Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-04-2024 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    21.8MB

  • MD5

    04d54700f8274d32b60222bc1497ebf0

  • SHA1

    1150c1a0e45c6ee5c671a5907c8f057ece4bc1e5

  • SHA256

    eb41f9ce5d810092148309af2f932db5b938c57c9c2b8a5a5078e6cb45349b7b

  • SHA512

    879667c69733b6edad159a5882b4f3a4a8f968c030b4a868742e591b61a5ff476b05f910bc3f2d64583f0bf385aaba6df4ee2ddbd91fbef0f9d74e8d05175fe1

  • SSDEEP

    393216:/LfK/LS1/Lgntpvw2D3r4qg8RvPNJrHS7i9CPq7E0YIpUx9gZjpWQma9BKyIo9Xt:zIQy+qRvPn2+CP+EUE9vFo9L5

Score
10/10
ruratbackdoortrojan

Malware Config

Signatures

  • RuRAT

    RuRAT is a remote admin tool sold as legitimate software but regularly abused in malicious phishing campaigns.

    trojanbackdoorrurat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 58 IoCs
  • Drops file in Windows directory 19 IoCs
  • Kills process with taskkill 23 IoCs
    evasion
  • Modifies data under HKEY_USERS 47 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4384
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C2AD87F1249A96D0EA55C0043C0E41D6
      2⤵
      • Loads dropped DLL
      PID:2908
    • C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
      "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\Admin\AppData\Local\Temp\RUT.msi"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1792
    • C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
      "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3888
    • C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
      "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4536
    • C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
      "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2280
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    • Suspicious behavior: EnumeratesProcesses
    PID:3984
  • C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
    "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
      "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
        "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3772
    • C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
      "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2036
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    • Suspicious behavior: EnumeratesProcesses
    PID:2208
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    • Suspicious behavior: EnumeratesProcesses
    PID:2308
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    • Suspicious behavior: EnumeratesProcesses
    PID:552
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    • Suspicious behavior: EnumeratesProcesses
    PID:920
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    • Suspicious behavior: EnumeratesProcesses
    PID:2756
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    • Suspicious behavior: EnumeratesProcesses
    PID:3800
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    • Suspicious behavior: EnumeratesProcesses
    PID:4592
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    • Suspicious behavior: EnumeratesProcesses
    PID:1284
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    • Suspicious behavior: EnumeratesProcesses
    PID:5092
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:428
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:4008
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:640
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:4500
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:3932
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:3664
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:3984
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:3372
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:556
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:1228
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:3872
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:2088
  • C:\Windows\system32\taskkill.EXE
    C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
    1⤵
    • Kills process with taskkill
    PID:1676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57a377.rbs
    Filesize

    31KB

    MD5

    55c9c9e553d735e00227e55ba6185188

    SHA1

    a85c85b1a97f586111292ac7266c62975d1efe7f

    SHA256

    6e17afcc2bbd932f24c4ca9b3a326c9544dacf620e81fa0e34bf8eee3bbe3d65

    SHA512

    74191ddaecd48030917dbfb68e3680877c486fc4fed9a7e5efd9b4068c4b2e7bb4ce98eb0a837f125594fc6edbcf92603c4c9c45a154ef4e91894b506a03de5a

    Download Submit
  • C:\Program Files (x86)\Remote Utilities - Host\eventmsg.dll
    Filesize

    51KB

    MD5

    ca8a4346b37cdd0220792885c5937b30

    SHA1

    eef05f4b7fb5f8aabfb93d10a6451cc77b489864

    SHA256

    ccd5b9e5947f956e880bd2285a6091dc9f1ee9b0eb8df627ec4e72b451a1c745

    SHA512

    c286b0fa9d24a85fe63d3a3d801f135d12409736742c4fc16ba1dc15529df136577dc8975736146437dd56467576fdedb4ac50cf05ab054547504f3dc5ca0c35

    Download Submit
  • C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll
    Filesize

    1.3MB

    MD5

    d9871a6ba02aacf3d51e6c168d9c6066

    SHA1

    42012a0116a9e8aed16c7298bd43cb1206a0f0cd

    SHA256

    7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

    SHA512

    ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

    Download Submit
  • C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
    Filesize

    10.4MB

    MD5

    68a63168426f28bc06c7c06eac6f09d5

    SHA1

    ae947e6b9b3322f7837396f606e64b0f372fa78c

    SHA256

    02003563373af3215195ca0c23af03f845921fcfa31f58770927266b03c2ac40

    SHA512

    7beabe39242237dd19606392bb7970f2eea0e8d467ee42a10e8ad3608e9b6a6aa060e4cd112fce425677dcc33ea062c6224574599351e81060c348409eeb11a6

    Download Submit
  • C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
    Filesize

    19.8MB

    MD5

    31c0bafc3f6e6c7322a7a32ac1bd87da

    SHA1

    42fd1a41e1eef5998de674ec068c702f1ee3b4f3

    SHA256

    f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5

    SHA512

    ab8dcda75a2e9c4d7dfcc23e76b3ca76b4ec5f1fbf24007bf0e9707de17461c5016ec9005dae3f62e34f586452aa145871d371536572365b35bf33b43a8d24ab

    Download Submit
  • C:\Program Files (x86)\Remote Utilities - Host\ssleay32.dll
    Filesize

    337KB

    MD5

    fe6d8feaeae983513e0a9a223604041b

    SHA1

    efa54892735d331a24b707068040e5a697455cee

    SHA256

    af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

    SHA512

    a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

    Download Submit
  • C:\Program Files (x86)\Remote Utilities - Host\vp8decoder.dll
    Filesize

    380KB

    MD5

    41acd8b6d9d80a61f2f686850e3d676a

    SHA1

    38428a08915cf72dd2eca25b3d87613d9aa027dd

    SHA256

    36993fc3312ce757c8adeca3e5969e1fcc11d5b51b12c458ba8d54d73b64d4e7

    SHA512

    d174638965ec781cbcb2927ceafb295c3176dc78da8938467faca3e512a42fe71a9dc1070f23e1c95f0b7c157fff3b00a8b572c39e4670713564f1310360ed23

    Download Submit
  • C:\Program Files (x86)\Remote Utilities - Host\vp8encoder.dll
    Filesize

    1.6MB

    MD5

    2ac39d6990170ca37a735f2f15f970e8

    SHA1

    8148a9cdc6b3fe6492281ebad79636433a6064ab

    SHA256

    0961d83cb25e1a50d5c0ec2f9fb0d17f2504dae0b22a865f6e1ea8e987e1c6fa

    SHA512

    7e30fde909d5f8efd6c2e40e125525697267273163ac35cf53561a2bd32e5dad8e4fba32905f53e422c9c73b8ad9a0c151f8d36042c5f156b50bf42dc21a9cee

    Download Submit
  • C:\Program Files (x86)\Remote Utilities - Host\webmmux.dll
    Filesize

    260KB

    MD5

    8a683f90a78778fba037565588a6f752

    SHA1

    011939c1fa7b73272db340c32386a13e140adc6a

    SHA256

    bd520007864b44e0bda7a466384d12c3c3f328326cf3549ba1853a58ccdbc99d

    SHA512

    9280fbb121f8b94f57560d1be3bcfe5e7c308d54dac278f13ea6c00256444fb9f17f543dd0d32c9844460818c1a50d83b26ce51c79698e9ca7a304652a3f5ea9

    Download Submit
  • C:\Program Files (x86)\Remote Utilities - Host\webmvorbisdecoder.dll
    Filesize

    365KB

    MD5

    c9d412c1d30abb9d61151a10371f4140

    SHA1

    87120faa6b859f5e23f7344f9547b2fc228af15b

    SHA256

    f3465ce8a23db5e8228eed5a60a6f7a096d1a9adf3012c39bc6d81d4e57e8e9e

    SHA512

    1c020afa89cdae55f4dcb80a455dc1b352f40455142f3947ed29c3e3d51fbd465b6e0ea16cd103186c252783a3f2a7f7c417e4df5727d9b2db511b650308face

    Download Submit
  • C:\Program Files (x86)\Remote Utilities - Host\webmvorbisencoder.dll
    Filesize

    860KB

    MD5

    a59f69797c42324540e26c7c7998c18c

    SHA1

    7f7bc5bc62a8744f87a7d2e30cc6dd74c72e19b4

    SHA256

    83e1c1eb55bfd0f2d85d41c1e4dee65046b064ccb263ec7f412a5f329c75cfd1

    SHA512

    837f244e6b70658974506ac35bd3ee2d413b89fe4b26e75f4a61cc7bec63e999c9c2cffb690ad567f74962bab13f2f5471300cd0e0cfe61bb1084072cb55c38b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RUT.msi
    Filesize

    21.5MB

    MD5

    80e61e367f4eaafff79b82849ab40ccd

    SHA1

    70aa7a8ca5f774c3cbee55277eafdfafdf4c9155

    SHA256

    346926866d193881de8a86bc4793194195f7751d2d3fe6b02fed5e9199890795

    SHA512

    913152b6b32c314ce9c587f6991cd9b284859b8a347dfdef63050c1db5eaf536159b042c1670bafe2a9f35350059d7c136e6a1b760b0f7688b8b660ff9b2c2bc

    Download Submit
  • C:\Windows\Installer\MSIA79A.tmp
    Filesize

    165KB

    MD5

    b5adf92090930e725510e2aafe97434f

    SHA1

    eb9aff632e16fcb0459554979d3562dcf5652e21

    SHA256

    1f6f0d9f136bc170cfbc48a1015113947087ac27aed1e3e91673ffc91b9f390b

    SHA512

    1076165011e20c2686fb6f84a47c31da939fa445d9334be44bdaa515c9269499bd70f83eb5fcfa6f34cf7a707a828ff1b192ec21245ee61817f06a66e74ff509

    Download Submit
  • memory/1288-149-0x0000000000400000-0x0000000000F17000-memory.dmp
    Filesize

    11.1MB

    Download
  • memory/1792-97-0x0000000000400000-0x0000000000F17000-memory.dmp
    Filesize

    11.1MB

    Download
  • memory/2036-143-0x0000000000400000-0x0000000000F17000-memory.dmp
    Filesize

    11.1MB

    Download
  • memory/2280-142-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/3772-150-0x0000000000400000-0x0000000000F17000-memory.dmp
    Filesize

    11.1MB

    Download
  • memory/3888-110-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4264-167-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4264-156-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4264-178-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4264-175-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4264-152-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4264-154-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4264-148-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4264-159-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4264-170-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4264-173-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4264-163-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download
  • memory/4384-126-0x0000000000450000-0x00000000019E6000-memory.dmp
    Filesize

    21.6MB

    Download
  • memory/4384-8-0x0000000000450000-0x00000000019E6000-memory.dmp
    Filesize

    21.6MB

    Download
  • memory/4536-114-0x0000000000400000-0x0000000001896000-memory.dmp
    Filesize

    20.6MB

    Download