8edbedff95b25d5e437e4ff1ff5197c50ebce68020c9531ccaa09510c6f94a13

Analysis

max time kernel
0s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d864a0ac635e811332124e1df1458257.exe
Size

10.4MB
MD5

d864a0ac635e811332124e1df1458257
SHA1

8d2e8e36ad08c6d7a38fdb3304ce25181586cd5c
SHA256

8edbedff95b25d5e437e4ff1ff5197c50ebce68020c9531ccaa09510c6f94a13
SHA512

f1cf8119708965ecf5052be88732e23031afc47676da3482227ce93b90f06064e363012448fb699ee4fdf1bd8643b3aad647de1b77d36ae0a74c6ff8f5ab0f1b
SSDEEP

196608:xoeZUtx0psIKcQEgNvR5ffalRn2amSNJiWa:xlqSsIiEgNvbfSlB2amSNJir

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d864a0ac635e811332124e1df1458257.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	d864a0ac635e811332124e1df1458257.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid	Process
5000	regedit.exe

C:\Users\Admin\AppData\Local\Temp\d864a0ac635e811332124e1df1458257.exe
"C:\Users\Admin\AppData\Local\Temp\d864a0ac635e811332124e1df1458257.exe"
1⤵
- Checks computer location settings
PID:660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3FA9.tmp\1213.bat" "
  2⤵
  PID:632
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /silentinstall
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /firewall
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "settings.reg"
    3⤵
    - Runs .reg file with regedit
    PID:5000
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /start
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    PID:2060

C:\Windows\SysWOW64\rutserv.exe
C:\Windows\SysWOW64\rutserv.exe
1⤵
PID:4988
- C:\Windows\SysWOW64\rfusclient.exe
  C:\Windows\SysWOW64\rfusclient.exe
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\rfusclient.exe
    C:\Windows\SysWOW64\rfusclient.exe /tray
    3⤵
    PID:1256
- C:\Windows\SysWOW64\rfusclient.exe
  C:\Windows\SysWOW64\rfusclient.exe /tray
  2⤵
  PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3FA9.tmp\1213.bat

Filesize
1KB

MD5
a1b4263a202c77f63141c716e836a4ab

SHA1
f3859ca14556b04192ed95ff0d9876500a9ab52d

SHA256
3c85a85ca0516b3763fa370e8347da94b65b047d194847756879c8f482d78231

SHA512
64498944db72ca33ff2877d60f375e67f42fc5c9624a2b7617fe5b5776db06c66f4af3763b6bb2e3b6c654a1b148494e7397286e5d69f76aaa35e3abdfbf41bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FA9.tmp\RIPCServer.dll

Filesize
144KB

MD5
30e269f850baf6ca25187815912e21c5

SHA1
eb160de97d12b4e96f350dd0d0126d41d658afb3

SHA256
379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

SHA512
9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FA9.tmp\RWLN.dll

Filesize
357KB

MD5
bb1f3e716d12734d1d2d9219a3979a62

SHA1
0ef66eed2f2ae45ec2d478902833b830334109cb

SHA256
d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

SHA512
bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FA9.tmp\dsfVorbisDecoder.dll

Filesize
234KB

MD5
8e3f59b8c9dfc933fca30edefeb76186

SHA1
37a78089d5936d1bc3b60915971604c611a94dbd

SHA256
528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

SHA512
3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FA9.tmp\rfusclient.exe

Filesize
3.9MB

MD5
511ab5d90c2e370a942fc3b9077c38d3

SHA1
a7d4f2dc7ab8ca93a4bec1bac2468166c0ed3f86

SHA256
0f07353d08de0a6265d25b66a273fabeef807f868779ad79559cd17c203e313c

SHA512
82861f55433d9bc6daeb9657c9b8c056fa7cfc7c09bc51d3e4cef7684e3ca4d78036ad1a07ad2336e5e49510bab41fa5a3888dae80ef674a7ff5c16305e240c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FA9.tmp\rutserv.exe

Filesize
2.4MB

MD5
21367f2ba84f11ba517780876a3e462a

SHA1
dcdddc5097630a491031ef19d211b77979ffb984

SHA256
0ad6b6f39c0e049b07ba814d7af2f0daf397c212b9149ce9aec39a23ad51beff

SHA512
91c223605a16cd8526a6fed2d6a5f9912de878fe6afa8c7ede95cd72233d1969c89c0b1d0074cee9bd572bb972036b4e79a017c037ac2075007623303f964915

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FA9.tmp\vp8decoder.dll

Filesize
403KB

MD5
6f6bfe02e84a595a56b456f72debd4ee

SHA1
90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2

SHA256
5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51

SHA512
ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FA9.tmp\vp8encoder.dll

Filesize
685KB

MD5
c638bca1a67911af7f9ed67e7b501154

SHA1
0fd74d2f1bd78f678b897a776d8bce36742c39b7

SHA256
519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8

SHA512
ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
894KB

MD5
94be18c279a7a9a5388e2e8f8d707c6b

SHA1
84bdef64fe915463e1e79de593b7fb4a6a6c4088

SHA256
8f79398406c12e5ed81421b31e07d2643f8ccc69636db62e3d7f8f3c1c117e58

SHA512
500cb1dc589b28eb8d62f3e2ace398168dfb89b972fa772627478b3768b2c755b340e0a737e321f6a90a00efecae5641fc47092cc6f4778cabfd87a247535343

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
382KB

MD5
7d445b9beca2310df6fac7da74d9fc91

SHA1
ab4c0911f506c844b7abbc5e62b156c95c4e4f64

SHA256
4fd50c80e41f5b5da26295e2f7b15d54c48426d600e6ade41ca7049b758e615c

SHA512
afaad2050b2394f471f4f94b36a2745b9da17f8965fc2998961aefc51cc2d6722d8bb7e891115c8c8101e81c2b5dc3e90fe0837bf8fa91bc6edfbd86cdf90cfa

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
381KB

MD5
f65821343b067e427c06e5b099bc0d4d

SHA1
00c55a877f85f0d17655d5e933d85c798bbbce90

SHA256
8056e00ee570dd0818b73224d81c0bd5f75cc9c78eadc0624d10a6b4192a8dec

SHA512
365e3b6ac4557aaece0b485ff56d84cee37da8db002987a6afd73a38b376fc9a2887e4c2cdaaa0a0f1ae3442d863fef281788d676ca43c559ae60dc49d891df4

Download Submit
memory/1256-67-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1256-68-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1356-48-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1356-49-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/1800-62-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/1800-52-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2212-71-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2212-63-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2212-73-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2384-46-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2384-44-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/3844-75-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/3844-80-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/3844-64-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/3844-70-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/3844-78-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4988-79-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4988-72-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4988-54-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4988-69-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4988-83-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4988-89-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4988-93-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4988-100-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4988-107-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4988-114-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download