rms | 83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe
Size

3.5MB
MD5

8f67199f264b4b15551a67932f46e63e
SHA1

3ec6a7e99997c2dae412db35e0ba0347cb307cac
SHA256

83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b
SHA512

4204b3aff9b6f229717fea16eafa9e6e0337212dc6ccf2496258e5b3fd7951eeb0a4f17d9fde9c31d5241bf62fef949c4ff9f9a99a1ec3c31dee09ac23147503
SSDEEP

49152:QAJYJJkoiDGevfebtMDlHD3AHBMpmwpe36KUBDHpuLsH/zMLKx0CmsjJGXpZeoiu:7JYJAfvmZMFuMjgduDHcm4LHCMXpmiz

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 7 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid process

3424 rutserv.exe
3812 rutserv.exe
4840 rutserv.exe
1256 rutserv.exe
4036 rfusclient.exe
4888 rfusclient.exe
2556 rfusclient.exe
Modifies Windows Firewall 1 TTPs 8 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

3636 netsh.exe
2776 netsh.exe
3648 netsh.exe
4588 netsh.exe
3096 netsh.exe
4392 netsh.exe
4168 netsh.exe
3864 netsh.exe
Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

5072 attrib.exe
4712 attrib.exe
4648 attrib.exe
4776 attrib.exe

pid	process
3424	rutserv.exe
3812	rutserv.exe
4840	rutserv.exe
1256	rutserv.exe
4036	rfusclient.exe
4888	rfusclient.exe
2556	rfusclient.exe

pid	process
3636	netsh.exe
2776	netsh.exe
3648	netsh.exe
4588	netsh.exe
3096	netsh.exe
4392	netsh.exe
4168	netsh.exe
3864	netsh.exe

pid	process
5072	attrib.exe
4712	attrib.exe
4648	attrib.exe
4776	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 20 IoCs

Processes:

rutserv.execmd.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\catroot3\HookDrv.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\RIPCServer.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\rutserv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\set.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de.exe	attrib.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\de.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\rfusclient.exe	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\rutserv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\RWLN.dll	cmd.exe
File created	C:\Windows\SysWOW64\de.exe	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3\HookDrv.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\RWLN.dll	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\set.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64\catroot3	attrib.exe
File created	C:\Windows\SysWOW64\catroot3\rfusclient.exe	cmd.exe
File created	C:\Windows\SysWOW64\catroot3\RIPCServer.dll	cmd.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5008 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4196 taskkill.exe
8 taskkill.exe
1696 taskkill.exe
2436 taskkill.exe
3444 taskkill.exe

pid	process
5008	sc.exe

pid	process
4196	taskkill.exe
8	taskkill.exe
1696	taskkill.exe
2436	taskkill.exe
3444	taskkill.exe

Modifies registry class 1 IoCs

Processes:

83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

4296 reg.exe
1952 reg.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

536 regedit.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rutserv.exerfusclient.exe

pid process

1256 rutserv.exe
1256 rutserv.exe
1256 rutserv.exe
1256 rutserv.exe
4888 rfusclient.exe
4888 rfusclient.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

2556 rfusclient.exe

pid	process
4296	reg.exe
1952	reg.exe

pid	process
536	regedit.exe

pid	process
1256	rutserv.exe
1256	rutserv.exe
1256	rutserv.exe
1256	rutserv.exe
4888	rfusclient.exe
4888	rfusclient.exe

pid	process
2556	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exerutserv.exerutserv.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeDebugPrivilege	8	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	3444	taskkill.exe
Token: SeDebugPrivilege	3424	rutserv.exe
Token: SeDebugPrivilege	4840	rutserv.exe
Token: SeTakeOwnershipPrivilege	1256	rutserv.exe
Token: SeTcbPrivilege	1256	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exeWScript.execmd.exenet.exe

description	pid	process	target process
PID 2820 wrote to memory of 920	2820	83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe	WScript.exe
PID 2820 wrote to memory of 920	2820	83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe	WScript.exe
PID 2820 wrote to memory of 920	2820	83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe	WScript.exe
PID 920 wrote to memory of 2640	920	WScript.exe	cmd.exe
PID 920 wrote to memory of 2640	920	WScript.exe	cmd.exe
PID 920 wrote to memory of 2640	920	WScript.exe	cmd.exe
PID 2820 wrote to memory of 4944	2820	83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe	cmd.exe
PID 2820 wrote to memory of 4944	2820	83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe	cmd.exe
PID 2820 wrote to memory of 4944	2820	83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe	cmd.exe
PID 2640 wrote to memory of 4196	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 4196	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 4196	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 8	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 8	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 8	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 532	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 532	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 532	2640	cmd.exe	reg.exe
PID 2640 wrote to memory of 4776	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4776	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4776	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 5072	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 5072	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 5072	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4712	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4712	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4712	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4648	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4648	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4648	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4624	2640	cmd.exe	net.exe
PID 2640 wrote to memory of 4624	2640	cmd.exe	net.exe
PID 2640 wrote to memory of 4624	2640	cmd.exe	net.exe
PID 4624 wrote to memory of 2208	4624	net.exe	net1.exe
PID 4624 wrote to memory of 2208	4624	net.exe	net1.exe
PID 4624 wrote to memory of 2208	4624	net.exe	net1.exe
PID 2640 wrote to memory of 1696	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 1696	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 1696	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 2436	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 2436	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 2436	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 3444	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 3444	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 3444	2640	cmd.exe	taskkill.exe
PID 2640 wrote to memory of 428	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 428	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 428	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 1664	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 1664	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 1664	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4080	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4080	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 4080	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 3384	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 3384	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 3384	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 3284	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 3284	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 3284	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 368	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 368	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 368	2640	cmd.exe	attrib.exe
PID 2640 wrote to memory of 5064	2640	cmd.exe	net.exe

Views/modifies file attributes 1 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
4776	attrib.exe
4648	attrib.exe
4080	attrib.exe
368	attrib.exe
388	attrib.exe
1252	attrib.exe
5072	attrib.exe
4712	attrib.exe
428	attrib.exe
1664	attrib.exe
3384	attrib.exe
3284	attrib.exe

C:\Users\Admin\AppData\Local\Temp\83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe
"C:\Users\Admin\AppData\Local\Temp\83ade247633d89edd7c003a5e977da5e6dbdce41ab1de3a688d167ce51e2501b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im RManServer.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
4⤵
PID:532

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\System32\catroot3"
4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4776

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\stop.js"
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5072

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\install.bat"
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4712

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Windows\System32\de.exe"
4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4648

C:\Windows\SysWOW64\net.exe
net stop rserver3
4⤵
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop rserver3
5⤵
PID:2208

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rserver3.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im r_server.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im cam_server.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Windows\system32\cam_server.exe"
4⤵
- Views/modifies file attributes
PID:428

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Windows\SysWOW64\cam_server.exe"
4⤵
- Views/modifies file attributes
PID:1664

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Windows\system32\rserver30"
4⤵
- Views/modifies file attributes
PID:4080

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Windows\SysWOW64\rserver30"
4⤵
- Views/modifies file attributes
PID:3384

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Windows\system32\r_server.exe"
4⤵
- Views/modifies file attributes
PID:3284

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Windows\SysWOW64\r_server.exe"
4⤵
- Views/modifies file attributes
PID:368

C:\Windows\SysWOW64\net.exe
net stop Telnet
4⤵
PID:5064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Telnet
5⤵
PID:2312

C:\Windows\SysWOW64\sc.exe
sc config tlntsvr start= disabled
4⤵
- Launches sc.exe
PID:5008

C:\Windows\SysWOW64\net.exe
net stop "Service Host Controller"
4⤵
PID:1516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Service Host Controller"
5⤵
PID:1876

C:\Windows\SysWOW64\net.exe
net user HelpAssistant /delete
4⤵
PID:212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user HelpAssistant /delete
5⤵
PID:1536

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn security /f
4⤵
PID:1744

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="RealIP"
4⤵
- Modifies Windows Firewall
PID:4392

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="Microsoft Outlook Express"
4⤵
- Modifies Windows Firewall
PID:4168

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="Service Host Controller"
4⤵
- Modifies Windows Firewall
PID:3864

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"
4⤵
- Modifies Windows Firewall
PID:3636

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"
4⤵
- Modifies Windows Firewall
PID:2776

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete portopening tcp 57009
4⤵
- Modifies Windows Firewall
PID:3648

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="cam_server"
4⤵
- Modifies Windows Firewall
PID:4588

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete portopening tcp 57011 all
4⤵
- Modifies Windows Firewall
PID:3096

C:\Windows\SysWOW64\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαáµ¿«¡¡á∩ ß¿ßΓÑ¼á Microsoft Windows" /f
4⤵
- Modifies registry key
PID:4296

C:\Windows\SysWOW64\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f
4⤵
- Modifies registry key
PID:1952

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f
4⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f
4⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f
4⤵
PID:4400

C:\Windows\SysWOW64\catroot3\rutserv.exe
"rutserv.exe" /silentinstall
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\SysWOW64\catroot3\rutserv.exe
"rutserv.exe" /firewall
4⤵
- Executes dropped EXE
PID:3812

C:\Windows\SysWOW64\regedit.exe
regedit /s set.reg
4⤵
- Runs .reg file with regedit
PID:536

C:\Windows\SysWOW64\catroot3\rutserv.exe
"rutserv.exe" /start
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\stop.js"
4⤵
- Views/modifies file attributes
PID:1252

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\install.bat"
4⤵
- Views/modifies file attributes
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
PID:4944

C:\Windows\SysWOW64\catroot3\rutserv.exe
C:\Windows\SysWOW64\catroot3\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\catroot3\rfusclient.exe
C:\Windows\SysWOW64\catroot3\rfusclient.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Windows\SysWOW64\catroot3\rfusclient.exe
C:\Windows\SysWOW64\catroot3\rfusclient.exe /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:2556

C:\Windows\SysWOW64\catroot3\rfusclient.exe
C:\Windows\SysWOW64\catroot3\rfusclient.exe /tray
2⤵
- Executes dropped EXE
PID:4036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
300B

MD5
685c4803abe213f0927353125ab855cc

SHA1
4a98d8b716e78a2219ee9bf5d01ee1a29abfe135

SHA256
2d59ce82f84512b155225f452625b26d44616d3c7540b19657383c082993495a

SHA512
85a692b204de76efabc38c1485f011970cf6a28d5a2e9a1f2f218dcc17400ce84ce80ee0e1b6560d37102317fedcafc1eb855d99d5c3a33a837eb7fc3fb37164

Download Submit
C:\Users\Admin\AppData\Local\Temp\HookDrv.dll
Filesize
198KB

MD5
348af5474c0abb5769d4d75a12cca4ee

SHA1
b423c186f9cc4735f35df99bae8e72c351dfc745

SHA256
828ce0069f2f21dd9c3cf3832883ec9229831feaff4d212058e95579441d72a8

SHA512
6b6659c9b16ba523ffbf89f82194226299089cea92ee570e272a609a843d34f46e9a035b30f2cf99817e540a81bf692c1e72f4569675baf1189b256a8a5da487

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIPCServer.dll
Filesize
144KB

MD5
30e269f850baf6ca25187815912e21c5

SHA1
eb160de97d12b4e96f350dd0d0126d41d658afb3

SHA256
379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

SHA512
9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWLN.dll
Filesize
357KB

MD5
bb1f3e716d12734d1d2d9219a3979a62

SHA1
0ef66eed2f2ae45ec2d478902833b830334109cb

SHA256
d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

SHA512
bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\de.exe
Filesize
98KB

MD5
b8622a3042d7fa48b2e6de433007c870

SHA1
6399b9d115c3f1d3c5469f81b1a821bf75b75ae8

SHA256
cdb8330b9a36462dad63fb5c98520c4dd1cecf8a20d071bb0eff15ecf9fe0c98

SHA512
19450e826c78cc9526bf9ccba356fa63c8282ae3093db9ad71c1f21bcd80b3850b3aabbd2221fd6ddc293378df3d52ac0484c8882aeee517145d018ce3b4ed73

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsfVorbisEncoder.dll
Filesize
1.6MB

MD5
ff622a8812d8b1eff8f8d1a32087f9d2

SHA1
910615c9374b8734794ac885707ff5370db42ef1

SHA256
1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

SHA512
1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
4KB

MD5
07635ff42819d63a141dbb23c099d614

SHA1
2b5ae76c7368634d15a79c8c06fe3bdc5e2bb73c

SHA256
7f45fe873cdd125e2fcdf8b146559d1500b3d622d1be1324af945db12c2d9179

SHA512
109f5ee9370d47ef988c811ba31d7696a39ebd4e08ddf9566dd7011508c7038cdbb9ad6fe58b73c4aaf2d7f8f587483b2cc1f8173e8defca5cfb00d915c03b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
3.9MB

MD5
1c08c069e2613830d464358e64e129c0

SHA1
88b13f5b0dbe01d8e8badbe6cd1254849304509e

SHA256
c1eca4a9056a18b412cb5ce3380598ee7bae385a99faae0cf471ac9bb04fd222

SHA512
5af70d797177b6bddf41daa753214ef5ee413c11023a775d431f6494cb5b01b50e2f9221f86dc9d95074b465cb27bbabfd88ea42c9f4a90be1135f1b70991fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
4.6MB

MD5
89d8579491b86455a3fd9dce03eebcd2

SHA1
05a46af0fc9ffc29bbf8f15979e1cd940a730f78

SHA256
7489894bf2d7995af8dbca5fcf83f0e7577b9a73da39e014db27efff4967b4e4

SHA512
d9294684648bc4b8c3d1fb0b5a5cc68d7b1d503fbf5f9c565bb30e1e4511a35771b9751b38af14c544f53892ed98be50d52ff7050cacf6ba974aaeb0e274186b

Download Submit
C:\Users\Admin\AppData\Local\Temp\set.reg
Filesize
16KB

MD5
81c80910b0c2cf0be469f33dc4ef12c1

SHA1
0399ed7b5f725c8140a3505c86355f6226a47729

SHA256
fecbb64b2e7292f7aabeb6e0a7dc212e4dd14af58f8b8f387ce53c53c373743c

SHA512
c659175c735620763ad5b11627da01e61321d1eac8f36c58212b4ae957db328baf21fa9c1a9090f0ff56ec580e3f71bf14f07f2a634d836b60e63a0f22e91fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\stop.js
Filesize
215B

MD5
804b35ef108ec9839eb6a9335add8ca1

SHA1
bf91e6645c4a1c8cab2d20388469da9ed0a82d56

SHA256
fe111b7ea4e14ab7ba5004aea52b10030e0282bb5c40d4ba55761a2c5be59406

SHA512
822a3ec5e0e353058d4355bc01a44440dafe8d16c57744a3dcbc962eb110ed3f6843556568616bfc5dc7fad5f5832cd27d6591dc50105f2c79fc16c33919936d

Download Submit
C:\Windows\SysWOW64\catroot3\HookDrv.dll
Filesize
198KB

MD5
348af5474c0abb5769d4d75a12cca4ee

SHA1
b423c186f9cc4735f35df99bae8e72c351dfc745

SHA256
828ce0069f2f21dd9c3cf3832883ec9229831feaff4d212058e95579441d72a8

SHA512
6b6659c9b16ba523ffbf89f82194226299089cea92ee570e272a609a843d34f46e9a035b30f2cf99817e540a81bf692c1e72f4569675baf1189b256a8a5da487

Download Submit
C:\Windows\SysWOW64\catroot3\RIPCServer.dll
Filesize
144KB

MD5
30e269f850baf6ca25187815912e21c5

SHA1
eb160de97d12b4e96f350dd0d0126d41d658afb3

SHA256
379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

SHA512
9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

Download Submit
C:\Windows\SysWOW64\catroot3\RWLN.dll
Filesize
357KB

MD5
bb1f3e716d12734d1d2d9219a3979a62

SHA1
0ef66eed2f2ae45ec2d478902833b830334109cb

SHA256
d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

SHA512
bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

Download Submit
C:\Windows\SysWOW64\catroot3\dsfVorbisEncoder.dll
Filesize
1.6MB

MD5
ff622a8812d8b1eff8f8d1a32087f9d2

SHA1
910615c9374b8734794ac885707ff5370db42ef1

SHA256
1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

SHA512
1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

Download Submit
C:\Windows\SysWOW64\catroot3\rfusclient.exe
Filesize
3.9MB

MD5
1c08c069e2613830d464358e64e129c0

SHA1
88b13f5b0dbe01d8e8badbe6cd1254849304509e

SHA256
c1eca4a9056a18b412cb5ce3380598ee7bae385a99faae0cf471ac9bb04fd222

SHA512
5af70d797177b6bddf41daa753214ef5ee413c11023a775d431f6494cb5b01b50e2f9221f86dc9d95074b465cb27bbabfd88ea42c9f4a90be1135f1b70991fa0

Download Submit
C:\Windows\SysWOW64\catroot3\rfusclient.exe
Filesize
3.9MB

MD5
1c08c069e2613830d464358e64e129c0

SHA1
88b13f5b0dbe01d8e8badbe6cd1254849304509e

SHA256
c1eca4a9056a18b412cb5ce3380598ee7bae385a99faae0cf471ac9bb04fd222

SHA512
5af70d797177b6bddf41daa753214ef5ee413c11023a775d431f6494cb5b01b50e2f9221f86dc9d95074b465cb27bbabfd88ea42c9f4a90be1135f1b70991fa0

Download Submit
C:\Windows\SysWOW64\catroot3\rfusclient.exe
Filesize
3.9MB

MD5
1c08c069e2613830d464358e64e129c0

SHA1
88b13f5b0dbe01d8e8badbe6cd1254849304509e

SHA256
c1eca4a9056a18b412cb5ce3380598ee7bae385a99faae0cf471ac9bb04fd222

SHA512
5af70d797177b6bddf41daa753214ef5ee413c11023a775d431f6494cb5b01b50e2f9221f86dc9d95074b465cb27bbabfd88ea42c9f4a90be1135f1b70991fa0

Download Submit
C:\Windows\SysWOW64\catroot3\rfusclient.exe
Filesize
3.9MB

MD5
1c08c069e2613830d464358e64e129c0

SHA1
88b13f5b0dbe01d8e8badbe6cd1254849304509e

SHA256
c1eca4a9056a18b412cb5ce3380598ee7bae385a99faae0cf471ac9bb04fd222

SHA512
5af70d797177b6bddf41daa753214ef5ee413c11023a775d431f6494cb5b01b50e2f9221f86dc9d95074b465cb27bbabfd88ea42c9f4a90be1135f1b70991fa0

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe
Filesize
4.6MB

MD5
89d8579491b86455a3fd9dce03eebcd2

SHA1
05a46af0fc9ffc29bbf8f15979e1cd940a730f78

SHA256
7489894bf2d7995af8dbca5fcf83f0e7577b9a73da39e014db27efff4967b4e4

SHA512
d9294684648bc4b8c3d1fb0b5a5cc68d7b1d503fbf5f9c565bb30e1e4511a35771b9751b38af14c544f53892ed98be50d52ff7050cacf6ba974aaeb0e274186b

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe
Filesize
4.6MB

MD5
89d8579491b86455a3fd9dce03eebcd2

SHA1
05a46af0fc9ffc29bbf8f15979e1cd940a730f78

SHA256
7489894bf2d7995af8dbca5fcf83f0e7577b9a73da39e014db27efff4967b4e4

SHA512
d9294684648bc4b8c3d1fb0b5a5cc68d7b1d503fbf5f9c565bb30e1e4511a35771b9751b38af14c544f53892ed98be50d52ff7050cacf6ba974aaeb0e274186b

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe
Filesize
4.6MB

MD5
89d8579491b86455a3fd9dce03eebcd2

SHA1
05a46af0fc9ffc29bbf8f15979e1cd940a730f78

SHA256
7489894bf2d7995af8dbca5fcf83f0e7577b9a73da39e014db27efff4967b4e4

SHA512
d9294684648bc4b8c3d1fb0b5a5cc68d7b1d503fbf5f9c565bb30e1e4511a35771b9751b38af14c544f53892ed98be50d52ff7050cacf6ba974aaeb0e274186b

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe
Filesize
4.6MB

MD5
89d8579491b86455a3fd9dce03eebcd2

SHA1
05a46af0fc9ffc29bbf8f15979e1cd940a730f78

SHA256
7489894bf2d7995af8dbca5fcf83f0e7577b9a73da39e014db27efff4967b4e4

SHA512
d9294684648bc4b8c3d1fb0b5a5cc68d7b1d503fbf5f9c565bb30e1e4511a35771b9751b38af14c544f53892ed98be50d52ff7050cacf6ba974aaeb0e274186b

Download Submit
C:\Windows\SysWOW64\catroot3\rutserv.exe
Filesize
4.6MB

MD5
89d8579491b86455a3fd9dce03eebcd2

SHA1
05a46af0fc9ffc29bbf8f15979e1cd940a730f78

SHA256
7489894bf2d7995af8dbca5fcf83f0e7577b9a73da39e014db27efff4967b4e4

SHA512
d9294684648bc4b8c3d1fb0b5a5cc68d7b1d503fbf5f9c565bb30e1e4511a35771b9751b38af14c544f53892ed98be50d52ff7050cacf6ba974aaeb0e274186b

Download Submit
C:\Windows\SysWOW64\catroot3\set.reg
Filesize
16KB

MD5
81c80910b0c2cf0be469f33dc4ef12c1

SHA1
0399ed7b5f725c8140a3505c86355f6226a47729

SHA256
fecbb64b2e7292f7aabeb6e0a7dc212e4dd14af58f8b8f387ce53c53c373743c

SHA512
c659175c735620763ad5b11627da01e61321d1eac8f36c58212b4ae957db328baf21fa9c1a9090f0ff56ec580e3f71bf14f07f2a634d836b60e63a0f22e91fd3

Download Submit
C:\Windows\SysWOW64\de.exe
Filesize
98KB

MD5
b8622a3042d7fa48b2e6de433007c870

SHA1
6399b9d115c3f1d3c5469f81b1a821bf75b75ae8

SHA256
cdb8330b9a36462dad63fb5c98520c4dd1cecf8a20d071bb0eff15ecf9fe0c98

SHA512
19450e826c78cc9526bf9ccba356fa63c8282ae3093db9ad71c1f21bcd80b3850b3aabbd2221fd6ddc293378df3d52ac0484c8882aeee517145d018ce3b4ed73

Download Submit
memory/8-139-0x0000000000000000-mapping.dmp

Download
memory/212-170-0x0000000000000000-mapping.dmp

Download
memory/368-164-0x0000000000000000-mapping.dmp

Download
memory/388-206-0x0000000000000000-mapping.dmp

Download
memory/428-159-0x0000000000000000-mapping.dmp

Download
memory/532-140-0x0000000000000000-mapping.dmp

Download
memory/536-192-0x0000000000000000-mapping.dmp

Download
memory/920-132-0x0000000000000000-mapping.dmp

Download
memory/1252-205-0x0000000000000000-mapping.dmp

Download
memory/1516-168-0x0000000000000000-mapping.dmp

Download
memory/1536-171-0x0000000000000000-mapping.dmp

Download
memory/1664-160-0x0000000000000000-mapping.dmp

Download
memory/1696-156-0x0000000000000000-mapping.dmp

Download
memory/1744-172-0x0000000000000000-mapping.dmp

Download
memory/1876-169-0x0000000000000000-mapping.dmp

Download
memory/1952-182-0x0000000000000000-mapping.dmp

Download
memory/2052-183-0x0000000000000000-mapping.dmp

Download
memory/2208-155-0x0000000000000000-mapping.dmp

Download
memory/2312-166-0x0000000000000000-mapping.dmp

Download
memory/2436-157-0x0000000000000000-mapping.dmp

Download
memory/2556-207-0x0000000000000000-mapping.dmp

Download
memory/2600-184-0x0000000000000000-mapping.dmp

Download
memory/2640-135-0x0000000000000000-mapping.dmp

Download
memory/2776-177-0x0000000000000000-mapping.dmp

Download
memory/3096-180-0x0000000000000000-mapping.dmp

Download
memory/3284-163-0x0000000000000000-mapping.dmp

Download
memory/3384-162-0x0000000000000000-mapping.dmp

Download
memory/3424-186-0x0000000000000000-mapping.dmp

Download
memory/3444-158-0x0000000000000000-mapping.dmp

Download
memory/3636-176-0x0000000000000000-mapping.dmp

Download
memory/3648-178-0x0000000000000000-mapping.dmp

Download
memory/3812-190-0x0000000000000000-mapping.dmp

Download
memory/3864-175-0x0000000000000000-mapping.dmp

Download
memory/4036-202-0x0000000000000000-mapping.dmp

Download
memory/4080-161-0x0000000000000000-mapping.dmp

Download
memory/4168-174-0x0000000000000000-mapping.dmp

Download
memory/4196-137-0x0000000000000000-mapping.dmp

Download
memory/4296-181-0x0000000000000000-mapping.dmp

Download
memory/4392-173-0x0000000000000000-mapping.dmp

Download
memory/4400-185-0x0000000000000000-mapping.dmp

Download
memory/4588-179-0x0000000000000000-mapping.dmp

Download
memory/4624-154-0x0000000000000000-mapping.dmp

Download
memory/4648-152-0x0000000000000000-mapping.dmp

Download
memory/4712-151-0x0000000000000000-mapping.dmp

Download
memory/4776-141-0x0000000000000000-mapping.dmp

Download
memory/4840-194-0x0000000000000000-mapping.dmp

Download
memory/4888-201-0x0000000000000000-mapping.dmp

Download
memory/4944-136-0x0000000000000000-mapping.dmp

Download
memory/5008-167-0x0000000000000000-mapping.dmp

Download
memory/5064-165-0x0000000000000000-mapping.dmp

Download
memory/5072-150-0x0000000000000000-mapping.dmp

Download