a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

General

Target

tmp.exe
Size

8.3MB
MD5

73f351beae5c881fafe36f42cde9a47c
SHA1

dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256

a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512

f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66
SSDEEP

196608:PdQ5Lq4eAGPJgBDpKLtW0tzHlYd3cvF8m9k/RRZpAp2FG0c+imhtO:P2VqyC8mQ0vxN79kpR40cUO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	tmp.exe

Executes dropped EXE 1 IoCs

Processes:

backgroundTaskHost.exe

pid	Process
2552	backgroundTaskHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

backgroundTaskHost.exe

pid	Process
2552	backgroundTaskHost.exe
2552	backgroundTaskHost.exe
2552	backgroundTaskHost.exe
2552	backgroundTaskHost.exe
2552	backgroundTaskHost.exe
2552	backgroundTaskHost.exe
2552	backgroundTaskHost.exe
2552	backgroundTaskHost.exe
2552	backgroundTaskHost.exe
2552	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	4520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4520	msiexec.exe
Token: SeSecurityPrivilege	5012	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

backgroundTaskHost.exe

pid	Process
2552	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

tmp.exebackgroundTaskHost.exe

description	pid	Process	procid_target
PID 1624 wrote to memory of 2552	1624	tmp.exe	114
PID 1624 wrote to memory of 2552	1624	tmp.exe	114
PID 1624 wrote to memory of 2552	1624	tmp.exe	114
PID 2552 wrote to memory of 4520	2552	backgroundTaskHost.exe	92
PID 2552 wrote to memory of 4520	2552	backgroundTaskHost.exe	92
PID 2552 wrote to memory of 4520	2552	backgroundTaskHost.exe	92

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
    3⤵
    PID:3936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8DD1F2A714C5193E7CEBF26C5A7F602F
  2⤵
  PID:4724
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  PID:4252
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  PID:876
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  PID:224

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
1⤵
PID:4144

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
1⤵
PID:3940
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  PID:4120

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
PID:4712

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
2.5MB

MD5
4cb803fa5c8b14e9fc0d8577b5f01b12

SHA1
4835b322fc4dd08b023ccd16d7d9b66d483e3a70

SHA256
c3f0678f73e2bf0a39b90b26c5758659da5a09d36389eb6cfd2bb091404ec209

SHA512
ad3202101da86c0a68fda062c3eae67ae050777db33c03f08acf4b0c35ae4aa4451f0ce2c2d7f8001d0bc93013688c575ea01f58b20b0fa71fa881266999415c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
1.2MB

MD5
b8cf2dd72d4f3cf52b8d073cc0ac9bfa

SHA1
46298652e2e917ec40e5349aed0dca74a501caf5

SHA256
c30124c1358d2559aff2d197188af31eda39d35930419d9118d60b13acbf3077

SHA512
7975dcfb5ccddfb6572e7b3750c22d8d94e9c15e1441f86f0e243408dc995c265fbbf443fae4b61d3a5b7502a8b4e4d918db10a06f380afa4816913909be4c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
877KB

MD5
fd094a1b06ce4000c6ad9047121889fb

SHA1
82d16f99fbbd0fe332b783954d218bbfde6e5e7d

SHA256
21a8df27fd57164a7eb7acb7690fb41f0bcc1eb9b699fbf67a8645a577af94d5

SHA512
92ea21d8f699520ae8fe026a73ad849c56eb98a1ed722ac3d41f4d9c5d23f6e2274e6bc0d4a77218e3ea4796a508173e9181f8d60a7ef7839b2ddd5ff10d29ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

Filesize
1.4MB

MD5
30c2fcd421becb204c4b1f8ca925f0a5

SHA1
a8297e427dd4b360084c370ddf0b07300b85bafe

SHA256
ec3900be064505af6836560d5229d8a819f020367a4820c406c083befe4cd4ad

SHA512
c85194ab3249957cf4d63223c7685960029699c7fc87304756931edbdd06243e4aeb9153fe1d263767873cdd7a0ac96af8bff523383ee3d1e65a3cf7a378cd56

Download Submit
memory/224-139-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/224-118-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/876-108-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/876-107-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2552-14-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/2552-124-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3940-141-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/3940-148-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3940-156-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4120-145-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/4120-146-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4144-177-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4144-155-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/4144-140-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/4144-149-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4144-152-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4144-159-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4144-163-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4252-105-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4252-104-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/4712-189-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4712-125-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/4712-200-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4712-161-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4712-171-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4712-153-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/4712-175-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4712-182-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4712-157-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4712-196-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4712-147-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads