Analysis
-
max time kernel
151s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
24-01-2024 00:28
General
-
Target
70f515d95bea22b5764185f203b57925.exe
-
Size
2.7MB
-
MD5
70f515d95bea22b5764185f203b57925
-
SHA1
5f5254764798d53bfdf2a00e235697bd222554fa
-
SHA256
b53c443e37a06cf2c031531e3558e9f1cc2639d8f20148714f1744e3ed622681
-
SHA512
6734f42c5791309ee166db4e0397473496295bc47b4e7cd87c00c3c9a988cbf70176b8d609295fa6bb947789e6f81b3a874e8facf294ab4d03894b17f996238d
-
SSDEEP
49152:QAJYJUfOJH2bzzkE/gNXov3rM+XhghAaecWviq7XzGx38uPDzWkmLm6oyq8bL7A1:7JYJIOJGzGmoPh/AJDGDLCHmI/S
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Modifies Windows Firewall 1 TTPs 8 IoCs
-
Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 14 IoCs
-
Drops file in System32 directory 38 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 2 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\70f515d95bea22b5764185f203b57925.exe"C:\Users\Admin\AppData\Local\Temp\70f515d95bea22b5764185f203b57925.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "3⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mes.js"4⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im RManServer.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f4⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Windows\System32\catroot3"4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\stop.js"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Windows\System32\de.exe"4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\net.exenet stop rserver34⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\install.bat"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rserver3.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im r_server.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im cam_server.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\system32\cam_server.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\SysWOW64\cam_server.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\system32\rserver30"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Windows\SysWOW64\rserver30"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\system32\r_server.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Windows\SysWOW64\r_server.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\net.exenet stop Telnet4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Telnet5⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc config tlntsvr start= disabled4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet stop "Service Host Controller"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Service Host Controller"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet user HelpAssistant /delete4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user HelpAssistant /delete5⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn security /f4⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="RealIP"4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Microsoft Outlook Express"4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="Service Host Controller"4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete portopening tcp 570094⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="cam_server"4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete portopening tcp 57011 all4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαᵿ«¡¡á∩ ß¿ßΓѼá Microsoft Windows" /f4⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f4⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f4⤵
-
-
C:\Windows\SysWOW64\catroot3\rutserv.exe"rutserv.exe" /silentinstall4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\catroot3\rutserv.exe"rutserv.exe" /firewall4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s set.reg4⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\catroot3\rutserv.exe"rutserv.exe" /start4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\stop.js"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\install.bat"4⤵
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "2⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop rserver31⤵
-
C:\Windows\SysWOW64\catroot3\rutserv.exeC:\Windows\SysWOW64\catroot3\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\catroot3\rfusclient.exeC:\Windows\SysWOW64\catroot3\rfusclient.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\catroot3\rfusclient.exeC:\Windows\SysWOW64\catroot3\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\catroot3\rfusclient.exeC:\Windows\SysWOW64\catroot3\rfusclient.exe /tray2⤵
- Executes dropped EXE
- Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236B
MD57e960e034c2bd61d8430c554c3f59225
SHA1462fae70574a49807e6419274e492a68a14d9a76
SHA256cd8ac5031197745c596f708aa42d500b5b982e0ebbb273ca9bf856ffdea40f54
SHA512a90db573f9c241689dde85801a730664df00a3e212574150e00891ae9abc0b4b8fbfe39478656b7ef464eeacbdc8b141aaa9d112246ae2aed17ccabbef412607
-
Filesize
144KB
MD5513066a38057079e232f5f99baef2b94
SHA1a6da9e87415b8918447ec361ba98703d12b4ee76
SHA25602dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e
SHA51283a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5
-
Filesize
1KB
MD5d34b3da03c59f38a510eaa8ccc151ec7
SHA141b978588a9902f5e14b2b693973cb210ed900b2
SHA256a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc
SHA512231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7
-
Filesize
448KB
MD5d7eb741be9c97a6d1063102f0e4ca44d
SHA1bf8bdca7f56ed39fb96141ae9593dec497f4e2c8
SHA2560914ab04bfd258008fec4605c3fa0e23c0d5111b9cfc374cfa4eaa1b4208dff7
SHA512cbcaedf5aca641313ba2708e4be3ea0d18dd63e4543f2c2fdcbd31964a2c01ff42724ec666da24bf7bf7b8faaa5eceae761edf82c71919753d42695c9588e65e
-
Filesize
96KB
MD5329354f10504d225384e19c8c1c575db
SHA19ef0b6256f3c5bbeb444cb00ee4b278847e8aa66
SHA25624735b40df2cdac4da4e3201fc597eed5566c5c662aa312fa491b7a24e244844
SHA512876585dd23f799f1b7cef365d3030213338b3c88bc2b20174e7c109248319bb5a3feaef43c0b962f459b2f4d90ff252c4704d6f1a0908b087e24b4f03eba9c0e
-
Filesize
325KB
MD5cf6ce6b13673dd11f0cd4b597ac56edb
SHA12017888be6edbea723b9b888ac548db5115df09e
SHA2567bda291b7f50049088ea418b5695929b9be11cc014f6ec0f43f495285d1d6f74
SHA512e5b69b4ee2ff8d9682913a2f846dc2eca8223d3100d626aea9763653fe7b8b35b8e6dc918f4c32e8ae2fc1761611dcd0b16d623ede954f173db33216b33f49dc
-
Filesize
98KB
MD5b8622a3042d7fa48b2e6de433007c870
SHA16399b9d115c3f1d3c5469f81b1a821bf75b75ae8
SHA256cdb8330b9a36462dad63fb5c98520c4dd1cecf8a20d071bb0eff15ecf9fe0c98
SHA51219450e826c78cc9526bf9ccba356fa63c8282ae3093db9ad71c1f21bcd80b3850b3aabbd2221fd6ddc293378df3d52ac0484c8882aeee517145d018ce3b4ed73
-
Filesize
84KB
MD565889701199e41ae2abee652a232af6e
SHA13f76c39fde130b550013a4f13bfea2862b5628cf
SHA256ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e
SHA512edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5
-
Filesize
240KB
MD55f2fc8a0d96a1e796a4daae9465f5dd6
SHA1224f13f3cbaa441c0cb6d6300715fda7136408ea
SHA256f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f
SHA512da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad
-
Filesize
1.6MB
MD5086a9fd9179aad7911561eeff08cf7e2
SHA1d390c28376e08769a06a4a8b46609b3a668f728b
SHA2562cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282
SHA512a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193
-
Filesize
4KB
MD5011f14a1a59c0c446f5d0f6c168ed1f7
SHA1cff018bc19278be9b73419a67cddee9831f9e9a4
SHA25641e65323386d46854c2d47721abc6cd07cf0932912e79637a8d663d2dcb5c465
SHA512c5d9fa8049afe0fe772098dd3b9e46349dcfc01452de7d9128a2b7556a62d406ad861ef34e084659d193b6c38c66530b6236d22f90a9a2e8a530cb78ed133332
-
Filesize
154B
MD50bf43169d817f42c7ccf55ddf2940d55
SHA1d3c84dfc613a1c635de464a633d1678cac60bcf9
SHA25649d4efe001243866edc91f8f9fd6231e1602bcfcab4e508d23d0cb5e68ea35c2
SHA512c647cebbed6693e89c4592cb5565011c8831329ada1f8cb5714640264484ca38ac9146db1f2dc948bcf53e12e79c9a2ded44a8c09eb30d60d14a1ec8c34ab605
-
Filesize
541KB
MD58c53ccd787c381cd535d8dcca12584d8
SHA1bc7ce60270a58450596aa3e3e5d0a99f731333d9
SHA256384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528
SHA512e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755
-
Filesize
617KB
MD51169436ee42f860c7db37a4692b38f0e
SHA14ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3
SHA2569382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46
SHA512e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0
-
Filesize
2.8MB
MD5a90c6e72a9e2602560c521a1647664ad
SHA122f7f0ddb0af04df7109c3ddbb7027909041fa73
SHA256579e5984ad5eb6e5e4b004acd01c95f609a1330f3900cd9851562eb4ac879197
SHA512fbba623cab28c0648e8bdd03c99df9e2a84180d72ea8e63367e943f8b432ebc36a7e10a8bfce11ad1803e54a8514f1ded4fec72e680ee04386965b5eb6a5d6c2
-
Filesize
3.2MB
MD562dbd11dc36780e35af1aafaa6a8f0f1
SHA1dc6aaac7171b351be3397c3e0e1769dffa848723
SHA256b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57
SHA512b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d
-
Filesize
310KB
MD53f95a06f40eaf51b86cef2bf036ebd7a
SHA164009c5f79661eb2f82c9a76a843c0d3a856695d
SHA2561eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d
SHA5126f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897
-
Filesize
14KB
MD50f47a01e21911e8cbfd6903bbf4579d8
SHA17fbc72f0a91c73f96dc056942d080911ff617a13
SHA2567fe151bd0f7bd7a2f9558eeb4ed54e2070e2a9c233e6445a24a8891fd72d1f01
SHA5125606535a4f51f4dc564fd972fea0d8cdd0ac79f2c1bea3c26b24984fb0068fba20479533c57c582af8572565c981939626a0c6bca298d57bd5785ef02b6515d8
-
Filesize
215B
MD5804b35ef108ec9839eb6a9335add8ca1
SHA1bf91e6645c4a1c8cab2d20388469da9ed0a82d56
SHA256fe111b7ea4e14ab7ba5004aea52b10030e0282bb5c40d4ba55761a2c5be59406
SHA512822a3ec5e0e353058d4355bc01a44440dafe8d16c57744a3dcbc962eb110ed3f6843556568616bfc5dc7fad5f5832cd27d6591dc50105f2c79fc16c33919936d
-
Filesize
29KB
MD5ce37892672b7e69da7a04e689d1dacbc
SHA166d26d74a8a86b597b2167118afe94e31baf25ee
SHA2568f997537023f9f32bf8f87400ca2e19fa505f1fd20fabcdf67cb7c2ff97c7323
SHA5128f51d0e2f8c0d3dcc9c118230ec3a9a00796bd6952510c9a888535a87246b0daeacb22087e5f35f8ee39ef5477cb7bda49c834bf6e4e20c102aea9280fc591fe
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
3.4MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
3.4MB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
3.8MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
4KB
-
Filesize
4KB