27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c

Analysis

max time kernel
202s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe
Size

4.3MB
MD5

410ae573482c963faa9489b22b27704e
SHA1

14a4b83b56bc5a5caeef26cfe0528177836b7f44
SHA256

27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c
SHA512

cd0f45fb6e154c3fb230ec7f56927eea7369091b97401d9fcc8fb948d627af5cf3afdbd43ea3dcc18344b1dc99b9f211156bf8b2fb18d5d32705e10090665f96
SSDEEP

98304:7JYNakukyg+fCpLG9fevK46z4hF42Xp+wsTWgIZY3THkxfqvcQ4R:7J+aHDnfCBsfewzcF42Xp+wZgIm3zkxl

Score

8^/10

evasion upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rms.exe

pid process

3444 rms.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

964 netsh.exe

pid	process
3444	rms.exe

pid	process
964	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rms.exe	upx
C:\Users\Admin\AppData\Local\Temp\rms.exe	upx
behavioral2/memory/3444-137-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3444-141-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/3444-141-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\svchosts.exe	autoit_exe

Drops file in System32 directory 17 IoCs

Processes:

rms.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\catroot3\dsfVorbisDecoder.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\msvcp90.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\RIPCServer.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\RWLN.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\set.reg	rms.exe
File created	C:\Windows\SysWOW64\catroot3\vp8decoder.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\ID.txt	rms.exe
File created	C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\Microsoft.VC90.CRT.manifest	rms.exe
File created	C:\Windows\SysWOW64\catroot3\rfusclient.exe	rms.exe
File created	C:\Windows\SysWOW64\catroot3\rutserv.exe	rms.exe
File opened for modification	C:\Windows\SysWOW64\catroot3	rms.exe
File created	C:\Windows\SysWOW64\catroot3\gdiplus.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\msvcr90.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\vp8encoder.dll	rms.exe
File created	C:\Windows\SysWOW64\catroot3\svchosts.exe	rms.exe
File created	C:\Windows\SysWOW64\catroot3\dsfVorbisDecoder.dll	rms.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4152 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4152	sc.exe

Modifies registry class 1 IoCs

Processes:

27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rms.exe

pid process

3444 rms.exe
3444 rms.exe
3444 rms.exe
3444 rms.exe

pid	process
3444	rms.exe
3444	rms.exe
3444	rms.exe
3444	rms.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exeWScript.exerms.exenet.exe

description	pid	process	target process
PID 4936 wrote to memory of 4816	4936	27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe	WScript.exe
PID 4936 wrote to memory of 4816	4936	27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe	WScript.exe
PID 4936 wrote to memory of 4816	4936	27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe	WScript.exe
PID 4816 wrote to memory of 3444	4816	WScript.exe	rms.exe
PID 4816 wrote to memory of 3444	4816	WScript.exe	rms.exe
PID 4816 wrote to memory of 3444	4816	WScript.exe	rms.exe
PID 4936 wrote to memory of 4704	4936	27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe	cmd.exe
PID 4936 wrote to memory of 4704	4936	27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe	cmd.exe
PID 4936 wrote to memory of 4704	4936	27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe	cmd.exe
PID 3444 wrote to memory of 964	3444	rms.exe	netsh.exe
PID 3444 wrote to memory of 964	3444	rms.exe	netsh.exe
PID 3444 wrote to memory of 964	3444	rms.exe	netsh.exe
PID 3444 wrote to memory of 4152	3444	rms.exe	sc.exe
PID 3444 wrote to memory of 4152	3444	rms.exe	sc.exe
PID 3444 wrote to memory of 4152	3444	rms.exe	sc.exe
PID 3444 wrote to memory of 4756	3444	rms.exe	net.exe
PID 3444 wrote to memory of 4756	3444	rms.exe	net.exe
PID 3444 wrote to memory of 4756	3444	rms.exe	net.exe
PID 4756 wrote to memory of 4736	4756	net.exe	net1.exe
PID 4756 wrote to memory of 4736	4756	net.exe	net1.exe
PID 4756 wrote to memory of 4736	4756	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe
"C:\Users\Admin\AppData\Local\Temp\27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Local\Temp\rms.exe
"C:\Users\Admin\AppData\Local\Temp\rms.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
4⤵
- Modifies Windows Firewall
PID:964

C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= disabled
4⤵
- Launches sc.exe
PID:4152

C:\Windows\SysWOW64\net.exe
net stop rserver3
4⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop rserver3
5⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
PID:4704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
300B

MD5
aed1825b3ba8f85100e8633a02f92ad9

SHA1
d4bab4703835fcb2170eb0a487073ee13095b005

SHA256
738579c1ad95ac7b8b3ce3b3430fbf7d0283520edb5c9f02acd0fabced12fbc6

SHA512
dc6e791e45f192583e986bdd8b2eece3e7258a47e727f46e2d087265d71f7cc3cd8ac2177d217238d41301981a71185b1301b029ae16f7c3669b9f2e3091796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ID.txt
Filesize
20B

MD5
1e2c5d5a907623946f0caedc47463a0e

SHA1
bee0a11b1cf3f39cea6c47fdf200f7002c38e8b6

SHA256
ebb51acca56a866bb61632169b78fb238adc708fec47a58b1c1ebcb3ef3be2e0

SHA512
9efdefe9d8346c1ca80152558665f02a8d7cdefeb3c11b073f9283b7260349529c79d2e2ed056b8dff29565a43502f180bb797a5221c7d857658c890bb257d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC90.CRT.manifest
Filesize
1KB

MD5
53213fc8c2cb0d6f77ca6cbd40fff22c

SHA1
d8ba81ed6586825835b76e9d566077466ee41a85

SHA256
03d0776812368478ce60e8160ec3c6938782db1832f5cb53b7842e5840f9dbc5

SHA512
e3ced32a2eabfd0028ec16e62687573d86c0112b2b1d965f1f9d0bb5557cef5fdf5233e87fe73be621a52affe4ce53bedf958558aa899646fa390f4541cf11eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIPCServer.dll
Filesize
145KB

MD5
501d1108baff017b9c7d7054995082e3

SHA1
ce7408993f25d615785835067bfc7c6731cb7d85

SHA256
be88c1319f8741842f3ce7b7606615efb96f0f46fad9321a2b995239ccf826e3

SHA512
8dd404d56cf9285e32069c1b774a565269223d30089f0d5b3a100f316cdfd96ff7246d8cc1337dc74b9f970dddc9023fa21c7059185af972d3fcda2204c0a9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWLN.dll
Filesize
359KB

MD5
6d692f1ae8653afb6e478427cacefe1e

SHA1
de53d27feeedf1c08e0dc911905c57a383da2626

SHA256
fe1aa78691da4a8a944ee9e922e49a1712d620fb728faab135dabe081c088834

SHA512
0bbb21f5515eec44aea414d17123eb2275b78db788e927878652fe876bb17f706c395f6a20309c4c7aaef6bce9c280890bce38693a9a1858f7bac9665759af6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfVorbisDecoder.dll
Filesize
234KB

MD5
8e3f59b8c9dfc933fca30edefeb76186

SHA1
37a78089d5936d1bc3b60915971604c611a94dbd

SHA256
528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

SHA512
3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfVorbisEncoder.dll
Filesize
1.6MB

MD5
ff622a8812d8b1eff8f8d1a32087f9d2

SHA1
910615c9374b8734794ac885707ff5370db42ef1

SHA256
1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

SHA512
1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiplus.dll
Filesize
1.6MB

MD5
871c903a90c45ca08a9d42803916c3f7

SHA1
d962a12bc15bfb4c505bb63f603ca211588958db

SHA256
f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645

SHA512
985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp90.dll
Filesize
556KB

MD5
b2eee3dee31f50e082e9c720a6d7757d

SHA1
3322840fef43c92fb55dc31e682d19970daf159d

SHA256
4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01

SHA512
8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcr90.dll
Filesize
637KB

MD5
7538050656fe5d63cb4b80349dd1cfe3

SHA1
f825c40fee87cc9952a61c8c34e9f6eee8da742d

SHA256
e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099

SHA512
843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
3.9MB

MD5
6b00ef267e590b8aec937d4fbaa7c54b

SHA1
238f121a3dba5d3a5492cda9010d3f4fb8419a04

SHA256
ec893dc3e9f74479844b104fd403488abe224f4f0816f4ca2e57802814d5118a

SHA512
bd747aadcc762c62db00d2304132e75f41fc4ec40a85f87b014a2b0fba2f11c3bc22abd10a24bbe73cfbad573431b3376ce1377966e39dbff2b482b7fe9f49ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\rms.exe
Filesize
361KB

MD5
47de6cbe483b94672ea76a4c0244e35c

SHA1
b66b8380542801c0c13350ddb2f8d45ab18d1e0d

SHA256
ad45e23138876ceb5ab5ffe86db4e2cc28974c20194e1f5457c12fc0a4cab4ad

SHA512
e7c0af7d7b6c33abe0e9d6888b91428fecca1ef0a5656717c68c7550d5cca4e5220ceebee674f284d158eb6c83020cbec339dbbee980f5eb37fdad5910218dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rms.exe
Filesize
361KB

MD5
47de6cbe483b94672ea76a4c0244e35c

SHA1
b66b8380542801c0c13350ddb2f8d45ab18d1e0d

SHA256
ad45e23138876ceb5ab5ffe86db4e2cc28974c20194e1f5457c12fc0a4cab4ad

SHA512
e7c0af7d7b6c33abe0e9d6888b91428fecca1ef0a5656717c68c7550d5cca4e5220ceebee674f284d158eb6c83020cbec339dbbee980f5eb37fdad5910218dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
5.1MB

MD5
a9201bd8618bdc4795a95b1755fb93b6

SHA1
93eabe79096041e08ad0306a5edb9746bcc7ec50

SHA256
923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8

SHA512
f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\set.reg
Filesize
19KB

MD5
fbeffad4e3342688d031a6da98ca018b

SHA1
5755e596ceab775fe89a739d9dab6de98caa80ed

SHA256
e0f8e83303610d60e049ea0c2081461443d34ad69c9137a7e92d81b4b9bf616e

SHA512
e67934a075cab2161437ef310bddec0f3addad68ece768082b76b2f898e29c54f58af894622761fc6322e165929b7de80b5499c07c79f3bc9805e7a49686a8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\stop.js
Filesize
211B

MD5
fb5b62a32e853a51359fb598a4d5008f

SHA1
f3cc4663189878044c956c1f84b9c32f3d29d2b2

SHA256
b1b1b8f753e130e463f02527541389295f9b7d28c331085a2a03d83f8587550f

SHA512
9304880a49bf479f8322f19089109b36cf1104fb0b581357560e3fe1c1f31ca379607797d7a757e1e85a9fbde40094b99b4a3c5830172998102d041435ccded8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosts.exe
Filesize
708KB

MD5
3b5e40b584904d9beebeea1e4a94ef7e

SHA1
88de849817a4b93b83ccb95a1f37f698cee197d9

SHA256
73ce0e5045ba4b7bd2f7f2f5a1c3bb1dfd2a9a1c2c48d76dfc529d8a3e217f12

SHA512
1125a94d2673105d40a45b0f8c6088bf8f9fff89cdf3d5231e73d1a15ece23bfd8e564fad63707bb4c3a559310666aedf784d78418be27953b22296d89a5faa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8decoder.dll
Filesize
403KB

MD5
6f6bfe02e84a595a56b456f72debd4ee

SHA1
90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2

SHA256
5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51

SHA512
ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8encoder.dll
Filesize
685KB

MD5
c638bca1a67911af7f9ed67e7b501154

SHA1
0fd74d2f1bd78f678b897a776d8bce36742c39b7

SHA256
519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8

SHA512
ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

Download Submit
memory/964-139-0x0000000000000000-mapping.dmp

Download
memory/3444-141-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3444-137-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3444-135-0x0000000000000000-mapping.dmp

Download
memory/4152-142-0x0000000000000000-mapping.dmp

Download
memory/4704-138-0x0000000000000000-mapping.dmp

Download
memory/4736-159-0x0000000000000000-mapping.dmp

Download
memory/4756-158-0x0000000000000000-mapping.dmp

Download
memory/4816-132-0x0000000000000000-mapping.dmp

Download