Analysis
-
max time kernel
163s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
22/11/2022, 19:10 UTC
General
-
Target
283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512.exe
-
Size
2.3MB
-
MD5
51b63624539d377d79a619208b2cc795
-
SHA1
15da4757cf87574eee4fb4538bed3639f83f9ddb
-
SHA256
283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512
-
SHA512
83115bb2a56e85b59cce5c8bd346667efe8416f959e751c959b1802a48e3c53f8e4c5f057b2f86a9a9563f5e6f85429fd82651b1dc66c433565b99cc25c43a4e
-
SSDEEP
49152:WlmMc8EjGCbKeaoK94jmPBLeL7gBfi/4gXkc/hbHorCUm0fN:Wlm382GCbKeWyjUBLL2dT/xoWUT
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 3 IoCs
-
Modifies data under HKEY_USERS 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512.exe"C:\Users\Admin\AppData\Local\Temp\283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im anvir.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\WindowsUpdate"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Users\Admin\WindowsUpdate\svnhost.exe"C:\Users\Admin\WindowsUpdate\svnhost.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WindowsUpdate\svnhost.exeC:\Users\Admin\WindowsUpdate\svnhost.exe -second4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
-
DNSrutils.comRemote address:8.8.8.8:53Requestrutils.comIN AResponserutils.comIN A34.102.136.180 -
GEThttp://rutils.com/utils/inet_id_notify.php?test=1Remote address:34.102.136.180:80RequestGET /utils/inet_id_notify.php?test=1 HTTP/1.1
Host: rutils.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; RMS)
ResponseHTTP/1.1 200 OK
Server: openresty
Date: Tue, 22 Nov 2022 19:10:41 GMT
Content-Type: text/html
Content-Length: 2551
Last-Modified: Sat, 22 Oct 2022 15:35:03 GMT
ETag: "63540da7-9f7"
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_YvEwr2RxNbhPgiHb+rEOiZlnmYg85N51ercGMjVFd2lS5sX1sT8VFGaZ73r2NiWSDjCL0vLChu7ACtI7qLr9Bg
Set-Cookie: system=PW;Path=/;Max-Age=86400;
Set-Cookie: caf_ipaddr=154.61.71.13;Path=/;Max-Age=86400;
Set-Cookie: country=US;Path=/;Max-Age=86400;
Set-Cookie: city="";Path=/;Max-Age=86400;
Set-Cookie: traffic_target=gd;Path=/;Max-Age=86400;
Accept-Ranges: bytes
Via: 1.1 google
-
POSThttp://rutils.com/utils/inet_id_notify.phpRemote address:34.102.136.180:80RequestPOST /utils/inet_id_notify.php HTTP/1.0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=--------112222201034531
Content-Length: 1015
Host: rutils.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: UTF-8
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; RMS)
ResponseHTTP/1.0 405 Not Allowed
Server: openresty
Date: Tue, 22 Nov 2022 19:10:41 GMT
Content-Type: text/html
Content-Length: 154
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_TtoJwHKuOObf1GdS+qSWPEPTcGN+uqa8af7FU/2FOJm8nJGJ5krtXx+X5Qx9oTtCnKkRquWEPIEQD4p75Sm8JQ
Via: 1.1 google
Connection: Keep-Alive
-
67.26.109.254:80
-
34.102.136.180:80http://rutils.com/utils/inet_id_notify.php?test=1http
HTTP Request
GET http://rutils.com/utils/inet_id_notify.php?test=1HTTP Response
200 -
34.102.136.180:80http://rutils.com/utils/inet_id_notify.phphttp
HTTP Request
POST http://rutils.com/utils/inet_id_notify.phpHTTP Response
405 -
194.58.100.53:443https
-
20.189.173.13:443
-
209.197.3.8:80
-
209.197.3.8:80
-
209.197.3.8:80
-
104.80.225.205:443
-
8.238.23.254:80
-
8.238.23.254:80
-
8.238.23.254:80
-
194.58.100.53:443https
-
194.58.100.53:443https
-
8.8.8.8:53rutils.comdns
DNS Request
rutils.com
DNS Response
34.102.136.180
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144KB
MD5794b9c46edf14e255d2e5e40b351ed70
SHA15e80a8ed318b1c6b7faa0c0ab25a0d2a1db146d8
SHA256d7612a721e42438071bf9adeda3a8d098f7e5e6952aa5a692df88035238f5284
SHA512b0dc026f404bc7700fa5c3b7ca2aade91f9c9dd4dc3a6955d8a93c129995163710f73d4e4cd6825abf4531acd3b53f6358dc56d2b84f7965646a2c1f9893105f
-
Filesize
957KB
MD55a01089e2ead26a443bd91293f0bbf3c
SHA15ae736caec70187e328b8ea0c02991830e426527
SHA256d08b94fa5b9794f8217a52236b0a510bec753f4b99a31be6718aea42bd877e54
SHA512843cc40efd1a3087c6af9d0f079202cf2a6bf6adaa1c3593b62af863d70d53bc0809186ff3f01b21232c4e056f6307e12ccb7423b3c3751db509150b426d4413
-
Filesize
3KB
MD52b48c32d510e84801be81fd80f41b222
SHA181db252a7755c8f3680722f7af194f009587c6f5
SHA256f145719caf442d9ac21a881db71e7ce7913ae8d000ce88b93dd7123a6f46a448
SHA51202c41fcf9811cbe30ab3475c44366b0ee18605fa856dde511b66be62cd973432115207df7ca6f207003a412ae08451707b4c43d90bc0e02b4731eb65b1eb0cff
-
Filesize
1KB
MD52d75932c25700febaa54c29e2bc464e9
SHA1d043f8453f1c44a45dc1f7ff3e7329a0791ffb31
SHA25634d49cf979367440a9adcf358b11decbfdb9b01953f234903cda5535e59cc7ce
SHA51211fd079edc682d05d133dedfd6a60a3dbd3f979f31a1ab8e76ba4933f917742dd5d27ea6b4b36a8791064b65a29e498e41478c6d8c0c23d0cee5b7a6812491ce
-
Filesize
765B
MD5769ef920da6c87f5ea394b23c3db4334
SHA12a9103a822d89210c7e304f56131f53c0f29a008
SHA2565296fd6ac8f27feafffdb1946d0f3b9d1094b449279fc08417cd4327326fa175
SHA512c7f3231a4b9ead1cc798088b3b1bdf3649b5c94fa358e4358ecf3513ef62160194a6047af2b24c5339e3c6a5e4e10e46674f8fc51fa8618b45eaa52bb0be4905
-
Filesize
5.7MB
MD59fe52c81b7688321ca8c481f3098c74d
SHA18db972be34a9203cbe8540567430dc5759995ef5
SHA2566132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94
SHA512a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074
-
Filesize
409KB
MD51525887bc6978c0b54fec544877319e6
SHA17820fcd66e6fbf717d78a2a4df5b0367923dc431
SHA256a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69
SHA51256cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153
-
Filesize
691KB
MD5c8fd8c4bc131d59606b08920b2fda91c
SHA1df777e7c6c1b3d84a8277e6a669e9a5f7c15896d
SHA2566f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240
SHA5122fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d
-
Filesize
104KB
MD5289a39547b5ad28d27910eeb442a5200
SHA1075c6ccec7731d5d9d4bb015bc627c0059351654
SHA256359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f
SHA512f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05
-
Filesize
144KB
MD5794b9c46edf14e255d2e5e40b351ed70
SHA15e80a8ed318b1c6b7faa0c0ab25a0d2a1db146d8
SHA256d7612a721e42438071bf9adeda3a8d098f7e5e6952aa5a692df88035238f5284
SHA512b0dc026f404bc7700fa5c3b7ca2aade91f9c9dd4dc3a6955d8a93c129995163710f73d4e4cd6825abf4531acd3b53f6358dc56d2b84f7965646a2c1f9893105f
-
Filesize
957KB
MD55a01089e2ead26a443bd91293f0bbf3c
SHA15ae736caec70187e328b8ea0c02991830e426527
SHA256d08b94fa5b9794f8217a52236b0a510bec753f4b99a31be6718aea42bd877e54
SHA512843cc40efd1a3087c6af9d0f079202cf2a6bf6adaa1c3593b62af863d70d53bc0809186ff3f01b21232c4e056f6307e12ccb7423b3c3751db509150b426d4413
-
Filesize
3KB
MD52b48c32d510e84801be81fd80f41b222
SHA181db252a7755c8f3680722f7af194f009587c6f5
SHA256f145719caf442d9ac21a881db71e7ce7913ae8d000ce88b93dd7123a6f46a448
SHA51202c41fcf9811cbe30ab3475c44366b0ee18605fa856dde511b66be62cd973432115207df7ca6f207003a412ae08451707b4c43d90bc0e02b4731eb65b1eb0cff
-
Filesize
765B
MD5769ef920da6c87f5ea394b23c3db4334
SHA12a9103a822d89210c7e304f56131f53c0f29a008
SHA2565296fd6ac8f27feafffdb1946d0f3b9d1094b449279fc08417cd4327326fa175
SHA512c7f3231a4b9ead1cc798088b3b1bdf3649b5c94fa358e4358ecf3513ef62160194a6047af2b24c5339e3c6a5e4e10e46674f8fc51fa8618b45eaa52bb0be4905
-
Filesize
5.7MB
MD59fe52c81b7688321ca8c481f3098c74d
SHA18db972be34a9203cbe8540567430dc5759995ef5
SHA2566132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94
SHA512a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074
-
Filesize
5.7MB
MD59fe52c81b7688321ca8c481f3098c74d
SHA18db972be34a9203cbe8540567430dc5759995ef5
SHA2566132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94
SHA512a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074
-
Filesize
5.7MB
MD59fe52c81b7688321ca8c481f3098c74d
SHA18db972be34a9203cbe8540567430dc5759995ef5
SHA2566132c9e667923ce1cabb3293b1f3be77d70fb1681bf2d3fb173a93f89eecdd94
SHA512a90c7b64fed2a5a53c03846e18ab8d6209ced08c77ec858454f93e65b3284d069f0559987fcf567b1c4fa5b0f8bd1812e4bb4c7c8200a7470c8f85d588e96074
-
Filesize
409KB
MD51525887bc6978c0b54fec544877319e6
SHA17820fcd66e6fbf717d78a2a4df5b0367923dc431
SHA256a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69
SHA51256cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153
-
Filesize
691KB
MD5c8fd8c4bc131d59606b08920b2fda91c
SHA1df777e7c6c1b3d84a8277e6a669e9a5f7c15896d
SHA2566f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240
SHA5122fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d
-
Filesize
104KB
MD5289a39547b5ad28d27910eeb442a5200
SHA1075c6ccec7731d5d9d4bb015bc627c0059351654
SHA256359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f
SHA512f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05
-
Filesize
104KB
MD5289a39547b5ad28d27910eeb442a5200
SHA1075c6ccec7731d5d9d4bb015bc627c0059351654
SHA256359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f
SHA512f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05
-
Filesize
104KB
MD5289a39547b5ad28d27910eeb442a5200
SHA1075c6ccec7731d5d9d4bb015bc627c0059351654
SHA256359832f19484c0dafa3975b9bd933149bdddd6239df1c2abaf24e90961dc5d5f
SHA512f183d9223b4492828665f99d018981cacef0c7ee73918354e192a1ce2e691ced90de9699bf8b8fd327794a30b07c9c6040a4f548694a6e01857c64736ca89f05