6a15bbc07f71cb94719890fa67eff76333f87578a77197bd7cae2e4c2ef40a9f

Analysis

max time kernel
45s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2023 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42747eef2ec5138ff1c51ecaf86e0cc8e43e651c3de264aa73eb43d6f547d098.exe
Size

16.2MB
MD5

5b1242f60d18e7bfc2f5f5a0b6737396
SHA1

46b6946732de7232ea3d2db96cb7e2a4d7538334
SHA256

42747eef2ec5138ff1c51ecaf86e0cc8e43e651c3de264aa73eb43d6f547d098
SHA512

65e2d1e75d12143eb89b8466da57d0d5ba1c26fabc96f15c42689c708efa44576b8a4f0cdc8fccc69c207b12d4b68cd9fc1a82c2e2ce1b3a2d6b753b721ce81f
SSDEEP

393216:Jk4KGkr17htS1jqRnsQQ0suas3DLO4s99H36CyLTVtRxLgU:Jk1Gy/tS1wnsQQvsTi4e9XAjxLn

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

42747eef2ec5138ff1c51ecaf86e0cc8e43e651c3de264aa73eb43d6f547d098.exerfusclient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	42747eef2ec5138ff1c51ecaf86e0cc8e43e651c3de264aa73eb43d6f547d098.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Executes dropped EXE 1 IoCs

Processes:

rfusclient.exe

pid	Process
3608	rfusclient.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4944-0-0x0000000000400000-0x00000000027C0000-memory.dmp	upx
behavioral2/memory/4944-2-0x0000000000400000-0x00000000027C0000-memory.dmp	upx
behavioral2/memory/4944-67-0x0000000000400000-0x00000000027C0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rfusclient.exe

pid	Process
3608	rfusclient.exe
3608	rfusclient.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

42747eef2ec5138ff1c51ecaf86e0cc8e43e651c3de264aa73eb43d6f547d098.exe

description	pid	Process	procid_target
PID 4944 wrote to memory of 3608	4944	42747eef2ec5138ff1c51ecaf86e0cc8e43e651c3de264aa73eb43d6f547d098.exe	89
PID 4944 wrote to memory of 3608	4944	42747eef2ec5138ff1c51ecaf86e0cc8e43e651c3de264aa73eb43d6f547d098.exe	89
PID 4944 wrote to memory of 3608	4944	42747eef2ec5138ff1c51ecaf86e0cc8e43e651c3de264aa73eb43d6f547d098.exe	89

C:\Users\Admin\AppData\Local\Temp\42747eef2ec5138ff1c51ecaf86e0cc8e43e651c3de264aa73eb43d6f547d098.exe
"C:\Users\Admin\AppData\Local\Temp\42747eef2ec5138ff1c51ecaf86e0cc8e43e651c3de264aa73eb43d6f547d098.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rfusclient.exe
  "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rfusclient.exe" -run_agent
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3608
- - C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rutserv.exe
    "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rutserv.exe" -run_agent
    3⤵
    PID:4764
  - - C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rutserv.exe
      "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rutserv.exe" -run_agent -second
      4⤵
      PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\EULA.rtf

Filesize
133KB

MD5
7fd09e69fa62629a04d1e23bb8ca5ff6

SHA1
3952c5f339c8bbdf17aff113bcb0149ac8ce4fa6

SHA256
f9c56736029b7d278bf8fabc6e0f5bdac67e24b088f2172ea07df2baa3072c19

SHA512
e66d523eb5bdfc517749b608ffcd66b883be9c4b8c5c42dbf7e48fe412a5c0ca0876d0dbc8a68355e7bb532ce8749c5e444a25f996b4c27e382e79579ab2b59a

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\eventmsg.dll

Filesize
51KB

MD5
4e84df6558c385bc781cddea34c9fba3

SHA1
6d63d87c19c11bdbfa484a5835ffffd7647296c8

SHA256
0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d

SHA512
c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\eventmsg.dll

Filesize
51KB

MD5
4e84df6558c385bc781cddea34c9fba3

SHA1
6d63d87c19c11bdbfa484a5835ffffd7647296c8

SHA256
0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d

SHA512
c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\libeay32.dll

Filesize
1.3MB

MD5
f8fbc228c3139532971f66881262b940

SHA1
f1655c3b836c764fdc0bb07661c3ef70a9f51318

SHA256
e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604

SHA512
cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\libeay32.dll

Filesize
1.3MB

MD5
f8fbc228c3139532971f66881262b940

SHA1
f1655c3b836c764fdc0bb07661c3ef70a9f51318

SHA256
e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604

SHA512
cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\libeay32.dll

Filesize
1.3MB

MD5
f8fbc228c3139532971f66881262b940

SHA1
f1655c3b836c764fdc0bb07661c3ef70a9f51318

SHA256
e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604

SHA512
cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\libeay32.dll

Filesize
1.3MB

MD5
f8fbc228c3139532971f66881262b940

SHA1
f1655c3b836c764fdc0bb07661c3ef70a9f51318

SHA256
e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604

SHA512
cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rfusclient.exe

Filesize
11.1MB

MD5
0bde36e64c97bc8c2cb02aa05249fe28

SHA1
7939e68abddb44f1d91acb2694e3c56ef85371eb

SHA256
6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d

SHA512
2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rfusclient.exe

Filesize
11.1MB

MD5
0bde36e64c97bc8c2cb02aa05249fe28

SHA1
7939e68abddb44f1d91acb2694e3c56ef85371eb

SHA256
6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d

SHA512
2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rfusclient.exe

Filesize
11.1MB

MD5
0bde36e64c97bc8c2cb02aa05249fe28

SHA1
7939e68abddb44f1d91acb2694e3c56ef85371eb

SHA256
6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d

SHA512
2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rutserv.exe

Filesize
18.0MB

MD5
a4ebaae03c33f847be0938570445aeaa

SHA1
8665c2c26924e3fe70c39a2b8513d7f076dba10b

SHA256
423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8

SHA512
e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rutserv.exe

Filesize
18.0MB

MD5
a4ebaae03c33f847be0938570445aeaa

SHA1
8665c2c26924e3fe70c39a2b8513d7f076dba10b

SHA256
423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8

SHA512
e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rutserv.exe

Filesize
18.0MB

MD5
a4ebaae03c33f847be0938570445aeaa

SHA1
8665c2c26924e3fe70c39a2b8513d7f076dba10b

SHA256
423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8

SHA512
e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\rutserv.exe

Filesize
18.0MB

MD5
a4ebaae03c33f847be0938570445aeaa

SHA1
8665c2c26924e3fe70c39a2b8513d7f076dba10b

SHA256
423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8

SHA512
e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\ssleay32.dll

Filesize
336KB

MD5
fe8cda03e1df3c3a6dc8375263e790c3

SHA1
67955da301ef89cd0429074e403769721e7594be

SHA256
1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd

SHA512
0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\ssleay32.dll

Filesize
336KB

MD5
fe8cda03e1df3c3a6dc8375263e790c3

SHA1
67955da301ef89cd0429074e403769721e7594be

SHA256
1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd

SHA512
0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\ssleay32.dll

Filesize
336KB

MD5
fe8cda03e1df3c3a6dc8375263e790c3

SHA1
67955da301ef89cd0429074e403769721e7594be

SHA256
1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd

SHA512
0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\ssleay32.dll

Filesize
336KB

MD5
fe8cda03e1df3c3a6dc8375263e790c3

SHA1
67955da301ef89cd0429074e403769721e7594be

SHA256
1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd

SHA512
0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\vp8decoder.dll

Filesize
379KB

MD5
e247666cdea63da5a95aebc135908207

SHA1
4642f6c3973c41b7d1c9a73111a26c2d7ac9c392

SHA256
b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33

SHA512
06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\vp8decoder.dll

Filesize
379KB

MD5
e247666cdea63da5a95aebc135908207

SHA1
4642f6c3973c41b7d1c9a73111a26c2d7ac9c392

SHA256
b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33

SHA512
06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\vp8encoder.dll

Filesize
1.6MB

MD5
d5c2a6ac30e76b7c9b55adf1fe5c1e4a

SHA1
3d841eb48d1a32b511611d4b9e6eed71e2c373ee

SHA256
11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428

SHA512
3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\vp8encoder.dll

Filesize
1.6MB

MD5
d5c2a6ac30e76b7c9b55adf1fe5c1e4a

SHA1
3d841eb48d1a32b511611d4b9e6eed71e2c373ee

SHA256
11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428

SHA512
3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\webmmux.dll

Filesize
259KB

MD5
49c51ace274d7db13caa533880869a4a

SHA1
b539ed2f1a15e2d4e5c933611d736e0c317b8313

SHA256
1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b

SHA512
13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\webmmux.dll

Filesize
259KB

MD5
49c51ace274d7db13caa533880869a4a

SHA1
b539ed2f1a15e2d4e5c933611d736e0c317b8313

SHA256
1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b

SHA512
13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\webmvorbisdecoder.dll

Filesize
364KB

MD5
eda07083af5b6608cb5b7c305d787842

SHA1
d1703c23522d285a3ccdaf7ba2eb837d40608867

SHA256
c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d

SHA512
be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\webmvorbisdecoder.dll

Filesize
364KB

MD5
eda07083af5b6608cb5b7c305d787842

SHA1
d1703c23522d285a3ccdaf7ba2eb837d40608867

SHA256
c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d

SHA512
be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\webmvorbisencoder.dll

Filesize
859KB

MD5
642dc7e57f0c962b9db4c8fb346bc5a7

SHA1
acee24383b846f7d12521228d69135e5704546f6

SHA256
63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede

SHA512
fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\4F1E026B04\webmvorbisencoder.dll

Filesize
859KB

MD5
642dc7e57f0c962b9db4c8fb346bc5a7

SHA1
acee24383b846f7d12521228d69135e5704546f6

SHA256
63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede

SHA512
fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

Download Submit
memory/1240-83-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/3608-73-0x0000000000400000-0x0000000000FA4000-memory.dmp

Filesize
11.6MB

Download
memory/3608-70-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/4764-82-0x0000000000400000-0x00000000016BA000-memory.dmp

Filesize
18.7MB

Download
memory/4764-74-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/4764-80-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/4764-79-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/4944-67-0x0000000000400000-0x00000000027C0000-memory.dmp

Filesize
35.8MB

Download
memory/4944-0-0x0000000000400000-0x00000000027C0000-memory.dmp

Filesize
35.8MB

Download
memory/4944-2-0x0000000000400000-0x00000000027C0000-memory.dmp

Filesize
35.8MB

Download
memory/4944-1-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download