Analysis

  • max time kernel
    182s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 07:06

General

  • Target

    eb8cce04e68e0edf8d1f33b6b5fb79e89bb9abc5bf42fcd4b0df0360c9a86e1c.exe

  • Size

    3.6MB

  • MD5

    08d6651c58801b8ba799e21f2972aeec

  • SHA1

    431166615f079fa7399620c96bb7854f1337d3d0

  • SHA256

    eb8cce04e68e0edf8d1f33b6b5fb79e89bb9abc5bf42fcd4b0df0360c9a86e1c

  • SHA512

    89f80ff6536a55f4ed677af6f36910e3796f5dc684d3dee1190a87735448508309d8b1b4211087bf44513cac0412e7dbdfd85e37234c97a11fced749f01adfc6

  • SSDEEP

    98304:7JYtfH2yd+W+2dtu32yWx35rUDHvD9ICRDxq79u6e:7J82I+IujYp+PD78xA

Score
10/10

Signatures

  • RMS

    Remote Manipulator System (RMS) is a commercial remote access tool developed by the Russian company TektonIT. The software itself is legitimate; what is scored here is its silent, unattended installation by a dropper, which is how it is abused as a RAT.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 15 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour, but nothing else in this report points to encryption; for this sample it is better read as the remote-access components enumerating drives.

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
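
The signatures above describe the behaviour; the process tree further down gives the exact command lines a detection can key on. The following is an added example for this page, not code from Triage or from TektonIT: it scores process-creation records for the install.bat chain (cleanup of an earlier RMS install followed by rutserv.exe /silentinstall). SAMPLE_EVENTS is constructed from the report's process tree; the indicator patterns, the homoglyph folding and the "two cleanup indicators plus a silent install" threshold are all assumptions of this example.

```python
"""Flag the RMS install chain seen in the process tree below in process-creation
telemetry (Sysmon Event ID 1 style records). Added example for this page, not
code from Triage or TektonIT. SAMPLE_EVENTS is constructed from the report's
process tree; every matching rule here is an assumption of this example."""
import re

# Cyrillic look-alikes folded to Latin before matching. Assumption: cheap
# insurance against homoglyph substitution in batch files; the report does not
# say why its captured strings lack the letter "a". NBSP becomes a plain space.
_FOLD = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0410": "A", "\u0415": "E", "\u041e": "O",
    "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X", "\u00a0": " ",
})
_ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\ufeff]")


def normalise(cmdline: str) -> str:
    """Fold look-alikes, drop zero-width characters, collapse whitespace."""
    s = _ZERO_WIDTH.sub("", cmdline.translate(_FOLD))
    return re.sub(r"\s+", " ", s).strip()


# Indicators lifted from the report. ".?" is one optional character wherever the
# captured command line is missing an "a", so the captured spelling ("dvfirewll")
# and the normal one ("advfirewall") both match.
INDICATORS = {
    "stop_rms_service": re.compile(r"\bnet stop rserver3\b", re.I),
    "delete_rms_service_key": re.compile(
        r'\breg delete "?HKLM\\(SYSTEM\\Remote M.?nipul.?tor System'
        r"|System\\CurrentControlSet\\Services\\RServer3)", re.I),
    "disable_telnet": re.compile(r"\bsc config tlntsvr st.?rt= dis.?bled", re.I),
    "delete_hidden_user": re.compile(r"\bnet user HelpAssist.?nt /delete\b", re.I),
    "delete_fw_rule": re.compile(r"\bnetsh .?dvfirew.?ll firew.?ll delete rule\b", re.I),
    "delete_run_value": re.compile(
        r'\breg delete "?HKLM\\Softw.?re\\Microsoft\\Windows\\CurrentVersion\\'
        r"(Policies\\Explorer\\)?Run\b", re.I),
    "rms_silent_install": re.compile(r'rutserv\.exe"? /silentinst.?ll\b', re.I),
    "rms_tray_client": re.compile(r'rfusclient\.exe"? /tray\b', re.I),
}
CLEANUP = {"stop_rms_service", "delete_rms_service_key", "disable_telnet",
           "delete_hidden_user", "delete_fw_rule", "delete_run_value"}


def match_indicators(cmdline: str) -> set:
    """Names of every indicator that fires on one command line."""
    norm = normalise(cmdline)
    return {name for name, rx in INDICATORS.items() if rx.search(norm)}


def descendants(events, root_pid):
    """Every process below root_pid in the parent/child tree."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    found, stack = [], [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            found.append(child)
            stack.append(child["pid"])
    return found


def find_rms_install_chains(events):
    """One finding per cmd.exe whose subtree both scrubs an earlier RMS install
    (at least two cleanup indicators) and silently installs rutserv.exe."""
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        hits = set()
        for d in descendants(events, e["pid"]):
            hits |= match_indicators(d["cmdline"])
        if "rms_silent_install" in hits and len(hits & CLEANUP) >= 2:
            findings.append({"root_pid": e["pid"], "root_cmdline": e["cmdline"],
                             "hits": sorted(hits)})
    return findings


T = r"C:\Users\Admin\AppData\Local\Temp"
S = r"C:\Windows\SysWOW64"
SAMPLE_EVENTS = [  # constructed from the report's tree; PIDs and strings as captured there
    {"pid": 1264, "ppid": 1, "image": T + r"\eb8cce04e68e0edf8d1f33b6b5fb79e89bb9abc5bf42fcd4b0df0360c9a86e1c.exe",
     "cmdline": '"' + T + r'\eb8cce04e68e0edf8d1f33b6b5fb79e89bb9abc5bf42fcd4b0df0360c9a86e1c.exe"'},
    {"pid": 4416, "ppid": 1264, "image": S + r"\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "' + T + r'\stop.js"'},
    {"pid": 2256, "ppid": 4416, "image": S + r"\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + T + r'\install.bat" "'},
    {"pid": 3708, "ppid": 2256, "image": S + r"\reg.exe",
     "cmdline": r'reg delete "HKLM\SYSTEM\Remote Mnipultor System" /f'},
    {"pid": 4680, "ppid": 2256, "image": S + r"\net.exe", "cmdline": "net stop rserver3"},
    {"pid": 3528, "ppid": 2256, "image": S + r"\sc.exe", "cmdline": "sc config tlntsvr strt= disbled"},
    {"pid": 4292, "ppid": 2256, "image": S + r"\net.exe", "cmdline": "net user HelpAssistnt /delete"},
    {"pid": 796, "ppid": 2256, "image": S + r"\netsh.exe",
     "cmdline": 'netsh dvfirewll firewll delete rule nme="RelIP"'},
    {"pid": 2676, "ppid": 2256, "image": S + r"\reg.exe",
     "cmdline": r'reg delete "HKLM\Softwre\Microsoft\Windows\CurrentVersion\Run" /v "cm_server.exe" /f'},
    {"pid": 2472, "ppid": 2256, "image": S + r"\ctroot3\rutserv.exe", "cmdline": '"rutserv.exe" /silentinstll'},
    {"pid": 228, "ppid": 2472, "image": S + r"\ctroot3\rfusclient.exe",
     "cmdline": S + r"\ctroot3\rfusclient.exe /tray /user"},
    {"pid": 8, "ppid": 1264, "image": S + r"\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + T + r'\7ZSfx000.cmd" "'},
]

if __name__ == "__main__":
    for f in find_rms_install_chains(SAMPLE_EVENTS):
        print(f"RMS install chain under PID {f['root_pid']}: {f['root_cmdline']}")
        print("  indicators:", ", ".join(f["hits"]))
```

Run it as a script to print the finding for the constructed tree, or pass find_rms_install_chains() your own Sysmon Event ID 1 records with pid, ppid, image and cmdline fields. The second cmd.exe (the 7ZSfx000.cmd runner) produces no finding because nothing under it matches, which is the false-positive case the threshold is there to suppress.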

Processes

Reading the tree: stop.js launches install.bat, which first removes any earlier RMS installation (the rserver3 service and its registry key, its firewall rules, Run entries under the names an earlier install used, and a hidden HelpAssistnt account), then installs rutserv.exe silently from C:\Windows\SysWOW64\ctroot3\, and rutserv.exe starts the rfusclient.exe tray client.

Command lines are reproduced exactly as captured. Two quirks matter before any of them is copied into a detection. Every string that originates in install.bat is missing its lowercase "a" ("Remote Mnipultor System", "dvfirewll", "HelpAssistnt", "silentinstll"), while strings from other sources ("C:\Users\Admin\AppData\Local\Temp\install.bat", "/tray /user") keep it, so match on the captured spelling as well as the normal one. The rule and value names rendered as accented and Greek glyphs are CP866 (OEM Russian) Cyrillic displayed through the CP437 OEM code page of the en-US sandbox; the decoded name follows each such line in brackets.

• C:\Users\Admin\AppData\Local\Temp\eb8cce04e68e0edf8d1f33b6b5fb79e89bb9abc5bf42fcd4b0df0360c9a86e1c.exe
  "C:\Users\Admin\AppData\Local\Temp\eb8cce04e68e0edf8d1f33b6b5fb79e89bb9abc5bf42fcd4b0df0360c9a86e1c.exe"
  1⤵
  • Checks computer location settings
  • Modifies registry class
  • Suspicious use of WriteProcessMemory
  PID:1264
  • C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
    2⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      3⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKLM\SYSTEM\Remote Mnipultor System" /f
        4⤵
        PID:3708
      • C:\Windows\SysWOW64\net.exe
        net stop rserver3
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:4680
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop rserver3
          5⤵
          PID:3568
      • C:\Windows\SysWOW64\net.exe
        net stop Telnet
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:4948
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop Telnet
          5⤵
          PID:3800
      • C:\Windows\SysWOW64\sc.exe
        sc config tlntsvr strt= disbled
        4⤵
        • Launches sc.exe
        PID:3528
      • C:\Windows\SysWOW64\net.exe
        net stop "Service Host Controller"
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Service Host Controller"
          5⤵
          PID:720
      • C:\Windows\SysWOW64\net.exe
        net user HelpAssistnt /delete
        4⤵
        • Suspicious use of WriteProcessMemory
        PID:4292
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user HelpAssistnt /delete
          5⤵
          PID:3488
      • C:\Windows\SysWOW64\netsh.exe
        netsh dvfirewll firewll delete rule nme="RelIP"
        4⤵
        PID:796
      • C:\Windows\SysWOW64\netsh.exe
        netsh dvfirewll firewll delete rule nme="Microsoft Outlook Express"
        4⤵
        PID:3260
      • C:\Windows\SysWOW64\netsh.exe
        netsh dvfirewll firewll delete rule nme="Service Host Controller"
        4⤵
        PID:2988
      • C:\Windows\SysWOW64\netsh.exe
        netsh dvfirewll firewll delete rule nme="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"
        [rule name decoded from CP866: "Хост-процесс для служб Windows", i.e. "Host process for Windows services"]
        4⤵
        PID:2028
      • C:\Windows\SysWOW64\netsh.exe
        netsh dvfirewll firewll delete rule nme="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"
        [rule name decoded from CP866: "Хост-процесс для задач Windows", i.e. "Host process for Windows tasks"]
        4⤵
        PID:828
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewll delete portopening tcp 57009
        4⤵
        PID:920
      • C:\Windows\SysWOW64\netsh.exe
        netsh dvfirewll firewll delete rule nme="cm_server"
        4⤵
        PID:2508
      • C:\Windows\SysWOW64\netsh.exe
        netsh dvfirewll firewll delete portopening tcp 57011 ll
        4⤵
        PID:4968
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαᵿ«¡¡á∩ ß¿ßΓѼá Microsoft Windows" /f
        [value name decoded from CP866: "Операционная система Microsoft Windows", i.e. "Microsoft Windows operating system"]
        4⤵
        • Modifies registry key
        PID:3020
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f
        4⤵
        • Modifies registry key
        PID:3472
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecilAccounts\UserList" /v HelpAssistnt /f
        4⤵
        PID:4452
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKLM\Softwre\Microsoft\Windows\CurrentVersion\Run" /v "cm_server.exe" /f
        4⤵
        PID:2676
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f
        4⤵
        PID:4088
      • C:\Windows\SysWOW64\ctroot3\rutserv.exe
        "rutserv.exe" /silentinstll
        4⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2472
        • C:\Windows\SysWOW64\ctroot3\rfusclient.exe
          C:\Windows\SysWOW64\ctroot3\rfusclient.exe /tray /user
          5⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:228
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    2⤵
    PID:8

Network

MITRE ATT&CK Enterprise v6

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

                                      Filesize

                                      300B

                                      MD5

                                      d17f3f5f091178f70159d867ecec5460

                                      SHA1

                                      92de256d8ae00483e38402dee3c3e65c9a2024e6

                                      SHA256

                                      81c227b6a9dd3e8b4176bc478b1e9846cc3355882f28efa1c426cee126238d34

                                      SHA512

                                      da37c8ad0abe5aa8b98803585365a2a939d205367a13b340a1928bdadeeb0b9678da31f22d673580a88c72f5b63087e9da3af68a508f4ee6afad9ffde5720abe

                                    • C:\Users\Admin\AppData\Local\Temp\HookDrv.dll

                                      Filesize

                                      198KB

                                      MD5

                                      348af5474c0abb5769d4d75a12cca4ee

                                      SHA1

                                      b423c186f9cc4735f35df99bae8e72c351dfc745

                                      SHA256

                                      828ce0069f2f21dd9c3cf3832883ec9229831feaff4d212058e95579441d72a8

                                      SHA512

                                      6b6659c9b16ba523ffbf89f82194226299089cea92ee570e272a609a843d34f46e9a035b30f2cf99817e540a81bf692c1e72f4569675baf1189b256a8a5da487

                                    • C:\Users\Admin\AppData\Local\Temp\RIPCServer.dll

                                      Filesize

                                      144KB

                                      MD5

                                      30e269f850baf6ca25187815912e21c5

                                      SHA1

                                      eb160de97d12b4e96f350dd0d0126d41d658afb3

                                      SHA256

                                      379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

                                      SHA512

                                      9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

                                    • C:\Users\Admin\AppData\Local\Temp\RWLN.dll

                                      Filesize

                                      357KB

                                      MD5

                                      bb1f3e716d12734d1d2d9219a3979a62

                                      SHA1

                                      0ef66eed2f2ae45ec2d478902833b830334109cb

                                      SHA256

                                      d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

                                      SHA512

                                      bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

                                    • C:\Users\Admin\AppData\Local\Temp\dsfVorbisEncoder.dll

                                      Filesize

                                      1.6MB

                                      MD5

                                      ff622a8812d8b1eff8f8d1a32087f9d2

                                      SHA1

                                      910615c9374b8734794ac885707ff5370db42ef1

                                      SHA256

                                      1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

                                      SHA512

                                      1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

                                    • C:\Users\Admin\AppData\Local\Temp\install.bat

                                      Filesize

                                      36KB

                                      MD5

                                      ab1df25ce1634bc85c334e72ccf8bad0

                                      SHA1

                                      ed41e7278e4d4188d83bd25c75b06778ca03bbef

                                      SHA256

                                      6cf6dbf922a1b97cf2b558cb5b22528824c9c50871d3b3c8f3901117092ff005

                                      SHA512

                                      f77718eff79f7e161d7fc1c1120c7ea1e2f02233118a8f0046ffb20ee62750c502caa172aa5865b96d27cafea10c01a067f37076976b653421258863d7147eaa

                                    • C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

                                      Filesize

                                      3.7MB

                                      MD5

                                      f65eb9487ee7a6a1c81c01f240a9292e

                                      SHA1

                                      c36b1c952c64a30e361a5f620a9228a269a7b566

                                      SHA256

                                      c58eb6e0ce843878414cfa41c6b7cf4cbddb5672c9876fdd5d1ca49cf080db60

                                      SHA512

                                      f34dd9b53babf403393fde3fb778049e8394c5b43226a1c9fda0217f36aecf9051bcbe72de05ffdfd18d88b48ef5e57a705470c3923efcbe1b41b94cb8af9a19

                                    • C:\Users\Admin\AppData\Local\Temp\rutserv.exe

                                      Filesize

                                      4.5MB

                                      MD5

                                      77924b64450702a795d22ace4fe37b8f

                                      SHA1

                                      cf6b226a727355d9d6115e22f5bdc7bc9b3b4a69

                                      SHA256

                                      c416263b697c89b0969c7a9ceaf74c4e415a9002f36b886cd5e5f15e06397ecf

                                      SHA512

                                      ddc158bb17c6b5d35bdeaa2d4ab0bc3f0fea40df06c0b26f7ec3de9c173823d024058972ed2b2ec6569a25d429f27c370444debd855d36d65d74825102883d16

                                    • C:\Users\Admin\AppData\Local\Temp\set.reg

                                      Filesize

                                      16KB

                                      MD5

                                      2f11ff57f92c5f0a25a7c5f44d07bdee

                                      SHA1

                                      5dee09685da98b4d7763b61fdbdddcd09e63df78

                                      SHA256

                                      ac47d2ff7c82da7b7a9321028e5e0568154663ec7b3d3acb31a80d69eb407f5a

                                      SHA512

                                      208a8a94b655d34f6df5aec138bcf511981e5abfeee633cf40a9edf15886bb83ed54e3b71e6d28ca4d471cae3266cfbf73997826cf0186d03884aee0363784d0

                                    • C:\Users\Admin\AppData\Local\Temp\stop.js

                                      Filesize

                                      215B

                                      MD5

                                      804b35ef108ec9839eb6a9335add8ca1

                                      SHA1

                                      bf91e6645c4a1c8cab2d20388469da9ed0a82d56

                                      SHA256

                                      fe111b7ea4e14ab7ba5004aea52b10030e0282bb5c40d4ba55761a2c5be59406

                                      SHA512

                                      822a3ec5e0e353058d4355bc01a44440dafe8d16c57744a3dcbc962eb110ed3f6843556568616bfc5dc7fad5f5832cd27d6591dc50105f2c79fc16c33919936d

                                    • C:\Windows\SysWOW64\ctroot3\HookDrv.dll

                                      Filesize

                                      198KB

                                      MD5

                                      348af5474c0abb5769d4d75a12cca4ee

                                      SHA1

                                      b423c186f9cc4735f35df99bae8e72c351dfc745

                                      SHA256

                                      828ce0069f2f21dd9c3cf3832883ec9229831feaff4d212058e95579441d72a8

                                      SHA512

                                      6b6659c9b16ba523ffbf89f82194226299089cea92ee570e272a609a843d34f46e9a035b30f2cf99817e540a81bf692c1e72f4569675baf1189b256a8a5da487

                                    • C:\Windows\SysWOW64\ctroot3\RIPCServer.dll

                                      Filesize

                                      144KB

                                      MD5

                                      30e269f850baf6ca25187815912e21c5

                                      SHA1

                                      eb160de97d12b4e96f350dd0d0126d41d658afb3

                                      SHA256

                                      379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

                                      SHA512

                                      9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

                                    • C:\Windows\SysWOW64\ctroot3\RWLN.dll

                                      Filesize

                                      357KB

                                      MD5

                                      bb1f3e716d12734d1d2d9219a3979a62

                                      SHA1

                                      0ef66eed2f2ae45ec2d478902833b830334109cb

                                      SHA256

                                      d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

                                      SHA512

                                      bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

                                    • C:\Windows\SysWOW64\ctroot3\dsfVorbisEncoder.dll

                                      Filesize

                                      1.6MB

                                      MD5

                                      ff622a8812d8b1eff8f8d1a32087f9d2

                                      SHA1

                                      910615c9374b8734794ac885707ff5370db42ef1

                                      SHA256

                                      1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

                                      SHA512

                                      1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

                                    • C:\Windows\SysWOW64\ctroot3\rfusclient.exe

                                      Filesize

                                      3.7MB

                                      MD5

                                      f65eb9487ee7a6a1c81c01f240a9292e

                                      SHA1

                                      c36b1c952c64a30e361a5f620a9228a269a7b566

                                      SHA256

                                      c58eb6e0ce843878414cfa41c6b7cf4cbddb5672c9876fdd5d1ca49cf080db60

                                      SHA512

                                      f34dd9b53babf403393fde3fb778049e8394c5b43226a1c9fda0217f36aecf9051bcbe72de05ffdfd18d88b48ef5e57a705470c3923efcbe1b41b94cb8af9a19

• C:\Windows\SysWOW64\ctroot3\rutserv.exe
  Filesize: 4.5MB
  MD5: 77924b64450702a795d22ace4fe37b8f
  SHA1: cf6b226a727355d9d6115e22f5bdc7bc9b3b4a69
  SHA256: c416263b697c89b0969c7a9ceaf74c4e415a9002f36b886cd5e5f15e06397ecf
  SHA512: ddc158bb17c6b5d35bdeaa2d4ab0bc3f0fea40df06c0b26f7ec3de9c173823d024058972ed2b2ec6569a25d429f27c370444debd855d36d65d74825102883d16
