Analysis
max time kernel: 148s
max time network: 142s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-09-2024 01:15
Behavioral task: behavioral1
Sample: 413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7.exe
Resource: win7-20240903-en
General
Target: 413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7.exe
Size: 16.9MB
MD5: 8447cd76c56cb7c13dc31d3aaadff615
SHA1: 0b2d53a0699add6ad76c5141eeb67ac77277cd14
SHA256: 413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7
SHA512: 666a8d64a5815e9fedb568db02ce31c7f7e76764503976cfa1301fbc70cef7c37dacf3e00d957227f745e4bc96b6fa8bda10fb418ddcf9ce12564f9e55a1f590
SSDEEP: 393216:p5JgVAku1srrXq2YczV7xxdTgKzmes9mK:HeApu7zV7dTgUmeUT
Malware Config
Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- rfusclient.exe: Key value queried \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation
- rutserv.exe: Key value queried \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation
- rfusclient.exe: Key value queried \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (4 IoCs)
Processes:
- PID 2608 rfusclient.exe
- PID 2628 rutserv.exe
- PID 2648 rutserv.exe
- PID 1112 rfusclient.exe
Loads dropped DLL (9 IoCs)
Processes:
- PID 2252 413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7.exe
- PID 2608 rfusclient.exe
- PID 2608 rfusclient.exe
- PID 2608 rfusclient.exe
- PID 2608 rfusclient.exe
- PID 2628 rutserv.exe
- PID 2628 rutserv.exe
- PID 2648 rutserv.exe
- PID 2648 rutserv.exe
Processes:
- behavioral1/memory/2252-0-0x0000000000400000-0x00000000028EB000-memory.dmp: yara rule upx
- behavioral1/memory/2252-65-0x0000000000400000-0x00000000028EB000-memory.dmp: yara rule upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- rutserv.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- rfusclient.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- rfusclient.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- rutserv.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Modifies data under HKEY_USERS (4 IoCs)
Processes:
- rutserv.exe: Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- rutserv.exe: Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\SysWOW64\ieframe.dll,-5723 = "The Internet"
- rutserv.exe: Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers"
- rutserv.exe: Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network"
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
- PID 2608 rfusclient.exe
- PID 2608 rfusclient.exe
- PID 2628 rutserv.exe
- PID 2628 rutserv.exe
- PID 2628 rutserv.exe
- PID 2628 rutserv.exe
- PID 2628 rutserv.exe
- PID 2628 rutserv.exe
- PID 2648 rutserv.exe
- PID 2648 rutserv.exe
- PID 2648 rutserv.exe
- PID 2648 rutserv.exe
- PID 2648 rutserv.exe
- PID 2648 rutserv.exe
- PID 1112 rfusclient.exe
- PID 1112 rfusclient.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2628 rutserv.exe
- Token: SeTakeOwnershipPrivilege, PID 2648 rutserv.exe
- Token: SeTcbPrivilege, PID 2648 rutserv.exe
- Token: SeTcbPrivilege, PID 2648 rutserv.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1112 rfusclient.exe
- PID 1112 rfusclient.exe
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- PID 1112 rfusclient.exe
- PID 1112 rfusclient.exe
Suspicious use of SetWindowsHookEx (9 IoCs)
Processes:
- PID 2628 rutserv.exe
- PID 2628 rutserv.exe
- PID 2628 rutserv.exe
- PID 2628 rutserv.exe
- PID 2648 rutserv.exe
- PID 2648 rutserv.exe
- PID 2648 rutserv.exe
- PID 2648 rutserv.exe
- PID 2648 rutserv.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 2252 (413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7.exe) wrote to memory of PID 2608 (rfusclient.exe)
- PID 2252 (413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7.exe) wrote to memory of PID 2608 (rfusclient.exe)
- PID 2252 (413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7.exe) wrote to memory of PID 2608 (rfusclient.exe)
- PID 2252 (413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7.exe) wrote to memory of PID 2608 (rfusclient.exe)
- PID 2608 (rfusclient.exe) wrote to memory of PID 2628 (rutserv.exe)
- PID 2608 (rfusclient.exe) wrote to memory of PID 2628 (rutserv.exe)
- PID 2608 (rfusclient.exe) wrote to memory of PID 2628 (rutserv.exe)
- PID 2608 (rfusclient.exe) wrote to memory of PID 2628 (rutserv.exe)
- PID 2648 (rutserv.exe) wrote to memory of PID 1112 (rfusclient.exe)
- PID 2648 (rutserv.exe) wrote to memory of PID 1112 (rfusclient.exe)
- PID 2648 (rutserv.exe) wrote to memory of PID 1112 (rfusclient.exe)
- PID 2648 (rutserv.exe) wrote to memory of PID 1112 (rfusclient.exe)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2252
2. "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rfusclient.exe" -run_agent
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2608
3. "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe" -run_agent
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2628
4. "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe" -run_agent -second
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2648
5. "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rfusclient.exe" /tray /user
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1112
Network
MITRE ATT&CK Enterprise v15
Downloads