rms | 50cd2bd36f33ef5c39ded6f3229eaf465998996f65310b5774dcbf4fb0b9dbaa

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe
Size

2.0MB
MD5

9ab586cecb3a5464abd24e04161e55aa
SHA1

f72e7caeccecdae86bcbe3a738d10a8aa36c9b40
SHA256

50cd2bd36f33ef5c39ded6f3229eaf465998996f65310b5774dcbf4fb0b9dbaa
SHA512

5eedaeb66a7a72b33bca6090a1f9b303d22fc46299ac857197efbb6edb3184f68bcd7d9cae7bf4a0f17019bbe05c7e4170f245367a1eee6d17330a5a8576eb36
SSDEEP

49152:GZV+NYQ4mRe7nGpK90HYA1qM6g+geS1LICzwqY4G:GZm1PRe7G4aH1MCY

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2336 attrib.exe
2136 attrib.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1804 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

SearchFilterHost.exeSearchFilterHost.exe

pid process

2744 SearchFilterHost.exe
2776 SearchFilterHost.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2328 cmd.exe

pid	process
2336	attrib.exe
2136	attrib.exe

pid	process
1804	cmd.exe

pid	process
2744	SearchFilterHost.exe
2776	SearchFilterHost.exe

pid	process
2328	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Stored = "C:\\Users\\Admin\\AppData\\Roaming\\SearchFilterHost.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1740	taskkill.exe
2404	taskkill.exe
2472	taskkill.exe
1940	taskkill.exe
2856	taskkill.exe
1480	taskkill.exe
2888	taskkill.exe
1056	taskkill.exe
2832	taskkill.exe
2836	taskkill.exe
2496	taskkill.exe
1780	taskkill.exe
2252	taskkill.exe
876	taskkill.exe
1864	taskkill.exe
2936	taskkill.exe
2764	taskkill.exe
2624	taskkill.exe
2376	taskkill.exe
1576	taskkill.exe
2808	taskkill.exe
1132	taskkill.exe
1476	taskkill.exe
1900	taskkill.exe
1384	taskkill.exe
844	taskkill.exe
2548	taskkill.exe
1724	taskkill.exe
2196	taskkill.exe
2620	taskkill.exe
1596	taskkill.exe
2980	taskkill.exe
1760	taskkill.exe
1912	taskkill.exe
2932	taskkill.exe
2420	taskkill.exe
864	taskkill.exe
2548	taskkill.exe
2920	taskkill.exe
1204	taskkill.exe
2156	taskkill.exe
2132	taskkill.exe
3036	taskkill.exe
2728	taskkill.exe
2960	taskkill.exe
1860	taskkill.exe
3028	taskkill.exe
2564	taskkill.exe
2260	taskkill.exe
2340	taskkill.exe
2836	taskkill.exe
2404	taskkill.exe
2036	taskkill.exe
1840	taskkill.exe
1888	taskkill.exe
2856	taskkill.exe
2764	taskkill.exe
2624	taskkill.exe
2976	taskkill.exe
1980	taskkill.exe
2128	taskkill.exe
2880	taskkill.exe
348	taskkill.exe
2564	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2656 reg.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

SearchFilterHost.exeSearchFilterHost.exe

pid process

2744 SearchFilterHost.exe
2744 SearchFilterHost.exe
2744 SearchFilterHost.exe
2776 SearchFilterHost.exe
2776 SearchFilterHost.exe

pid	process
2656	reg.exe

pid	process
2744	SearchFilterHost.exe
2744	SearchFilterHost.exe
2744	SearchFilterHost.exe
2776	SearchFilterHost.exe
2776	SearchFilterHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeSearchFilterHost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeSearchFilterHost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	2744	SearchFilterHost.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeTakeOwnershipPrivilege	2776	SearchFilterHost.exe
Token: SeTcbPrivilege	2776	SearchFilterHost.exe
Token: SeTcbPrivilege	2776	SearchFilterHost.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SearchFilterHost.exeSearchFilterHost.exe

pid process

2744 SearchFilterHost.exe
2776 SearchFilterHost.exe

pid	process
2744	SearchFilterHost.exe
2776	SearchFilterHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 836 wrote to memory of 2328	836	9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe	cmd.exe
PID 836 wrote to memory of 2328	836	9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe	cmd.exe
PID 836 wrote to memory of 2328	836	9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe	cmd.exe
PID 836 wrote to memory of 2328	836	9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe	cmd.exe
PID 2328 wrote to memory of 2336	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 2336	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 2336	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 2336	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 2136	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 2136	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 2136	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 2136	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 2656	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 2656	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 2656	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 2656	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 2744	2328	cmd.exe	SearchFilterHost.exe
PID 2328 wrote to memory of 2744	2328	cmd.exe	SearchFilterHost.exe
PID 2328 wrote to memory of 2744	2328	cmd.exe	SearchFilterHost.exe
PID 2328 wrote to memory of 2744	2328	cmd.exe	SearchFilterHost.exe
PID 2328 wrote to memory of 2764	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2764	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2764	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2764	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2548	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2548	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2548	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2548	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2856	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2856	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2856	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2856	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2624	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2624	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2624	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2624	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2564	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2564	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2564	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2564	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2976	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2976	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2976	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2976	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2728	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2728	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2728	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2728	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2736	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2736	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2736	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2736	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2836	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2836	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2836	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2836	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2960	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2960	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2960	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2960	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2404	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2404	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2404	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 2404	2328	cmd.exe	taskkill.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2336 attrib.exe
2136 attrib.exe

pid	process
2336	attrib.exe
2136	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\stmgr.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\SearchFilterHost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2336
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\settings.dat"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2136
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Stored" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SearchFilterHost.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2656
- - C:\Users\Admin\AppData\Roaming\SearchFilterHost.exe
    "C:\Users\Admin\AppData\Roaming\SearchFilterHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2744
  - - C:\Users\Admin\AppData\Roaming\SearchFilterHost.exe
      C:\Users\Admin\AppData\Roaming\SearchFilterHost.exe -second
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:2260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:2920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:2980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:2932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:2420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
264B

MD5
c022a3eebd6f670fabb8c7d16e64bb42

SHA1
18319221b13b29615798c03704416b90d388dedf

SHA256
9bf6bffbee25604ff43ba7d0bdee9c30d0fbbd1d8e02987b678551574f2a90ff

SHA512
822a0ee31487765e3e250b3bd6bcfe10a36fc2b4ff7ea4fa458cffdf948fba8251722c221a29aff155a4f69bd15811d033caff957e41d773a1f97aee060ff8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SJP.dat

Filesize
5.8MB

MD5
3d8fd988b92d630074b323a0a4dcee91

SHA1
6218115b123823f504f090decedbb1be0d7cd52a

SHA256
27d696583bb3fab2acffed2b8cf701e0d76ead5197e117cee603fdeb9a0aa48d

SHA512
9f5813efc5845f282ab9c41b1094f3b06a7822a2b37ceca593c9f896d8d30fe94ccb651a569c47b899c3f08648fade9864182ec83b61e2657346be8f7fbeafd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat

Filesize
2KB

MD5
eb494b1f02010d3543a09c2be3669d5c

SHA1
33341912b50607203561ad716bb80fc87a46105b

SHA256
34bacf4f22e644149e8bf0b66c178230f49f95f25fceb9228563cf5f54ccb6b1

SHA512
b52e24f4cc0b646387042a577a99c7fd595c9f73d28908b02395fb7fef2e6067701e7766c918592e9ed46d1546018849e6d474c1c68c6852bb94c2117656cf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\stmgr.cmd

Filesize
2KB

MD5
83e488da8485829e6f71e239c17ec895

SHA1
7a7f01f249cdeaca51df86210de4b8227797bbeb

SHA256
6df6e3e9beec30042dd7e14cd1cd517205e6cbcb0d9b88604f5821e18f11a815

SHA512
7fcf42ff4c8ad77db9dafa459a097dbd6a5ad314343c7407334f3c6c46a3fb2c5858ad9cef05532af0bb1b89a7564b100eff27ff848c4345fa5c13cb056847f8

Download Submit
C:\Users\Admin\AppData\Roaming\RUT_settings\Logs\rms_log_2024-06.html

Filesize
8KB

MD5
7b101da754981ac803c3a61968246ce2

SHA1
3f179898b652e2038ac977b28dac0bfdfe59d3b9

SHA256
bee0160ab03118db3b80d0db4549c97b705fe152ecb909345cb134b8ed343339

SHA512
0e3a736cfbb9ee68db0e2a0bd59bc56bd9df98b9d8d4e39696197423fa52f86c7dc33897e1a12de87622513c3bfce4136af76e38636a48e678526a2377ae3e8a

Download Submit
memory/2744-35-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/2776-36-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/2776-39-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/2776-41-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/2776-44-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/2776-47-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/2776-49-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download