Overview

overview

10

Static

static

3

aut7C05.exe

windows7-x64

10

aut7C05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2024 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aut7C05.exe

  • Size

    4.5MB

  • MD5

    f9a9b17c831721033458d59bf69f45b6

  • SHA1

    472313a8a15aca343cf669cfc61a9ae65279e06b

  • SHA256

    9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

  • SHA512

    653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

  • SSDEEP

    98304:V5xj2G4KJi7pqIx/nysBa5VOGnSL0QitFbfFcDluO4OP4kGHd9seAAo80CWhe:VmzKQ7pLnysBawAbGtuN0CW8

Score
10/10
rmsaspackv2evasionrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies registry class 4 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\aut7C05.exe
    "C:\Users\Admin\AppData\Local\Temp\aut7C05.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3520
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s "reg1.reg"
          4⤵
          • UAC bypass
          • Windows security bypass
          • Runs .reg file with regedit
          PID:384
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s "reg2.reg"
          4⤵
          • Runs .reg file with regedit
          PID:2444
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:3872
        • C:\ProgramData\Windows\rutserv.exe
          rutserv.exe /silentinstall
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4824
        • C:\ProgramData\Windows\rutserv.exe
          rutserv.exe /firewall
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:4592
        • C:\ProgramData\Windows\rutserv.exe
          rutserv.exe /start
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:948
        • C:\Windows\SysWOW64\attrib.exe
          ATTRIB +H +S C:\Programdata\Windows\*.*
          4⤵
          • Views/modifies file attributes
          PID:3200
        • C:\Windows\SysWOW64\attrib.exe
          ATTRIB +H +S C:\Programdata\Windows
          4⤵
          • Views/modifies file attributes
          PID:2324
        • C:\Windows\SysWOW64\sc.exe
          sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
          4⤵
          • Launches sc.exe
          PID:4592
        • C:\Windows\SysWOW64\sc.exe
          sc config RManService obj= LocalSystem type= interact type= own
          4⤵
          • Launches sc.exe
          PID:1688
        • C:\Windows\SysWOW64\sc.exe
          sc config RManService DisplayName= "Microsoft Framework"
          4⤵
          • Launches sc.exe
          PID:4516
    • C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:4552
  • C:\ProgramData\Windows\rutserv.exe
    C:\ProgramData\Windows\rutserv.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\ProgramData\Windows\rfusclient.exe
        C:\ProgramData\Windows\rfusclient.exe /tray
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: SetClipboardViewer
        PID:1528
    • C:\ProgramData\Windows\rfusclient.exe
      C:\ProgramData\Windows\rfusclient.exe /tray
      2⤵
      • Executes dropped EXE
      PID:3264
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3244 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3144

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Windows\install.vbs
      Filesize

      140B

      MD5

      5e36713ab310d29f2bdd1c93f2f0cad2

      SHA1

      7e768cca6bce132e4e9132e8a00a1786e6351178

      SHA256

      cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

      SHA512

      8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

      Download Submit

    • C:\ProgramData\Windows\reg1.reg
      Filesize

      12KB

      MD5

      806734f8bff06b21e470515e314cfa0d

      SHA1

      d4ef2552f6e04620f7f3d05f156c64888c9c97ee

      SHA256

      7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544

      SHA512

      007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207

      Download Submit

    • C:\ProgramData\Windows\reg2.reg
      Filesize

      1KB

      MD5

      6a5d2192b8ad9e96a2736c8b0bdbd06e

      SHA1

      235a78495192fc33f13af3710d0fe44e86a771c9

      SHA256

      4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

      SHA512

      411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

      Download Submit

    • C:\ProgramData\Windows\rfusclient.exe
      Filesize

      250KB

      MD5

      fdcc1962ece6a1ec22f3b956d98c9360

      SHA1

      65a62a4e4d0f79bc0fd07bc3f4a460a1e250a6a7

      SHA256

      c12f9de43bc0d925a419fa6d495b519fae2226c79f59412aba2b5a5f68d2e63d

      SHA512

      8d18caf9f746ff75082f7f3384fb6efe4f4189d19bede02ebbe4227978a8d1d635f16dcde4d669df35dcb13ab311dfccf69c7d759a91a5bb7e3df2b37658a9c3

      Download Submit

    • C:\ProgramData\Windows\rfusclient.exe
      Filesize

      1.3MB

      MD5

      f122687143c2367ac8996996426d4e6d

      SHA1

      865ac6d18fc8f9ee2db7ad55dad61e0f7300d492

      SHA256

      c60e39d72ff799c92f69bd99cea86e0c913d28cab7729b28a69b8c292cbd01d7

      SHA512

      bfc7a2634565d1c579e2ead1d6b1cfe24a348de371a1e61c6c92659a3e90990b0a3613db115147b89206479c8185e719da866374bebf214011458aec521ad7ba

      Download Submit

    • C:\ProgramData\Windows\rfusclient.exe
      Filesize

      1.5MB

      MD5

      b8667a1e84567fcf7821bcefb6a444af

      SHA1

      9c1f91fe77ad357c8f81205d65c9067a270d61f0

      SHA256

      dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

      SHA512

      ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

      Download Submit

    • C:\ProgramData\Windows\rutserv.exe
      Filesize

      1.7MB

      MD5

      37a8802017a212bb7f5255abc7857969

      SHA1

      cb10c0d343c54538d12db8ed664d0a1fa35b6109

      SHA256

      1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

      SHA512

      4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

      Download Submit

    • C:\ProgramData\Windows\vp8decoder.dll
      Filesize

      155KB

      MD5

      88318158527985702f61d169434a4940

      SHA1

      3cc751ba256b5727eb0713aad6f554ff1e7bca57

      SHA256

      4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

      SHA512

      5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

      Download Submit

    • C:\ProgramData\Windows\vp8encoder.dll
      Filesize

      256KB

      MD5

      8213150807a84c21f6c1659ce4627018

      SHA1

      1867de22a8999763c9c1ac7b68e6d8358cce360f

      SHA256

      cc8f5e8304848bdae1502491220f3de6de01d4d1e347ef49d288719a5ec68922

      SHA512

      435d0f996dfe3682fe6846761fdd38e5d7fb39ebf7ad23362dc5a4eed303254c7062c6b33c353fcd8cfbbd786a629471f2480cbf01abe52195f0d15c2b81d490

      Download Submit

    • C:\ProgramData\Windows\winit.exe
      Filesize

      961KB

      MD5

      03a781bb33a21a742be31deb053221f3

      SHA1

      3951c17d7cadfc4450c40b05adeeb9df8d4fb578

      SHA256

      e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

      SHA512

      010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

      Download Submit

    • C:\Programdata\Windows\install.bat
      Filesize

      418B

      MD5

      db76c882184e8d2bac56865c8e88f8fd

      SHA1

      fc6324751da75b665f82a3ad0dcc36bf4b91dfac

      SHA256

      e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

      SHA512

      da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aut4CE3.tmp
      Filesize

      61B

      MD5

      398a9ce9f398761d4fe45928111a9e18

      SHA1

      caa84e9626433fec567089a17f9bcca9f8380e62

      SHA256

      e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

      SHA512

      45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

      Download Submit

    • memory/948-55-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/948-75-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/948-61-0x0000000002670000-0x0000000002671000-memory.dmp

      Filesize

      4KB

      Download

    • memory/948-60-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/948-59-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/948-58-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/948-57-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/948-56-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1528-105-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1528-114-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1528-106-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1528-107-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1528-108-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1528-110-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1528-125-0x0000000000C90000-0x0000000000C91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1528-109-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1528-115-0x0000000000C90000-0x0000000000C91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1708-63-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-65-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-66-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-67-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-68-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-64-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-116-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-104-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-120-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-126-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-130-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-74-0x0000000000C40000-0x0000000000C41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1708-139-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/1708-146-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/3220-112-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3220-86-0x0000000002770000-0x0000000002771000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3220-76-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3220-84-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3220-82-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3220-81-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3220-77-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3220-79-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3264-118-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3264-113-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3264-85-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3264-91-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3264-141-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3264-132-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3264-124-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3264-78-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3264-83-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3264-123-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3264-80-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3264-87-0x0000000000400000-0x00000000009B6000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4592-53-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4592-52-0x0000000002770000-0x0000000002771000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4592-51-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4592-50-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4592-46-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4592-49-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4592-47-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4592-48-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4824-37-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4824-40-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4824-41-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4824-44-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4824-38-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4824-43-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4824-39-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/4824-42-0x0000000000400000-0x0000000000AB9000-memory.dmp

      Filesize

      6.7MB

      Download