Analysis
-
max time kernel
147s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
26-12-2023 15:27
General
-
Target
78db881af6d41d8ce120db6dfe104f24.exe
-
Size
2.4MB
-
MD5
78db881af6d41d8ce120db6dfe104f24
-
SHA1
1519b9fcc1f17b90a88acbfc089b5d2f76f21bad
-
SHA256
b644b71318ac3f1a5c01249c65bcc490ef7cffe13925c1e8e200eecd91df6c9c
-
SHA512
ea19d704961651c5fdac730f47b1470a9816dad13d9a3b67c6116eb6a778d8823a479d930676105172cea9fe235dd45f9993e12a228b984a43b5299a18866f58
-
SSDEEP
49152:d7K+TDiZtK4JnUTTbd7xnXTPTntYmzZfv+3nmRVHdA0IyDmAHA5Z4/:deLtKzRpX/tzVc0bIyawA5Z4/
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Modifies Windows Firewall 1 TTPs 8 IoCs
-
Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 13 IoCs
-
Drops file in System32 directory 31 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 5 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\78db881af6d41d8ce120db6dfe104f24.exe"C:\Users\Admin\AppData\Local\Temp\78db881af6d41d8ce120db6dfe104f24.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Company\NewProduct\setup.exe"C:\Program Files (x86)\Company\NewProduct\setup.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "3⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im RManServer.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Windows\System32\catroot3"1⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/realip.exe"1⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\install.bat"1⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\net.exenet stop rserver31⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop rserver32⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rserver3.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im r_server.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im cam_server.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\system32\rserver30"1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\system32\r_server.exe"1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\net.exenet stop Telnet1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Telnet2⤵
-
-
C:\Windows\SysWOW64\sc.exesc config tlntsvr start= disabled1⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Service Host Controller"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user HelpAssistant /delete1⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn security /f1⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="RealIP"1⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\net.exenet user HelpAssistant /delete1⤵
-
C:\Windows\SysWOW64\net.exenet stop "Service Host Controller"1⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Microsoft Outlook Express"1⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Service Host Controller"1⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"1⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"1⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete portopening tcp 570091⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="cam_server"1⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete portopening tcp 57011 all1⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαᵿ«¡¡á∩ ß¿ßΓѼá Microsoft Windows" /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f1⤵
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f1⤵
-
C:\Windows\SysWOW64\catroot3\rutserv.exe"rutserv.exe" /silentinstall1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regedit.exeregedit /s set.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\catroot3\rutserv.exe"rutserv.exe" /firewall1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\catroot3\rutserv.exeC:\Windows\SysWOW64\catroot3\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\catroot3\rfusclient.exeC:\Windows\SysWOW64\catroot3\rfusclient.exe /tray2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\catroot3\rfusclient.exeC:\Windows\SysWOW64\catroot3\rfusclient.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\catroot3\rfusclient.exeC:\Windows\SysWOW64\catroot3\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/realip.exe"1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\install.bat"1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\stop.js"1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/HookLib.dll"1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/block_reader.sys"1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\catroot3\rutserv.exe"rutserv.exe" /start1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f1⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\SysWOW64\r_server.exe"1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\SysWOW64\rserver30"1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\SysWOW64\cam_server.exe"1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\system32\cam_server.exe"1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\stop.js"1⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/block_reader.sys"1⤵
- Sets file to hidden
- Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD55f2abc82a5c1eca8878544725661fa8c
SHA1565d6f27a9b6853f07fdcbaf4766bb5f54545200
SHA25673a8168dd84405f6230636fdf2543454d7b3df885579678c0ccdf3ce125fa5fc
SHA51211ddfa43a4d615c73eb42dc947b166b3d283d6a0440d6378265baf0118ac697588bc4dba904f3558a513768ab442d280a3a583abbd266b6a5e43689aa4fb713a
-
Filesize
92KB
MD5242386985792a80f532b9fc5f93f820e
SHA1a0d32daa079d69e4fb6502db9d29c08a9298169b
SHA2564c203211a3399655d3faa872a17e050e683f9b49ed7275fdb75a9d6d12164871
SHA51242666a949cbbc5621123578ecf47fcd2c9ac2ee1404aeaae6ddad5d5134e6e284ddbe90cfbbc097f26f3f707af3b05fe6e8157b4ddc70a7a6e62758b5f2c8295
-
Filesize
144KB
MD5513066a38057079e232f5f99baef2b94
SHA1a6da9e87415b8918447ec361ba98703d12b4ee76
SHA25602dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e
SHA51283a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5
-
Filesize
84KB
MD565889701199e41ae2abee652a232af6e
SHA13f76c39fde130b550013a4f13bfea2862b5628cf
SHA256ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e
SHA512edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5
-
Filesize
240KB
MD55f2fc8a0d96a1e796a4daae9465f5dd6
SHA1224f13f3cbaa441c0cb6d6300715fda7136408ea
SHA256f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f
SHA512da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad
-
Filesize
1.4MB
MD53c9dd83b3cd8b8a38d75963467860342
SHA18d63e23caa3d093bb02858154301cbe0cb198b5d
SHA256ccd5ab456e20db5891f0ff23bbcf63f1003a02126203e320a80c83512a24bbda
SHA512b2b11cf1eabf4d3a862fb8950bc8e32ebbb2b6341c384dcb5c6dc26794b02375f99fa9280bf168070d478a7d1ce1ba3071907760f04b705730aefda7c82dca90
-
Filesize
193KB
MD560c0adcd87bfac0b09f72267c6a9c8fe
SHA158e49d62429df8e51e31a412e8ece4c745b87721
SHA2566c3224f619a8ab86c51d045e3f0276c4af57bcf373f675db7aaaed58b7571428
SHA512dacdda5bfb8d089df498f7d59887451af7b1f1b63527b76d6d5c5579492c73655ba2b2db33aa69b5822536e9ba931848cdb22005cbfa8ee47104bd040864f5d3
-
Filesize
40KB
MD52abb9b5840a118fd3845495082cc1033
SHA1bbf3bac0d6849b15b68da0ed5ef1e25e74fbab7f
SHA25652700888d426c79fdd3cefb1401ccfce06dca1e2fd025f40ec431b038d3da257
SHA512351e09b02947342a7239d399232684a0f6af15f468982b5f9d6a78c2ff61157dee90e9adea0b81eb0f6ef4de0a8d471c78f3e14c56cb296444f595ab360a09a6
-
Filesize
35KB
MD5d20fffa97653fd8a9f3b0272ede57258
SHA10db2b2f5bbce3231d04a031fe491c8d13f5e4f97
SHA256d3de83732cca3d1e7a776cda78cf4721f6abf3d3d8fb81b424abdc3e59507093
SHA5125d54d6a6c76f8a09ac66300fcfff25b5b4b1a1fa957be3873a182277d765ba1b52e9cc23ba8f9b7beebe274871dbb41f744c88f3c1950c9a6d08cb3670c76fa1
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
4KB
-
Filesize
3.4MB
-
Filesize
352KB
-
Filesize
3.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.8MB
-
Filesize
4KB
-
Filesize
3.8MB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
352KB
-
Filesize
3.4MB
-
Filesize
352KB
-
Filesize
4KB