rms | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

8.3MB
MD5

73f351beae5c881fafe36f42cde9a47c
SHA1

dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256

a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512

f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66
SSDEEP

196608:PdQ5Lq4eAGPJgBDpKLtW0tzHlYd3cvF8m9k/RRZpAp2FG0c+imhtO:P2VqyC8mQ0vxN79kpR40cUO

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 8 IoCs

Processes:

installer.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid	Process
2396	installer.exe
2320	rutserv.exe
1316	rutserv.exe
604	rutserv.exe
2408	rutserv.exe
1820	rfusclient.exe
1224	rfusclient.exe
2868	rfusclient.exe

Loads dropped DLL 4 IoCs

Processes:

tmp.exeMsiExec.exerutserv.exe

pid	Process
1072	tmp.exe
2356	MsiExec.exe
2408	rutserv.exe
2408	rutserv.exe

Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exe

flow	pid	Process
3	2584	msiexec.exe
6	2584	msiexec.exe
8	2584	msiexec.exe
10	2584	msiexec.exe
12	2584	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 53 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe

Drops file in Windows directory 18 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\f76192c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76192c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D78.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f76192f.ipi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\f76192f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F2D.tmp	msiexec.exe
File created	C:\Windows\Installer\f761931.msi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

installer.exemsiexec.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	Process
2396	installer.exe
2396	installer.exe
2396	installer.exe
2396	installer.exe
2396	installer.exe
2396	installer.exe
2584	msiexec.exe
2584	msiexec.exe
2320	rutserv.exe
2320	rutserv.exe
2320	rutserv.exe
2320	rutserv.exe
1316	rutserv.exe
1316	rutserv.exe
604	rutserv.exe
604	rutserv.exe
2408	rutserv.exe
2408	rutserv.exe
2408	rutserv.exe
2408	rutserv.exe
1820	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid	Process
2868	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeSecurityPrivilege	2584	msiexec.exe
Token: SeCreateTokenPrivilege	1124	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1124	msiexec.exe
Token: SeLockMemoryPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeMachineAccountPrivilege	1124	msiexec.exe
Token: SeTcbPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeLoadDriverPrivilege	1124	msiexec.exe
Token: SeSystemProfilePrivilege	1124	msiexec.exe
Token: SeSystemtimePrivilege	1124	msiexec.exe
Token: SeProfSingleProcessPrivilege	1124	msiexec.exe
Token: SeIncBasePriorityPrivilege	1124	msiexec.exe
Token: SeCreatePagefilePrivilege	1124	msiexec.exe
Token: SeCreatePermanentPrivilege	1124	msiexec.exe
Token: SeBackupPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeDebugPrivilege	1124	msiexec.exe
Token: SeAuditPrivilege	1124	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1124	msiexec.exe
Token: SeChangeNotifyPrivilege	1124	msiexec.exe
Token: SeRemoteShutdownPrivilege	1124	msiexec.exe
Token: SeUndockPrivilege	1124	msiexec.exe
Token: SeSyncAgentPrivilege	1124	msiexec.exe
Token: SeEnableDelegationPrivilege	1124	msiexec.exe
Token: SeManageVolumePrivilege	1124	msiexec.exe
Token: SeImpersonatePrivilege	1124	msiexec.exe
Token: SeCreateGlobalPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

installer.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	Process
2396	installer.exe
2320	rutserv.exe
1316	rutserv.exe
604	rutserv.exe
2408	rutserv.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

tmp.exeinstaller.exemsiexec.exerutserv.exerfusclient.exe

description	pid	Process	procid_target
PID 1072 wrote to memory of 2396	1072	tmp.exe	28
PID 1072 wrote to memory of 2396	1072	tmp.exe	28
PID 1072 wrote to memory of 2396	1072	tmp.exe	28
PID 1072 wrote to memory of 2396	1072	tmp.exe	28
PID 1072 wrote to memory of 2396	1072	tmp.exe	28
PID 1072 wrote to memory of 2396	1072	tmp.exe	28
PID 1072 wrote to memory of 2396	1072	tmp.exe	28
PID 2396 wrote to memory of 1124	2396	installer.exe	29
PID 2396 wrote to memory of 1124	2396	installer.exe	29
PID 2396 wrote to memory of 1124	2396	installer.exe	29
PID 2396 wrote to memory of 1124	2396	installer.exe	29
PID 2396 wrote to memory of 1124	2396	installer.exe	29
PID 2396 wrote to memory of 1124	2396	installer.exe	29
PID 2396 wrote to memory of 1124	2396	installer.exe	29
PID 2584 wrote to memory of 2356	2584	msiexec.exe	31
PID 2584 wrote to memory of 2356	2584	msiexec.exe	31
PID 2584 wrote to memory of 2356	2584	msiexec.exe	31
PID 2584 wrote to memory of 2356	2584	msiexec.exe	31
PID 2584 wrote to memory of 2356	2584	msiexec.exe	31
PID 2584 wrote to memory of 2356	2584	msiexec.exe	31
PID 2584 wrote to memory of 2356	2584	msiexec.exe	31
PID 2584 wrote to memory of 2320	2584	msiexec.exe	39
PID 2584 wrote to memory of 2320	2584	msiexec.exe	39
PID 2584 wrote to memory of 2320	2584	msiexec.exe	39
PID 2584 wrote to memory of 2320	2584	msiexec.exe	39
PID 2584 wrote to memory of 1316	2584	msiexec.exe	32
PID 2584 wrote to memory of 1316	2584	msiexec.exe	32
PID 2584 wrote to memory of 1316	2584	msiexec.exe	32
PID 2584 wrote to memory of 1316	2584	msiexec.exe	32
PID 2584 wrote to memory of 604	2584	msiexec.exe	38
PID 2584 wrote to memory of 604	2584	msiexec.exe	38
PID 2584 wrote to memory of 604	2584	msiexec.exe	38
PID 2584 wrote to memory of 604	2584	msiexec.exe	38
PID 2396 wrote to memory of 1912	2396	installer.exe	37
PID 2396 wrote to memory of 1912	2396	installer.exe	37
PID 2396 wrote to memory of 1912	2396	installer.exe	37
PID 2396 wrote to memory of 1912	2396	installer.exe	37
PID 2408 wrote to memory of 1820	2408	rutserv.exe	35
PID 2408 wrote to memory of 1820	2408	rutserv.exe	35
PID 2408 wrote to memory of 1820	2408	rutserv.exe	35
PID 2408 wrote to memory of 1820	2408	rutserv.exe	35
PID 2408 wrote to memory of 1224	2408	rutserv.exe	34
PID 2408 wrote to memory of 1224	2408	rutserv.exe	34
PID 2408 wrote to memory of 1224	2408	rutserv.exe	34
PID 2408 wrote to memory of 1224	2408	rutserv.exe	34
PID 1820 wrote to memory of 2868	1820	rfusclient.exe	40
PID 1820 wrote to memory of 2868	1820	rfusclient.exe	40
PID 1820 wrote to memory of 2868	1820	rfusclient.exe	40
PID 1820 wrote to memory of 2868	1820	rfusclient.exe	40

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat
    3⤵
    PID:1912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 159F5C1253A1C120A81C960371565291
  2⤵
  - Loads dropped DLL
  PID:2356
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1316
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:604
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2320

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
2.9MB

MD5
df3b70746d3e28f1e94b7dd339393fad

SHA1
f9284b117823c45726ebb77f0b155141d6ec2b5d

SHA256
379a2d8481a2d4aea57f82b2ad7e281882ff84f16e93b47f5af851fc74df6e8c

SHA512
07d5c83846bf1c0761394df7995aad0707a17e88057787c8a83b1994fe8088437e7b55a3baa205188f4bee44f82fbb12f2dd1e2c5d0c3cbc9cec2c0bae2beace

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
2.4MB

MD5
db67db112549c9bb3c0c53222598a316

SHA1
0f0d17ec2217ff0f9c657096a38f1228f4d15d61

SHA256
40f5db288ada756270fa75cd0df7d3b9a59fdf18a8c8570e31d712191d9a9d0e

SHA512
11301b1dfb7f9f184b4d6381c875d944214f37280e5954e52cee46c92c5c7db089c9f5b0b290133863aa0262fdc2dbac541645d5a108a2b9464c106337e75b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
2.1MB

MD5
0329e184c27896b0809f92f39b326c52

SHA1
c4bc2c59380e711da3983d05302a84659ff61d3c

SHA256
255290bfe9892026ad5be0196da7b7db4148e80cfbfb4a4b4c4d7638e1459989

SHA512
45051c5af630decb06a85ecfede6acf4eb7c368c64c6ea7e62f10aa3440a57872fb3e26e390b91074d09f84a4754af3b1f9239fe0e9f1a052aefea39c4c5e2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

Filesize
1.4MB

MD5
d195df003c7bd5f59843c25a074384c8

SHA1
469bc53270afe9bf8902a96a8ad01d86cb56be22

SHA256
9e5404acf8b2337c94a30d09ae6be2f18f8d70b953ea9f486bfe7b132d16bd72

SHA512
1de83e8f5da39c5986f8f743e7cf9dc39bfb470cc021e11f32bc8cfb9dfc573404385156afd2563b9420f3dc14f618eb1f41a988615ca75dcb39a7caa359ddb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B43.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Installer\MSI1D78.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\f76192c.msi

Filesize
92KB

MD5
b32fdbab0310b5f9df4b5684f1869d5c

SHA1
291dc93b26430eb9560eb5be8d6d149e64171e17

SHA256
d6a0b0bd6846528ca3f3d505727b1eef8cd69062237b8b34378db8e1c7ece1e0

SHA512
e804cea0de422ca6268842eeba87cc22a6b26feafe89ae34bc8bc1f5f82f69883ed99ecf435690d5a68a41281491b58f39c226a6df0cbba7f9634d462cdc3049

Download Submit
C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
3.1MB

MD5
51d256e53f1c812a165387649910cad3

SHA1
fbe8039d65f171caddf6e8551cb8353f30c5b506

SHA256
d4776d9c6939dfeb04b73caae68a6b241c83c5d7d89df6e59e5fea8834d9b70a

SHA512
2970daf81a1ab06a907bd0929535811d7decd1af9e7d3d585e8448287e51504191331fdfd652343de3ac3c282f74ae594e742b38d39f6b182280b4a898aee100

Download Submit
\Windows\Installer\MSI1D78.tmp

Filesize
93KB

MD5
826501309eaf87cc9baeb0657b222607

SHA1
ab2f41b46d384422507e45f71fb1409d9a949779

SHA256
fffa198b1ee9dafcc4e91daa90602368f73b859876b88d1841ce670867b9dc00

SHA512
63077090a9d0c621287e5d8bbebe92add3f5a926c908565d895c104e3352d096e04ca6591d3203a0f44b891d17c634a4db82f8fe454f6f2d03b7954c0d6becb2

Download Submit
memory/604-190-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/604-171-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1224-208-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1224-201-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1224-226-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1224-215-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1224-211-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1224-205-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1224-192-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1316-152-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1316-151-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1820-206-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1820-200-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1820-191-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2320-147-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2320-149-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2396-172-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2396-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2408-209-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2408-175-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2408-202-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2408-213-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2408-220-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2408-224-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2408-199-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2408-228-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2408-231-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2408-238-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2408-242-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2868-197-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2868-198-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download