Analysis
max time kernel: 150s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/12/2022, 13:09
Static task: static1
Behavioral task: behavioral1
Sample: e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe
Resource: win7-20220812-en
General
Target: e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe
Size: 7.2MB
MD5: faf5021dc3a27579ea50efced8a4f137
SHA1: c06cc6593ac3b29af35566d96d649db45001db8e
SHA256: e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2
SHA512: 01b495962b976c366b92381fd8c7031df446663b6c06f4f251a9c17017ffb00cbb1f08de55423a6aa6219454f472d2ef8a6a8eb245ceff690cd70540636b3eb4
SSDEEP: 196608:DdbSqYn+fJi3qpm6JrfuDG4RRvLjqYSMoO4dsjkS2YfGo/v:DdSqYn+xi3qpmUOL4uj1tfGo/v
Malware Config
Signatures
-
Blocklisted process makes network request (4 IoCs)
flow  pid   Process
51    2524  msiexec.exe
56    2524  msiexec.exe
58    2524  msiexec.exe
60    2524  msiexec.exe
-
Executes dropped EXE (4 IoCs)
pid   Process
4496  rutserv.exe
4864  rutserv.exe
1136  rutserv.exe
3476  rutserv.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe
-
Loads dropped DLL (5 IoCs)
pid   Process
1776  MsiExec.exe
4496  rutserv.exe
4864  rutserv.exe
1136  rutserv.exe
3476  rutserv.exe
-
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); Process: msiexec.exe (all 24 entries)
ioc: \??\L:, \??\R:, \??\Z:, \??\S:, \??\Y:, \??\A:, \??\G:, \??\I:, \??\M:, \??\P:, \??\U:, \??\V:, \??\X:, \??\B:, \??\F:, \??\K:, \??\N:, \??\O:, \??\Q:, \??\T:, \??\W:, \??\E:, \??\H:, \??\J:
-
Drops file in Program Files directory (58 IoCs)
All paths below are relative to C:\Program Files (x86)\Remote Manipulator System - Host\.
description                   ioc                               Process
File created                  RWLN.dll                          msiexec.exe
File created                  Printer\x64\unidrvui_rms.dll      msiexec.exe
File created                  Printer\x64\unidrv_rms.hlp        msiexec.exe
File created                  winmm.dll                         cmd.exe
File created                  Russian.lg                        msiexec.exe
File created                  Printer\x86\progress.exe          msiexec.exe
File created                  rutserv.exe                       msiexec.exe
File created                  Printer\x64\rmspm.dll             msiexec.exe
File created                  Printer\x64\uninstall.cmd         msiexec.exe
File created                  Printer\x86\rms.ini               msiexec.exe
File created                  Printer\x86\ntprint.inf           msiexec.exe
File created                  Printer\x86\uninstall.cmd         msiexec.exe
File created                  Microsoft.VC90.CRT.manifest       msiexec.exe
File created                  Printer\x64\progress.exe          msiexec.exe
File created                  Printer\x64\stdnames_vpd.gpd      msiexec.exe
File created                  Printer\x86\unidrv_rms.hlp        msiexec.exe
File created                  Printer\x64\ntprint.inf           msiexec.exe
File created                  Printer\x86\VPDAgent.exe          msiexec.exe
File created                  vp8encoder.dll                    msiexec.exe
File created                  Printer\x64\install.cmd           msiexec.exe
File created                  Printer\x64\rms.gpd               msiexec.exe
File created                  Printer\x86\srvinst.exe           msiexec.exe
File created                  Printer\x86\rmspm.dll             msiexec.exe
File created                  Printer\x64\rms.ini               msiexec.exe
File created                  Printer\x64\srvinst_x64.exe       msiexec.exe
File created                  Printer\x64\VPDAgent_x64.exe      msiexec.exe
File created                  EULA.rtf                          msiexec.exe
File created                  Printer\x86\rmsui2.exe            msiexec.exe
File created                  Printer\x86\rms_s.lng             msiexec.exe
File created                  Printer\x64\rms_s.lng             msiexec.exe
File created                  Printer\x64\unidrv_rms.dll        msiexec.exe
File created                  Printer\x86\install.cmd           msiexec.exe
File created                  rfusclient.exe                    msiexec.exe
File created                  dsfVorbisEncoder.dll              msiexec.exe
File created                  msvcr90.dll                       msiexec.exe
File created                  Printer\x64\rmsui2.exe            msiexec.exe
File created                  Printer\x86\rms.gpd               msiexec.exe
File created                  vp8decoder.dll                    msiexec.exe
File created                  Printer\x64\fwproc.exe            msiexec.exe
File created                  Printer\x64\rmsui.dll             msiexec.exe
File opened for modification  winmm.dll                         cmd.exe
File created                  RIPCServer.dll                    msiexec.exe
File created                  Printer\x86\rmsui.dll             msiexec.exe
File created                  msvcp90.dll                       msiexec.exe
File created                  English.lg                        msiexec.exe
File created                  Printer\x86\fwproc.exe            msiexec.exe
File created                  Printer\x86\unidrv_rms.dll        msiexec.exe
File created                  Printer\x64\setupdrv.exe          msiexec.exe
File created                  Printer\x86\setupdrv.exe          msiexec.exe
File created                  Printer\x86\stdnames_vpd.gpd      msiexec.exe
File created                  dsfVorbisDecoder.dll              msiexec.exe
File created                  Printer\x64\rms.lng               msiexec.exe
File created                  Printer\x86\SampleClient.exe      msiexec.exe
File created                  Printer\x86\rms.lng               msiexec.exe
File created                  gdiplus.dll                       msiexec.exe
File created                  Printer\x86\unidrvui_rms.dll      msiexec.exe
File created                  Printer\x86\unires_vpd.dll        msiexec.exe
File created                  Printer\x64\unires_vpd.dll        msiexec.exe
-
Drops file in Windows directory (19 IoCs)
All 19 entries were made by msiexec.exe.
description                   ioc
File created                  C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\ARPPRODUCTICON.exe
File opened for modification  C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\ARPPRODUCTICON.exe
File opened for modification  C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
File opened for modification  C:\Windows\Installer\
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi
File created                  C:\Windows\Installer\e57deca.msi
File created                  C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
File created                  C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
File created                  C:\Windows\Installer\e57dec7.msi
File created                  C:\Windows\Installer\SourceHash{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}
File opened for modification  C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
File opened for modification  C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
File opened for modification  C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
File opened for modification  C:\Windows\Installer\MSI86B0.tmp
File created                  C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
File created                  C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
File opened for modification  C:\Windows\Installer\e57dec7.msi
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
File opened for modification  C:\Windows\Installer\MSI7AF7.tmp
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill (1 IoCs)
pid  Process
628  taskkill.exe
-
Modifies data under HKEY_USERS (3 IoCs)
description  ioc                                                                             Process
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e           msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f           msiexec.exe
-
Modifies registry class (24 IoCs)
All 24 entries were made by msiexec.exe; keys below are relative to \REGISTRY\MACHINE\SOFTWARE\Classes\Installer.
description       ioc
Key created       Products\468760457E0CBD740A1C6D8C47ECB68D
Key created       Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Net
Set value (str)   Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media\DiskPrompt = "[1]"
Set value (data)  Products\468760457E0CBD740A1C6D8C47ECB68D\Clients = 3a0000000000
Set value (str)   Features\468760457E0CBD740A1C6D8C47ECB68D\RMS
Set value (int)   Products\468760457E0CBD740A1C6D8C47ECB68D\Version = "100602960"
Set value (int)   Products\468760457E0CBD740A1C6D8C47ECB68D\AdvertiseFlags = "388"
Key created       Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media
Set value (str)   Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media\1 = "DISK1;1"
Set value (str)   Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"
Set value (int)   Products\468760457E0CBD740A1C6D8C47ECB68D\Language = "1049"
Set value (str)   Products\468760457E0CBD740A1C6D8C47ECB68D\ProductIcon = "C:\\Windows\\Installer\\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\\ARPPRODUCTICON.exe"
Set value (int)   Products\468760457E0CBD740A1C6D8C47ECB68D\AuthorizedLUAApp = "0"
Set value (int)   Products\468760457E0CBD740A1C6D8C47ECB68D\DeploymentFlags = "3"
Set value (str)   UpgradeCodes\509B38EF4554FFD4794F292971C81B17\468760457E0CBD740A1C6D8C47ECB68D
Key created       Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList
Set value (str)   Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\PackageName = "rms.host5.5ru_mod3.msi"
Set value (str)   Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"
Key created       Features\468760457E0CBD740A1C6D8C47ECB68D
Set value (str)   Products\468760457E0CBD740A1C6D8C47ECB68D\ProductName = "Remote Manipulator System - Host"
Set value (str)   Products\468760457E0CBD740A1C6D8C47ECB68D\PackageCode = "F23A46DC50B831949B88AB866205389B"
Set value (int)   Products\468760457E0CBD740A1C6D8C47ECB68D\Assignment = "1"
Set value (int)   Products\468760457E0CBD740A1C6D8C47ECB68D\InstanceType = "0"
Key created       UpgradeCodes\509B38EF4554FFD4794F292971C81B17
-
Runs ping.exe (1 TTPs, 1 IoCs)
pid  Process
60   PING.EXE
-
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid   Process      hits
2524  msiexec.exe  2
4496  rutserv.exe  6
4864  rutserv.exe  2
1136  rutserv.exe  2
3476  rutserv.exe  6
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid   Process       Tokens
628   taskkill.exe  SeDebugPrivilege
2524  msiexec.exe   SeSecurityPrivilege
212   msiexec.exe   SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 entries)
4276  msiexec.exe   SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 entries)
-
Suspicious use of WriteProcessMemory (60 IoCs)
Each write below was recorded three times in the report, giving 20 distinct parent/child pairs.
pid   Process                                                                    target PID  procid_target
1532  e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe  1228        83
1228  cmd.exe                                                                    4228        85
1228  cmd.exe                                                                    628         86
1228  cmd.exe                                                                    32          87
1228  cmd.exe                                                                    212         88
1228  cmd.exe                                                                    4276        90
1228  cmd.exe                                                                    4312        91
1228  cmd.exe                                                                    1352        92
1228  cmd.exe                                                                    1884        93
1228  cmd.exe                                                                    4460        94
1228  cmd.exe                                                                    4552        95
1228  cmd.exe                                                                    4068        96
1228  cmd.exe                                                                    4288        97
1228  cmd.exe                                                                    1888        98
1228  cmd.exe                                                                    60          99
1228  cmd.exe                                                                    3624        102
2524  msiexec.exe                                                                1776        105
2524  msiexec.exe                                                                4496        109
2524  msiexec.exe                                                                4864        110
2524  msiexec.exe                                                                1136        111
Processes
[1] C:\Users\Admin\AppData\Local\Temp\e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe"
    PID: 1532
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
      PID: 1228
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\chcp.com
        Command line: chcp 1251
        PID: 4228
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im rutserv.exe
        PID: 628
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        PID: 32
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
        PID: 212
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: MsiExec /x {54067864-C0E7-47DB-A0C1-D6C874CE6BD8} /qn REBOOT=ReallySuppress
        PID: 4276
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress
        PID: 4312
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: msiexec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress
        PID: 1352
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: msiexec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress
        PID: 1884
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: msiexec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress
        PID: 4460
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: MsiExec /x {B04BFE4C-7F11-49D8-ADFE-867939D886FA} /qn REBOOT=ReallySuppress
        PID: 4552
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: MsiExec /x {2B0A2EED-E2C8-40CE-A701-95B211A39B34} /qn REBOOT=ReallySuppress
        PID: 4068
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: MsiExec /x {11A90858-40BB-4858-A2DA-CA6495B5E907} /qn REBOOT=ReallySuppress
        PID: 4288
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: MsiExec /x {CD64A32F-8B05-4913-B988-BA68265083B9} /qn REBOOT=ReallySuppress
        PID: 1888
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        PID: 60
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: MsiExec /I "rms.host5.5ru_mod3.msi" /qn
        PID: 3624
[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 2524
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 17C0733FD732AD55E5E5C78B339BBB37
      PID: 1776
      - Loads dropped DLL
  [2] C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
      PID: 4496
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
      PID: 4864
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
      PID: 1136
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
[1] C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
    PID: 3476
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 5.7MB
MD5: 3d49b75df140bd962f7f83b7f3124607
SHA1: 059d1b9e4a2128b5a61ea68ef14ab406aadb54b2
SHA256: e41e6b7e3bf9c70877e58bdf3f2d672931529de6efefcda8d45e72bb8ac5e6b6
SHA512: c17e1533793aa53064c8ec7c458a26e4470f910014056ab275896815063c259be13d7260fdbedf824f301dad0bb8340eb1dc39b684f52c5c0a8e544d2cf89c58
-
Filesize: 21KB
MD5: f13a5e178099344fe21141c4e37fd94e
SHA1: 1c44f8c9639edda4eadb8dc3b3f282f7d918865c
SHA256: ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb
SHA512: b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99
-
Filesize: 1KB
MD5: d50d5abf61130986c22c1434c52dd303
SHA1: 0ad25d3bc9d3d378d4c003213d1b2dd6b55e019b
SHA256: 809a84544e09da151e9efaa1217276bc7c86b5602986f6ddec80fb800040e45d
SHA512: 6fb570cb04819ce525f72d0fdd4472bbc8553a5649f3a7a0e0812ba4a2595af45f7892fb7877f8ae4ce26eafd8d64a9faf7b733af5837ac9dff7af1e4dc691a5
-
Filesize: 7.9MB
MD5: 3f7771670a48eb758ca4782dcbdcece7
SHA1: 2b591362464c3c1b060fed47ac5d2e07d8bdd61f
SHA256: 674198f6bf6a5a840a81ed6957c1ddfa589aae99550d9ed2eef46f3bcf919545
SHA512: 4e8c69fd45407b4c167c5b3ba61e0b1d535c6078c3a656d1237777ce117b5154d6cc4fc715a088dd21f563225e545631a88b0057f9c3a7487ee53fef323b3739
-
Filesize: 125KB
MD5: b0bcc622f1fff0eec99e487fa1a4ddd9
SHA1: 49aa392454bd5869fa23794196aedc38e8eea6f5
SHA256: b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA512: 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7