1sT8VFGaZ73r2NiWSDjCL0vLChu7ACtI7qLr9Bg
    Set-Cookie: system=PW;Path=/;Max-Age=86400;
    Set-Cookie: caf_ipaddr=154.61.71.13;Path=/;Max-Age=86400;
    Set-Cookie: country=US;Path=/;Max-Age=86400;
    Set-Cookie: city="";Path=/;Max-Age=86400;
    Set-Cookie: traffic_target=gd;Path=/;Max-Age=86400;
    Accept-Ranges: bytes
    Via: 1.1 google
  • POST http://rutils.com/utils/inet_id_notify.php (svnhost.exe)
    Remote address: 34.102.136.180:80
    Request
    POST /utils/inet_id_notify.php HTTP/1.0
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=--------112222201034531
    Content-Length: 1015
    Host: rutils.com
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Charset: UTF-8
    Accept-Encoding: identity
    User-Agent: Mozilla/4.0 (compatible; RMS)
    Response
    HTTP/1.0 405 Not Allowed
    Server: openresty
    Date: Tue, 22 Nov 2022 19:10:41 GMT
    Content-Type: text/html
    Content-Length: 154
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_TtoJwHKuOObf1GdS+qSWPEPTcGN+uqa8af7FU/2FOJm8nJGJ5krtXx+X5Qx9oTtCnKkRquWEPIEQD4p75Sm8JQ
    Via: 1.1 google
    Connection: Keep-Alive
  • 67.26.109.254:80
    230 B
    200 B
    5
    5
  • 34.102.136.180:80
    http://rutils.com/utils/inet_id_notify.php?test=1
    http
    svnhost.exe
    486 B
    3.5kB
    6
    6

    HTTP Request

    GET http://rutils.com/utils/inet_id_notify.php?test=1

    HTTP Response

    200
  • 34.102.136.180:80
    http://rutils.com/utils/inet_id_notify.php
    http
    svnhost.exe
    1.7kB
    767 B
    7
    5

    HTTP Request

    POST http://rutils.com/utils/inet_id_notify.php

    HTTP Response

    405
  • 194.58.100.53:443
    https
    svnhost.exe
    4.5kB
    212 B
    7
    5
  • 20.189.173.13:443
    322 B
    7
  • 209.197.3.8:80
    322 B
    7
  • 209.197.3.8:80
    322 B
    7
  • 209.197.3.8:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 8.238.23.254:80
    322 B
    7
  • 8.238.23.254:80
    322 B
    7
  • 8.238.23.254:80
    322 B
    7
  • 194.58.100.53:443
    https
    svnhost.exe
    3.1kB
    292 B
    7
    7
  • 194.58.100.53:443
    https
    svnhost.exe
    3.1kB
    292 B
    7
    7
  • 8.8.8.8:53
    rutils.com
    dns
    svnhost.exe
    56 B
    72 B
    1
    1

    DNS Request

    rutils.com

    DNS Response

    34.102.136.180

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

    Filesize

    144KB

    MD5

    794b9c46edf14e255d2e5e40b351ed70

    SHA1

    5e80a8ed318b1c6b7faa0c0ab25a0d2a1db146d8

    SHA256

    d7612a721e42438071bf9adeda3a8d098f7e5e6952aa5a692df88035238f5284

    SHA512

    b0dc026f404bc7700fa5c3b7ca2aade91f9c9dd4dc3a6955d8a93c129995163710f73d4e4cd6825abf4531acd3b53f6358dc56d2b84f7965646a2c1f9893105f

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

    Filesize

    957KB

    MD5

    5a01089e2ead26a443bd91293f0bbf3c

    SHA1

    5ae736caec70187e328b8ea0c02991830e426527

    SHA256

    d08b94fa5b9794f8217a52236b0a510bec753f4b99a31be6718aea42bd877e54

    SHA512

    843cc40efd1a3087c6af9d0f079202cf2a6bf6adaa1c3593b62af863d70d53bc0809186ff3f01b21232c4e056f6307e12ccb7423b3c3751db509150b426d4413

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.dll

    Filesize

    3KB

    MD5

    2b48c32d510e84801be81fd80f41b222

    SHA1

    81db252a7755c8f3680722f7af194f009587c6f5

    SHA256

    f145719caf442d9ac21a881db71e7ce7913ae8d000ce88b93dd7123a6f46a448

    SHA512

    02c41fcf9811cbe30ab3475c44366b0ee18605fa856dde511b66be62cd973432115207df7ca6f207003a412ae08451707b4c43d90bc0e02b4731eb65b1eb0cff

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.bat

    Filesize

    1KB

    MD5

    2d75932c25700febaa54c29e2bc464e9

    SHA1

    d043f8453f1c44a45dc1f7ff3e7329a0791ffb31

    SHA256

    34d49cf979367440a9adcf358b11decbfdb9b01953f234903cda5535e59cc7ce

    SHA512

    11fd079edc682d05d133dedfd6a60a3dbd3f979f31a1ab8e76ba4933f917742dd5d27ea6b4b36a8791064b65a29e498e41478c6d8c0c23d0cee5b7a6812491ce

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.ini

    Filesize

    765B

    MD5

    769ef920da6c87f5ea394b23c3db4334

    SHA1

    2a9103a822d89210c7e304f56131f53c0f29a008

    SHA256

    5296fd6ac8f27feafffdb1946d0f3b9d1094b449279fc08417cd4327326fa175

    SHA512

    c7f3231a4b9ead1cc798088b3b1bdf3649b5c94fa358e4358ecf3513ef62160194a6047af2b24c5339e3c6a5e4e10e46674f8fc51fa8618b45eaa52bb0be4905

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\svnhost.exe

    Filesize

    5.7MB

    MD5

    9fe52c81b7688321ca8c481f3098c74d

    SHA1

    8db972be34a9203cbe8540567430dc5759995ef5

    SHA256

    6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

    SHA512

    a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

    Filesize

    409KB

    MD5

    1525887bc6978c0b54fec544877319e6

    SHA1

    7820fcd66e6fbf717d78a2a4df5b0367923dc431

    SHA256

    a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69

    SHA512

    56cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

    Filesize

    691KB

    MD5

    c8fd8c4bc131d59606b08920b2fda91c

    SHA1

    df777e7c6c1b3d84a8277e6a669e9a5f7c15896d

    SHA256

    6f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240

    SHA512

    2fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\winmm.dll

    Filesize

    104KB

    MD5

    289a39547b5ad28d27910eeb442a5200

    SHA1

    075c6ccec7731d5d9d4bb015bc627c0059351654

    SHA256

    359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f

    SHA512

    f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05

  • C:\Users\Admin\WindowsUpdate\RIPCServer.dll

    Filesize

    144KB

    MD5

    794b9c46edf14e255d2e5e40b351ed70

    SHA1

    5e80a8ed318b1c6b7faa0c0ab25a0d2a1db146d8

    SHA256

    d7612a721e42438071bf9adeda3a8d098f7e5e6952aa5a692df88035238f5284

    SHA512

    b0dc026f404bc7700fa5c3b7ca2aade91f9c9dd4dc3a6955d8a93c129995163710f73d4e4cd6825abf4531acd3b53f6358dc56d2b84f7965646a2c1f9893105f

  • C:\Users\Admin\WindowsUpdate\RWLN.dll

    Filesize

    957KB

    MD5

    5a01089e2ead26a443bd91293f0bbf3c

    SHA1

    5ae736caec70187e328b8ea0c02991830e426527

    SHA256

    d08b94fa5b9794f8217a52236b0a510bec753f4b99a31be6718aea42bd877e54

    SHA512

    843cc40efd1a3087c6af9d0f079202cf2a6bf6adaa1c3593b62af863d70d53bc0809186ff3f01b21232c4e056f6307e12ccb7423b3c3751db509150b426d4413

  • C:\Users\Admin\WindowsUpdate\config.dll

    Filesize

    3KB

    MD5

    2b48c32d510e84801be81fd80f41b222

    SHA1

    81db252a7755c8f3680722f7af194f009587c6f5

    SHA256

    f145719caf442d9ac21a881db71e7ce7913ae8d000ce88b93dd7123a6f46a448

    SHA512

    02c41fcf9811cbe30ab3475c44366b0ee18605fa856dde511b66be62cd973432115207df7ca6f207003a412ae08451707b4c43d90bc0e02b4731eb65b1eb0cff

  • C:\Users\Admin\WindowsUpdate\settings.ini

    Filesize

    765B

    MD5

    769ef920da6c87f5ea394b23c3db4334

    SHA1

    2a9103a822d89210c7e304f56131f53c0f29a008

    SHA256

    5296fd6ac8f27feafffdb1946d0f3b9d1094b449279fc08417cd4327326fa175

    SHA512

    c7f3231a4b9ead1cc798088b3b1bdf3649b5c94fa358e4358ecf3513ef62160194a6047af2b24c5339e3c6a5e4e10e46674f8fc51fa8618b45eaa52bb0be4905

  • C:\Users\Admin\WindowsUpdate\svnhost.exe

    Filesize

    5.7MB

    MD5

    9fe52c81b7688321ca8c481f3098c74d

    SHA1

    8db972be34a9203cbe8540567430dc5759995ef5

    SHA256

    6132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94

    SHA512

    a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074

  • C:\Users\Admin\WindowsUpdate\vp8decoder.dll

    Filesize

    409KB

    MD5

    1525887bc6978c0b54fec544877319e6

    SHA1

    7820fcd66e6fbf717d78a2a4df5b0367923dc431

    SHA256

    a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69

    SHA512

    56cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153

  • C:\Users\Admin\WindowsUpdate\vp8encoder.dll

    Filesize

    691KB

    MD5

    c8fd8c4bc131d59606b08920b2fda91c

    SHA1

    df777e7c6c1b3d84a8277e6a669e9a5f7c15896d

    SHA256

    6f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240

    SHA512

    2fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d

  • C:\Users\Admin\WindowsUpdate\winmm.dll

    Filesize

    104KB

    MD5

    289a39547b5ad28d27910eeb442a5200

    SHA1

    075c6ccec7731d5d9d4bb015bc627c0059351654

    SHA256

    359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f

    SHA512

    f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05
