eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

max time kernel
187s
max time network
184s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
09-05-2023 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trojan-leaks-main/Ruthenium/Ruthenium.exe
Size

36KB
MD5

a1f174ce74dbe0e84e2c2964b29de0fd
SHA1

d4dd4b86ec50b2ea2519f5472642d30301e20aa3
SHA256

5066c3a750eb6f07addf5cee1e6b00894c52e1c4fbf1702befcd5ac9bf1d83f3
SHA512

41edeab57b55b74a22ac46814f985a78704b35c14d330d5264765ce9a22d19762659a47cfce13fcef28f322ed0a018976585dd65270690422b64b4860a2ecd31
SSDEEP

384:x6j2tyffbHj9X8EY5Z3absnexUDoRGAGYk2zWfAozcQcgJgyBkAg+jdGb90kGj:SDD9hYbqbhFZkeWoecuiATjXp

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Ruthenium.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Ruthenium.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3624 2464 WerFault.exe Ruthenium.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3048 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2860 reg.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exeAUDIODG.EXE

description pid process

Token: SeDebugPrivilege 3048 taskkill.exe
Token: 33 5024 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 5024 AUDIODG.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Ruthenium.exe

pid	pid_target	process	target process
3624	2464	WerFault.exe	Ruthenium.exe

pid	process
3048	taskkill.exe

pid	process
2860	reg.exe

description	pid	process
Token: SeDebugPrivilege	3048	taskkill.exe
Token: 33	5024	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5024	AUDIODG.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Ruthenium.execmd.execmd.exe

description	pid	process	target process
PID 2464 wrote to memory of 4176	2464	Ruthenium.exe	cmd.exe
PID 2464 wrote to memory of 4176	2464	Ruthenium.exe	cmd.exe
PID 2464 wrote to memory of 4176	2464	Ruthenium.exe	cmd.exe
PID 4176 wrote to memory of 3048	4176	cmd.exe	taskkill.exe
PID 4176 wrote to memory of 3048	4176	cmd.exe	taskkill.exe
PID 4176 wrote to memory of 3048	4176	cmd.exe	taskkill.exe
PID 2464 wrote to memory of 4872	2464	Ruthenium.exe	cmd.exe
PID 2464 wrote to memory of 4872	2464	Ruthenium.exe	cmd.exe
PID 2464 wrote to memory of 4872	2464	Ruthenium.exe	cmd.exe
PID 4872 wrote to memory of 2860	4872	cmd.exe	reg.exe
PID 4872 wrote to memory of 2860	4872	cmd.exe	reg.exe
PID 4872 wrote to memory of 2860	4872	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Ruthenium\Ruthenium.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Ruthenium\Ruthenium.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im taskmgr.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1052
2⤵
- Program crash
PID:3624

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x358
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2464-121-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download