Analysis

  • max time kernel
    150s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/12/2022, 13:09

General

  • Target

    e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe

  • Size

    7.2MB

  • MD5

    faf5021dc3a27579ea50efced8a4f137

  • SHA1

    c06cc6593ac3b29af35566d96d649db45001db8e

  • SHA256

    e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2

  • SHA512

    01b495962b976c366b92381fd8c7031df446663b6c06f4f251a9c17017ffb00cbb1f08de55423a6aa6219454f472d2ef8a6a8eb245ceff690cd70540636b3eb4

  • SSDEEP

    196608:DdbSqYn+fJi3qpm6JrfuDG4RRvLjqYSMoO4dsjkS2YfGo/v:DdSqYn+xi3qpmUOL4uj1tfGo/v

Score
10/10

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 58 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe
    "C:\Users\Admin\AppData\Local\Temp\e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
        PID:4228
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im rutserv.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:628
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        3⤵
        PID:32
      • C:\Windows\SysWOW64\msiexec.exe
        MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:212
      • C:\Windows\SysWOW64\msiexec.exe
        MsiExec /x {54067864-C0E7-47DB-A0C1-D6C874CE6BD8} /qn REBOOT=ReallySuppress
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4276
      • C:\Windows\SysWOW64\msiexec.exe
        MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress
        3⤵
        PID:4312
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress
        3⤵
        PID:1352
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress
        3⤵
        PID:1884
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress
        3⤵
        PID:4460
      • C:\Windows\SysWOW64\msiexec.exe
        MsiExec /x {B04BFE4C-7F11-49D8-ADFE-867939D886FA} /qn REBOOT=ReallySuppress
        3⤵
        PID:4552
      • C:\Windows\SysWOW64\msiexec.exe
        MsiExec /x {2B0A2EED-E2C8-40CE-A701-95B211A39B34} /qn REBOOT=ReallySuppress
        3⤵
        PID:4068
      • C:\Windows\SysWOW64\msiexec.exe
        MsiExec /x {11A90858-40BB-4858-A2DA-CA6495B5E907} /qn REBOOT=ReallySuppress
        3⤵
        PID:4288
      • C:\Windows\SysWOW64\msiexec.exe
        MsiExec /x {CD64A32F-8B05-4913-B988-BA68265083B9} /qn REBOOT=ReallySuppress
        3⤵
        PID:1888
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:60
      • C:\Windows\SysWOW64\msiexec.exe
        MsiExec /I "rms.host5.5ru_mod3.msi" /qn
        3⤵
        PID:3624
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 17C0733FD732AD55E5E5C78B339BBB37
      2⤵
      • Loads dropped DLL
      PID:1776
    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:4496
    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:4864
    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:1136
  • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:3476

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

    Filesize

    5.7MB

    MD5

    3d49b75df140bd962f7f83b7f3124607

    SHA1

    059d1b9e4a2128b5a61ea68ef14ab406aadb54b2

    SHA256

    e41e6b7e3bf9c70877e58bdf3f2d672931529de6efefcda8d45e72bb8ac5e6b6

    SHA512

    c17e1533793aa53064c8ec7c458a26e4470f910014056ab275896815063c259be13d7260fdbedf824f301dad0bb8340eb1dc39b684f52c5c0a8e544d2cf89c58

  • C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

    Filesize

    21KB

    MD5

    f13a5e178099344fe21141c4e37fd94e

    SHA1

    1c44f8c9639edda4eadb8dc3b3f282f7d918865c

    SHA256

    ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

    SHA512

    b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

    Filesize

    1KB

    MD5

    d50d5abf61130986c22c1434c52dd303

    SHA1

    0ad25d3bc9d3d378d4c003213d1b2dd6b55e019b

    SHA256

    809a84544e09da151e9efaa1217276bc7c86b5602986f6ddec80fb800040e45d

    SHA512

    6fb570cb04819ce525f72d0fdd4472bbc8553a5649f3a7a0e0812ba4a2595af45f7892fb7877f8ae4ce26eafd8d64a9faf7b733af5837ac9dff7af1e4dc691a5

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host5.5ru_mod3.msi

    Filesize

    7.9MB

    MD5

    3f7771670a48eb758ca4782dcbdcece7

    SHA1

    2b591362464c3c1b060fed47ac5d2e07d8bdd61f

    SHA256

    674198f6bf6a5a840a81ed6957c1ddfa589aae99550d9ed2eef46f3bcf919545

    SHA512

    4e8c69fd45407b4c167c5b3ba61e0b1d535c6078c3a656d1237777ce117b5154d6cc4fc715a088dd21f563225e545631a88b0057f9c3a7487ee53fef323b3739

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\winmm.dll

    Filesize

    21KB

    MD5

    f13a5e178099344fe21141c4e37fd94e

    SHA1

    1c44f8c9639edda4eadb8dc3b3f282f7d918865c

    SHA256

    ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

    SHA512

    b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

  • C:\Windows\Installer\MSI7AF7.tmp

    Filesize

    125KB

    MD5

    b0bcc622f1fff0eec99e487fa1a4ddd9

    SHA1

    49aa392454bd5869fa23794196aedc38e8eea6f5

    SHA256

    b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

    SHA512

    1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

  • memory/1136-169-0x0000000073470000-0x0000000073477000-memory.dmp

    Filesize

    28KB

  • memory/4496-161-0x0000000073470000-0x0000000073477000-memory.dmp

    Filesize

    28KB

  • memory/4496-160-0x0000000073470000-0x0000000073477000-memory.dmp

    Filesize

    28KB

  • memory/4864-165-0x0000000073470000-0x0000000073477000-memory.dmp

    Filesize

    28KB