Overview

overview

10

Static

static

7

60ec502046...26.exe

windows7-x64

10

60ec502046...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60ec502046b8c0d787ad3b5e431c9126.exe

  • Size

    16.4MB

  • MD5

    60ec502046b8c0d787ad3b5e431c9126

  • SHA1

    125ca02f6f2e66c3ed1eeb10d78239af3e1c6fbd

  • SHA256

    0c41e02ef1c8837307ffbfe5e3c97116808ced2214d34a5517ac732bc2c3baa7

  • SHA512

    b2073538d267b31f9fabfa84160cccc2a308e83ee0d4d92881738fc5fd1765c53363ae32cf9c078daf95582328be33f7a8ce45f4e5af8685ea5919b721ed8fe5

  • SSDEEP

    393216:afdWj7p4qc0/Elt1VBqqZGi/h3AxlcVtXzo:aFWfp4qc0w7VBqqRNVtXzo

Score
10/10
rmsdiscoveryrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60ec502046b8c0d787ad3b5e431c9126.exe
    "C:\Users\Admin\AppData\Local\Temp\60ec502046b8c0d787ad3b5e431c9126.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\rfusclient.exe
      "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\rfusclient.exe" -run_agent
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\rutserv.exe
        "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\rutserv.exe" -run_agent
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2636
        • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\rutserv.exe
          "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\rutserv.exe" -run_agent -second
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:320
          • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\rfusclient.exe
            "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\rfusclient.exe" /tray /user
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\EULA.rtf
    Filesize

    69KB

    MD5

    e6b99144ea133a583f2964fdaa0c514a

    SHA1

    a9ab6b4ad60bd60c798e9909be801dad725497de

    SHA256

    b137e38facdd1cdfc9730856675f4b531366d7af54b605209cb2158a58deb1ef

    SHA512

    a4f6e9663163e7a85251e129983251698b2c98070d2044f6402804d92779d77e477cb63c703b72a6ea20e19fc0d443a2a4f7fcf9d181a1e0ef0c0276297bf072

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\branding.ini
    Filesize

    216B

    MD5

    e1024ec1abcc039d7120d0f6f1c07e66

    SHA1

    5edc44c49ae18eb062e68bd77d7f92ae9422279a

    SHA256

    cbb3e1eb3714776ccfbfdc8f8fe66a6db2880f39cdd9ab53fb6ca6d86b98fb07

    SHA512

    bb8ee31eb620f62ca3b41cf5039b5f96149e5a208f675ec0cfc4efa23fe39980d03ca40eade896262bec4285019995a8fe08f8bd85042d217865bcfd82ac1866

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\eventmsg.dll
    Filesize

    51KB

    MD5

    ca8a4346b37cdd0220792885c5937b30

    SHA1

    eef05f4b7fb5f8aabfb93d10a6451cc77b489864

    SHA256

    ccd5b9e5947f956e880bd2285a6091dc9f1ee9b0eb8df627ec4e72b451a1c745

    SHA512

    c286b0fa9d24a85fe63d3a3d801f135d12409736742c4fc16ba1dc15529df136577dc8975736146437dd56467576fdedb4ac50cf05ab054547504f3dc5ca0c35

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\libeay32.dll
    Filesize

    1.3MB

    MD5

    0d51927274281007657c7f3e0df7becb

    SHA1

    6de3746d9d0980f5715cec6c676a8eb53b5efc49

    SHA256

    dfc847405be60c29e86e3e3222e7f63c1ff584727d87d3c35c25c4893e19fda0

    SHA512

    eef74088a94635184192d82bb6dcc0758749cb290c8deeff211881e8a280aec73a53334eff8846df618204b0f318e757eab23e76951a472ba6e086905000d9a5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\logo.png
    Filesize

    57KB

    MD5

    09ddf08d88dbd240de9704da196e7264

    SHA1

    9f25e23079cf1cfa86e519aeff4ed72510f95fb3

    SHA256

    b022cea1a3caeb02da1334f5f1ac7afdb3ae4fca1cd4ccd9ae106a0c9457613b

    SHA512

    7ce5ae872d9678254f7b227199ff5880502f66ccbcc6d13024a6c1f916c6ec57ed2a10a4ed13915e4f85c6b04880c77e5e104dd5c297015bb808e4633689cc2e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\rfusclient.exe
    Filesize

    11.2MB

    MD5

    43cc976800c506662c325478eb8bf9ea

    SHA1

    6d18795469c3a0ac6e4b8bb0024fffba51c45c60

    SHA256

    41ea3c0b8421ebdea1eb6a508a38e120b1fbb38b9a2e1379deabc5a167a87408

    SHA512

    396a97698a815316b1bd1b927f089c1d4934ea9fb8b31be72941e46030059978f98866cc19c5daf36722d5a768af007434c875de53b3f3ab9497b6a2bcd9dd54

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\rutserv.exe
    Filesize

    18.0MB

    MD5

    6c6ba57be4b7b2fb661a99fea872f6b8

    SHA1

    aa95f1662a80e2c31fc24e60a9168b6df93c42e7

    SHA256

    ce5ba1e5d70d95d52b89a1b8278ff8dd4d1e25c38c90ca202b43bdc014795d78

    SHA512

    15d89d9b89bf585acef483212c3e0cd37ee5c680e03d5e4e9f6ae73e058e5ece0ff6e52df36f695a2aed20c5115e1b1ab6eb6afa580e7349d4871ad4c079c37f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\settings.dat
    Filesize

    8KB

    MD5

    bb31b030afb8e40feac28217b00d3d6a

    SHA1

    319ddd5828ac73ec6b159985c4cdfe7b3f483583

    SHA256

    202fc5f1f030a19911f9405629f1d3ac082c2742b4b49a60e1b5a59d869fee4b

    SHA512

    dc833aa168c31242562e041d22d6fa8d852fede9e9fcc3d27f1bd7a94b4b7ae937e5014166050cc362a22469769aa6a66ba21a64c8faa88bcbce115a04303ffa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\ssleay32.dll
    Filesize

    337KB

    MD5

    197da919e4c91125656bf905877c9b5a

    SHA1

    9574ec3e87bb0f7acce72d4d59d176296741aa83

    SHA256

    303c78aba3b776472c245f17020f9aa5a53f09a6f6c1e4f34b8e18e33906b5ee

    SHA512

    33c1b853181f83cab2f57f47fb7e093badf83963613e7328ebd23f0d62f59416d7a93063c6237435fbb6833a69bc44ebbc13aa585da010f491c680b2ea335c47

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\vp8decoder.dll
    Filesize

    380KB

    MD5

    41acd8b6d9d80a61f2f686850e3d676a

    SHA1

    38428a08915cf72dd2eca25b3d87613d9aa027dd

    SHA256

    36993fc3312ce757c8adeca3e5969e1fcc11d5b51b12c458ba8d54d73b64d4e7

    SHA512

    d174638965ec781cbcb2927ceafb295c3176dc78da8938467faca3e512a42fe71a9dc1070f23e1c95f0b7c157fff3b00a8b572c39e4670713564f1310360ed23

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\vp8encoder.dll
    Filesize

    1.6MB

    MD5

    2ac39d6990170ca37a735f2f15f970e8

    SHA1

    8148a9cdc6b3fe6492281ebad79636433a6064ab

    SHA256

    0961d83cb25e1a50d5c0ec2f9fb0d17f2504dae0b22a865f6e1ea8e987e1c6fa

    SHA512

    7e30fde909d5f8efd6c2e40e125525697267273163ac35cf53561a2bd32e5dad8e4fba32905f53e422c9c73b8ad9a0c151f8d36042c5f156b50bf42dc21a9cee

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\webmmux.dll
    Filesize

    260KB

    MD5

    8a683f90a78778fba037565588a6f752

    SHA1

    011939c1fa7b73272db340c32386a13e140adc6a

    SHA256

    bd520007864b44e0bda7a466384d12c3c3f328326cf3549ba1853a58ccdbc99d

    SHA512

    9280fbb121f8b94f57560d1be3bcfe5e7c308d54dac278f13ea6c00256444fb9f17f543dd0d32c9844460818c1a50d83b26ce51c79698e9ca7a304652a3f5ea9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\webmvorbisdecoder.dll
    Filesize

    365KB

    MD5

    c9d412c1d30abb9d61151a10371f4140

    SHA1

    87120faa6b859f5e23f7344f9547b2fc228af15b

    SHA256

    f3465ce8a23db5e8228eed5a60a6f7a096d1a9adf3012c39bc6d81d4e57e8e9e

    SHA512

    1c020afa89cdae55f4dcb80a455dc1b352f40455142f3947ed29c3e3d51fbd465b6e0ea16cd103186c252783a3f2a7f7c417e4df5727d9b2db511b650308face

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\A5110FEF53\webmvorbisencoder.dll
    Filesize

    860KB

    MD5

    a59f69797c42324540e26c7c7998c18c

    SHA1

    7f7bc5bc62a8744f87a7d2e30cc6dd74c72e19b4

    SHA256

    83e1c1eb55bfd0f2d85d41c1e4dee65046b064ccb263ec7f412a5f329c75cfd1

    SHA512

    837f244e6b70658974506ac35bd3ee2d413b89fe4b26e75f4a61cc7bec63e999c9c2cffb690ad567f74962bab13f2f5471300cd0e0cfe61bb1084072cb55c38b

    Download Submit

  • memory/320-116-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-122-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-151-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-148-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-145-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-142-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-109-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-139-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-112-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-136-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-133-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-130-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-119-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/320-125-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2024-128-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-137-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-120-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-152-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-117-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-131-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-149-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-134-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-113-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-123-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-110-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-140-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-146-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2024-143-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2172-80-0x0000000000400000-0x0000000002843000-memory.dmp

    Filesize

    36.3MB

    Download

  • memory/2172-0-0x0000000000400000-0x0000000002843000-memory.dmp

    Filesize

    36.3MB

    Download

  • memory/2172-73-0x00000000029F0000-0x0000000002A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2172-1-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2616-87-0x0000000000400000-0x0000000000FCE000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2636-93-0x0000000000400000-0x00000000016BA000-memory.dmp

    Filesize

    18.7MB

    Download