Analysis
-
max time kernel
202s -
max time network
208s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2022 15:28
Static task
static1
Behavioral task
behavioral1
Sample
27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe
Resource
win7-20221111-en
General
-
Target
27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe
-
Size
4.3MB
-
MD5
410ae573482c963faa9489b22b27704e
-
SHA1
14a4b83b56bc5a5caeef26cfe0528177836b7f44
-
SHA256
27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c
-
SHA512
cd0f45fb6e154c3fb230ec7f56927eea7369091b97401d9fcc8fb948d627af5cf3afdbd43ea3dcc18344b1dc99b9f211156bf8b2fb18d5d32705e10090665f96
-
SSDEEP
98304:7JYNakukyg+fCpLG9fevK46z4hF42Xp+wsTWgIZY3THkxfqvcQ4R:7J+aHDnfCBsfewzcF42Xp+wZgIm3zkxl
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
rms.exepid process 3444 rms.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\rms.exe upx C:\Users\Admin\AppData\Local\Temp\rms.exe upx behavioral2/memory/3444-137-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral2/memory/3444-141-0x0000000000400000-0x00000000004C2000-memory.dmp upx -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exeWScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation 27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation WScript.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/3444-141-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe C:\Users\Admin\AppData\Local\Temp\svchosts.exe autoit_exe -
Drops file in System32 directory 17 IoCs
Processes:
rms.exedescription ioc process File opened for modification C:\Windows\SysWOW64\catroot3\dsfVorbisDecoder.dll rms.exe File created C:\Windows\SysWOW64\catroot3\msvcp90.dll rms.exe File created C:\Windows\SysWOW64\catroot3\RIPCServer.dll rms.exe File created C:\Windows\SysWOW64\catroot3\RWLN.dll rms.exe File created C:\Windows\SysWOW64\catroot3\set.reg rms.exe File created C:\Windows\SysWOW64\catroot3\vp8decoder.dll rms.exe File created C:\Windows\SysWOW64\catroot3\ID.txt rms.exe File created C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll rms.exe File created C:\Windows\SysWOW64\catroot3\Microsoft.VC90.CRT.manifest rms.exe File created C:\Windows\SysWOW64\catroot3\rfusclient.exe rms.exe File created C:\Windows\SysWOW64\catroot3\rutserv.exe rms.exe File opened for modification C:\Windows\SysWOW64\catroot3 rms.exe File created C:\Windows\SysWOW64\catroot3\gdiplus.dll rms.exe File created C:\Windows\SysWOW64\catroot3\msvcr90.dll rms.exe File created C:\Windows\SysWOW64\catroot3\vp8encoder.dll rms.exe File created C:\Windows\SysWOW64\catroot3\svchosts.exe rms.exe File created C:\Windows\SysWOW64\catroot3\dsfVorbisDecoder.dll rms.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 4152 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings 27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rms.exepid process 3444 rms.exe 3444 rms.exe 3444 rms.exe 3444 rms.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exeWScript.exerms.exenet.exedescription pid process target process PID 4936 wrote to memory of 4816 4936 27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe WScript.exe PID 4936 wrote to memory of 4816 4936 27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe WScript.exe PID 4936 wrote to memory of 4816 4936 27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe WScript.exe PID 4816 wrote to memory of 3444 4816 WScript.exe rms.exe PID 4816 wrote to memory of 3444 4816 WScript.exe rms.exe PID 4816 wrote to memory of 3444 4816 WScript.exe rms.exe PID 4936 wrote to memory of 4704 4936 27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe cmd.exe PID 4936 wrote to memory of 4704 4936 27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe cmd.exe PID 4936 wrote to memory of 4704 4936 27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe cmd.exe PID 3444 wrote to memory of 964 3444 rms.exe netsh.exe PID 3444 wrote to memory of 964 3444 rms.exe netsh.exe PID 3444 wrote to memory of 964 3444 rms.exe netsh.exe PID 3444 wrote to memory of 4152 3444 rms.exe sc.exe PID 3444 wrote to memory of 4152 3444 rms.exe sc.exe PID 3444 wrote to memory of 4152 3444 rms.exe sc.exe PID 3444 wrote to memory of 4756 3444 rms.exe net.exe PID 3444 wrote to memory of 4756 3444 rms.exe net.exe PID 3444 wrote to memory of 4756 3444 rms.exe net.exe PID 4756 wrote to memory of 4736 4756 net.exe net1.exe PID 4756 wrote to memory of 4736 4756 net.exe net1.exe PID 4756 wrote to memory of 4736 4756 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe"C:\Users\Admin\AppData\Local\Temp\27907cd6cc2a4da97ac2d0c2d15c4a847cd6b0087aa08356f700b5816dc61f3c.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rms.exe"C:\Users\Admin\AppData\Local\Temp\rms.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state off4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= disabled4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\net.exenet stop rserver34⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop rserver35⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmdFilesize
300B
MD5aed1825b3ba8f85100e8633a02f92ad9
SHA1d4bab4703835fcb2170eb0a487073ee13095b005
SHA256738579c1ad95ac7b8b3ce3b3430fbf7d0283520edb5c9f02acd0fabced12fbc6
SHA512dc6e791e45f192583e986bdd8b2eece3e7258a47e727f46e2d087265d71f7cc3cd8ac2177d217238d41301981a71185b1301b029ae16f7c3669b9f2e3091796b
-
C:\Users\Admin\AppData\Local\Temp\ID.txtFilesize
20B
MD51e2c5d5a907623946f0caedc47463a0e
SHA1bee0a11b1cf3f39cea6c47fdf200f7002c38e8b6
SHA256ebb51acca56a866bb61632169b78fb238adc708fec47a58b1c1ebcb3ef3be2e0
SHA5129efdefe9d8346c1ca80152558665f02a8d7cdefeb3c11b073f9283b7260349529c79d2e2ed056b8dff29565a43502f180bb797a5221c7d857658c890bb257d68
-
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC90.CRT.manifestFilesize
1KB
MD553213fc8c2cb0d6f77ca6cbd40fff22c
SHA1d8ba81ed6586825835b76e9d566077466ee41a85
SHA25603d0776812368478ce60e8160ec3c6938782db1832f5cb53b7842e5840f9dbc5
SHA512e3ced32a2eabfd0028ec16e62687573d86c0112b2b1d965f1f9d0bb5557cef5fdf5233e87fe73be621a52affe4ce53bedf958558aa899646fa390f4541cf11eb
-
C:\Users\Admin\AppData\Local\Temp\RIPCServer.dllFilesize
145KB
MD5501d1108baff017b9c7d7054995082e3
SHA1ce7408993f25d615785835067bfc7c6731cb7d85
SHA256be88c1319f8741842f3ce7b7606615efb96f0f46fad9321a2b995239ccf826e3
SHA5128dd404d56cf9285e32069c1b774a565269223d30089f0d5b3a100f316cdfd96ff7246d8cc1337dc74b9f970dddc9023fa21c7059185af972d3fcda2204c0a9f8
-
C:\Users\Admin\AppData\Local\Temp\RWLN.dllFilesize
359KB
MD56d692f1ae8653afb6e478427cacefe1e
SHA1de53d27feeedf1c08e0dc911905c57a383da2626
SHA256fe1aa78691da4a8a944ee9e922e49a1712d620fb728faab135dabe081c088834
SHA5120bbb21f5515eec44aea414d17123eb2275b78db788e927878652fe876bb17f706c395f6a20309c4c7aaef6bce9c280890bce38693a9a1858f7bac9665759af6b
-
C:\Users\Admin\AppData\Local\Temp\dsfVorbisDecoder.dllFilesize
234KB
MD58e3f59b8c9dfc933fca30edefeb76186
SHA137a78089d5936d1bc3b60915971604c611a94dbd
SHA256528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8
SHA5123224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d
-
C:\Users\Admin\AppData\Local\Temp\dsfVorbisEncoder.dllFilesize
1.6MB
MD5ff622a8812d8b1eff8f8d1a32087f9d2
SHA1910615c9374b8734794ac885707ff5370db42ef1
SHA2561b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf
SHA5121a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931
-
C:\Users\Admin\AppData\Local\Temp\gdiplus.dllFilesize
1.6MB
MD5871c903a90c45ca08a9d42803916c3f7
SHA1d962a12bc15bfb4c505bb63f603ca211588958db
SHA256f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645
SHA512985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145
-
C:\Users\Admin\AppData\Local\Temp\msvcp90.dllFilesize
556KB
MD5b2eee3dee31f50e082e9c720a6d7757d
SHA13322840fef43c92fb55dc31e682d19970daf159d
SHA2564608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01
SHA5128b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3
-
C:\Users\Admin\AppData\Local\Temp\msvcr90.dllFilesize
637KB
MD57538050656fe5d63cb4b80349dd1cfe3
SHA1f825c40fee87cc9952a61c8c34e9f6eee8da742d
SHA256e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099
SHA512843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8
-
C:\Users\Admin\AppData\Local\Temp\rfusclient.exeFilesize
3.9MB
MD56b00ef267e590b8aec937d4fbaa7c54b
SHA1238f121a3dba5d3a5492cda9010d3f4fb8419a04
SHA256ec893dc3e9f74479844b104fd403488abe224f4f0816f4ca2e57802814d5118a
SHA512bd747aadcc762c62db00d2304132e75f41fc4ec40a85f87b014a2b0fba2f11c3bc22abd10a24bbe73cfbad573431b3376ce1377966e39dbff2b482b7fe9f49ee
-
C:\Users\Admin\AppData\Local\Temp\rms.exeFilesize
361KB
MD547de6cbe483b94672ea76a4c0244e35c
SHA1b66b8380542801c0c13350ddb2f8d45ab18d1e0d
SHA256ad45e23138876ceb5ab5ffe86db4e2cc28974c20194e1f5457c12fc0a4cab4ad
SHA512e7c0af7d7b6c33abe0e9d6888b91428fecca1ef0a5656717c68c7550d5cca4e5220ceebee674f284d158eb6c83020cbec339dbbee980f5eb37fdad5910218dcb
-
C:\Users\Admin\AppData\Local\Temp\rms.exeFilesize
361KB
MD547de6cbe483b94672ea76a4c0244e35c
SHA1b66b8380542801c0c13350ddb2f8d45ab18d1e0d
SHA256ad45e23138876ceb5ab5ffe86db4e2cc28974c20194e1f5457c12fc0a4cab4ad
SHA512e7c0af7d7b6c33abe0e9d6888b91428fecca1ef0a5656717c68c7550d5cca4e5220ceebee674f284d158eb6c83020cbec339dbbee980f5eb37fdad5910218dcb
-
C:\Users\Admin\AppData\Local\Temp\rutserv.exeFilesize
5.1MB
MD5a9201bd8618bdc4795a95b1755fb93b6
SHA193eabe79096041e08ad0306a5edb9746bcc7ec50
SHA256923d484040afc3a0c733df39c09c34ff3d36c78d7d60440deb101ba54a05c0e8
SHA512f8b1aad039753df2b6633f7442e9f1311474b4078208b912cff92ab4eaef905af08c0ccfaa04beca3861144dfa87443bb078d476d3d858fa017965b189468a2b
-
C:\Users\Admin\AppData\Local\Temp\set.regFilesize
19KB
MD5fbeffad4e3342688d031a6da98ca018b
SHA15755e596ceab775fe89a739d9dab6de98caa80ed
SHA256e0f8e83303610d60e049ea0c2081461443d34ad69c9137a7e92d81b4b9bf616e
SHA512e67934a075cab2161437ef310bddec0f3addad68ece768082b76b2f898e29c54f58af894622761fc6322e165929b7de80b5499c07c79f3bc9805e7a49686a8ed
-
C:\Users\Admin\AppData\Local\Temp\stop.jsFilesize
211B
MD5fb5b62a32e853a51359fb598a4d5008f
SHA1f3cc4663189878044c956c1f84b9c32f3d29d2b2
SHA256b1b1b8f753e130e463f02527541389295f9b7d28c331085a2a03d83f8587550f
SHA5129304880a49bf479f8322f19089109b36cf1104fb0b581357560e3fe1c1f31ca379607797d7a757e1e85a9fbde40094b99b4a3c5830172998102d041435ccded8
-
C:\Users\Admin\AppData\Local\Temp\svchosts.exeFilesize
708KB
MD53b5e40b584904d9beebeea1e4a94ef7e
SHA188de849817a4b93b83ccb95a1f37f698cee197d9
SHA25673ce0e5045ba4b7bd2f7f2f5a1c3bb1dfd2a9a1c2c48d76dfc529d8a3e217f12
SHA5121125a94d2673105d40a45b0f8c6088bf8f9fff89cdf3d5231e73d1a15ece23bfd8e564fad63707bb4c3a559310666aedf784d78418be27953b22296d89a5faa5
-
C:\Users\Admin\AppData\Local\Temp\vp8decoder.dllFilesize
403KB
MD56f6bfe02e84a595a56b456f72debd4ee
SHA190bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2
SHA2565e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51
SHA512ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50
-
C:\Users\Admin\AppData\Local\Temp\vp8encoder.dllFilesize
685KB
MD5c638bca1a67911af7f9ed67e7b501154
SHA10fd74d2f1bd78f678b897a776d8bce36742c39b7
SHA256519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8
SHA512ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f
-
memory/964-139-0x0000000000000000-mapping.dmp
-
memory/3444-141-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/3444-137-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/3444-135-0x0000000000000000-mapping.dmp
-
memory/4152-142-0x0000000000000000-mapping.dmp
-
memory/4704-138-0x0000000000000000-mapping.dmp
-
memory/4736-159-0x0000000000000000-mapping.dmp
-
memory/4756-158-0x0000000000000000-mapping.dmp
-
memory/4816-132-0x0000000000000000-mapping.dmp