Analysis
-
max time kernel
140s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22-03-2024 09:52
General
-
Target
aut7C05.exe
-
Size
4.5MB
-
MD5
f9a9b17c831721033458d59bf69f45b6
-
SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b
-
SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
-
SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
SSDEEP
98304:V5xj2G4KJi7pqIx/nysBa5VOGnSL0QitFbfFcDluO4OP4kGHd9seAAo80CWhe:VmzKQ7pLnysBawAbGtuN0CW8
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
ASPack v2.12-2.42 10 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Modifies registry class 3 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aut7C05.exe"C:\Users\Admin\AppData\Local\Temp\aut7C05.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Programdata\Windows\install.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"4⤵
- UAC bypass
- Windows security bypass
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"4⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 24⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10004⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"4⤵
- Launches sc.exe
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Programdata\Install\del.bat3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 54⤵
- Delays execution with timeout.exe
-
-
-
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61B
MD5398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
Filesize
140B
MD55e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
Filesize
12KB
MD5806734f8bff06b21e470515e314cfa0d
SHA1d4ef2552f6e04620f7f3d05f156c64888c9c97ee
SHA2567ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544
SHA512007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207
-
Filesize
1KB
MD56a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
Filesize
1.3MB
MD5265e321b81dd1b4012885f7187c17134
SHA1ac318ca9f61e60b9d2552374978c1f24a1ef3373
SHA2566e1027be84195ee12e37147cd43bbb74c4e019a3292894c1566697fc296f450f
SHA5122e0f339a7470cdc433680336983ade513993a6493de9777ecc2af9695c45f4cd973971dad514cca5bae1f2136f271dc427904ba8d95b32486a8fdecb4a4cd25e
-
Filesize
22KB
MD520cc481def5e0b4cf08b259aeda470ab
SHA1718c2776cac976464448147c000dca05f3e4ce07
SHA2567fc73bb8291e91222c3aaf9370391b910ae423af6eb835212da24f070c35d6e5
SHA5126b40dba41a46d13cf01d2bd29606fb9eb0cf877c7dc8425d57592550a8adf784b0fba5bd380cefc38db2bf8dc9b7559b5ae83d3ec2b60227fd9237c682a84378
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
630KB
MD59f987478bbe0153eee82ac2eb1fa2c7c
SHA13a3a2ec55431d2101b097c696efc3896d2ea7924
SHA256245f291e2edc366bba662d5c7acf54fc5edca1784a8438e8ab02efea86bc4039
SHA51241c638f32ac33a84032883156b8eb4114221a5250406dde24c5532f4ab932a00c8819ab049cd8a21baff2dce5e97c4c05927ae1560a7e217026893c06aabdcf4
-
Filesize
64KB
MD5a93ffb21131ea4dc0f1a18f023a93e68
SHA1ca8c389c79a9ca442920d93c4612451f50110f3a
SHA25667f5a3110dc58b25f1ee7f0fc555f8ec1161b3c0d1ca8dee20db873db7a75e8c
SHA512be939ea48eea8211b1089378db154fd47bb268e2f1de84d72798db79c7e89a7e4aa01cf3ddc7962cb2333db7a1f1484064a2b65218e2715f868c76d52ea319fe
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
15KB
MD5000deaa095e9363d382ff2ef41bdb759
SHA1af7869c8eebaffd01135097d6618bd275641002b
SHA2563bedb54fed64bab323954d50339f66a8742c45ad32b4f119586bab0c3c807f77
SHA51239672b9bebbf477de9797a584ec8315038719df37f2cc1f891278109d374202190f98976f0c1aef2c7104cbbbe355c70cf7cc34ca9b9308ca928e75c9b0cc7fb
-
Filesize
1.1MB
MD5f1d690f5343e1759562963556bfb8368
SHA176061ba2571de9c1bd493f42b6ac2448da5e99ea
SHA2568b773134c2c6c1c55a126c3cf84f1f0e80fe3275bc4417f89da1e955a493d25e
SHA51268ce5bb1493eabc6e77e62bb27f1c7bd424479a959158b6d635d158be3790a2158d42f76e5bf653ac6a76311d9150f7c6f8048c42a8c519aa0f1145d1173c80a
-
Filesize
99KB
MD565c5009178e8c0d2bfa031fbb8efe23e
SHA19a4929ad43cda086b435596152c3629e0161de2e
SHA256d0db5a7cf5c5c5c07ec542d94b4533a704592757a9486440f39d0a3a9afefb65
SHA51274fbc711d12dd545cadd4d53afa51527167f0390da3867f2d333a249a1ca79f392c8f39898a4ae98709edb31576872fa23e77d84718793567bb14c28e62abae0
-
Filesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
Filesize
48KB
MD53889bd6ee4134d3fc1a78e480c6a5186
SHA121834f44f2eb5395e57872cd2a388a1e4d77f2a9
SHA256ca3bfe63a09bb7a1f8d1cbba0e68523b9dd84dbf9af0ee903223fbe3eb52f793
SHA51214d62c3d169bdc3aff85f3dd96de16ef0895a280af07eb64319eb5e7c3f5d4763e0ae6aabad0ed00ff1b4ac89d2d7629d715246b8790037db49ec26ab45f0024
-
Filesize
418B
MD5db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
Filesize
879KB
MD59200b6435dc36152bab62369797a02b7
SHA1bdc68b273d96053122c2344be69953864acf68e7
SHA256b612817a019b5f1b74f30bc2a4bcb235281fac54e0f339961f71138f9c54f235
SHA512c3216472c2634eea8fa56d309603ce4e847cfc9fac0385d30e85a663e9379625f64baeb5ac4a7195ee225e8be9f7e3e06402cd3d5f2420eaaa075f4055f9f41b
-
Filesize
961KB
MD503a781bb33a21a742be31deb053221f3
SHA13951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45
-
Filesize
6.7MB
-
Filesize
4KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB