Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2024 17:29
Behavioral task: behavioral1
Sample: agent-7.5.1.0.exe
Resource: win7-20240708-en
General
Target: agent-7.5.1.0.exe
Size: 22.2MB
MD5: 10612a00f02fcbfee5712b068a66010f
SHA1: c7f33f68c638246f6ae4d744a7e79f23fa152dec
SHA256: 2816304558b1408a0f0e59e248991db4dcba8cddda7261dd4bd9ee98b0f725e0
SHA512: 2ab5d6f6eb05b7fdb17975cc9b700ee469502fd7b63e198322e378e509a323429fba208170c08222de9503e426081a2ccd1ee083a5f055dced66578dcee1ee14
SSDEEP: 393216:4kCtFKS5RA/79u8m3mJA/VClbgY0XDK4U4ht3LVBPqPoqNukogz/AczsL:4tcaoYJ3miClsYYG4H/BPioLSsL
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: rfusclient.exe, rutserv.exe, rfusclient.exe
  IoCs (description: ioc (process)):
  - Key value queried: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation (rfusclient.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation (rutserv.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation (rfusclient.exe)
- Executes dropped EXE (4 IoCs)
  Processes: rfusclient.exe, rutserv.exe, rutserv.exe, rfusclient.exe
  IoCs (pid process):
  - 2944 rfusclient.exe
  - 2584 rutserv.exe
  - 2580 rutserv.exe
  - 1800 rfusclient.exe
- Loads dropped DLL (9 IoCs)
  Processes: agent-7.5.1.0.exe, rfusclient.exe, rutserv.exe, rutserv.exe, rfusclient.exe
  IoCs (pid process):
  - 2368 agent-7.5.1.0.exe
  - 2944 rfusclient.exe (5 IoCs)
  - 2584 rutserv.exe
  - 2580 rutserv.exe
  - 1800 rfusclient.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: rutserv.exe
  IoCs (description: ioc (process)):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\AgentRunOnce = "C:\\Users\\Admin\\AppData\\Roaming\\Remote Utilities Agent\\70510\\BC518FA3B1\\rutserv.exe" (rutserv.exe)
- Processes (yara_rule matches, resource: rule):
  - behavioral1/memory/2368-24-0x0000000000260000-0x0000000003223000-memory.dmp: upx
  - behavioral1/memory/2368-69-0x0000000000260000-0x0000000003223000-memory.dmp: upx
- Embeds OpenSSL (1 IoCs)
  Embeds OpenSSL, may be used to circumvent TLS interception.
  Processes (yara_rule matches, resource: rule):
  - C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\libasset32.dll: embeds_openssl
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: agent-7.5.1.0.exe, rfusclient.exe, rutserv.exe, rutserv.exe, rfusclient.exe
  IoCs (description: ioc (process)):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (agent-7.5.1.0.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rfusclient.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rutserv.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rutserv.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rfusclient.exe)
- Modifies data under HKEY_USERS (4 IoCs)
  Processes: rutserv.exe
  IoCs (description: ioc (process)):
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (rutserv.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\SysWOW64\ieframe.dll,-5723 = "The Internet" (rutserv.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" (rutserv.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" (rutserv.exe)
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes: rfusclient.exe, rutserv.exe, rutserv.exe, rfusclient.exe
  IoCs (pid process):
  - 2944 rfusclient.exe (2 IoCs)
  - 2584 rutserv.exe (5 IoCs)
  - 2580 rutserv.exe (4 IoCs)
  - 1800 rfusclient.exe (2 IoCs)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: rutserv.exe, rutserv.exe
  IoCs (description pid process):
  - Token: SeDebugPrivilege 2584 rutserv.exe
  - Token: SeTakeOwnershipPrivilege 2580 rutserv.exe
  - Token: SeTcbPrivilege 2580 rutserv.exe
  - Token: SeTcbPrivilege 2580 rutserv.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: rfusclient.exe
  IoCs (pid process):
  - 1800 rfusclient.exe (2 IoCs)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: rfusclient.exe
  IoCs (pid process):
  - 1800 rfusclient.exe (2 IoCs)
- Suspicious use of SetWindowsHookEx (9 IoCs)
  Processes: rutserv.exe, rutserv.exe
  IoCs (pid process):
  - 2584 rutserv.exe (4 IoCs)
  - 2580 rutserv.exe (5 IoCs)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: agent-7.5.1.0.exe, rfusclient.exe, rutserv.exe
  IoCs (description pid process -> target process):
  - PID 2368 wrote to memory of 2944: agent-7.5.1.0.exe -> rfusclient.exe (4 IoCs)
  - PID 2944 wrote to memory of 2584: rfusclient.exe -> rutserv.exe (4 IoCs)
  - PID 2580 wrote to memory of 1800: rutserv.exe -> rfusclient.exe (4 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\agent-7.5.1.0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\agent-7.5.1.0.exe"
   PID: 2368
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rfusclient.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rfusclient.exe" -run_agent
      PID: 2944
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rutserv.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rutserv.exe" -run_agent
         PID: 2584
         - Checks computer location settings
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         4. C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rutserv.exe (child of 3)
            Command line: "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rutserv.exe" -run_agent -second
            PID: 2580
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rfusclient.exe (child of 4)
               Command line: "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rfusclient.exe" /tray /user
               PID: 1800
               - Checks computer location settings
               - Executes dropped EXE
               - Loads dropped DLL
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 66KB
MD5: 3d6750bd2c808e440d189706f9f406b7
SHA1: 855176109fb57d8539cb903e2371e14065d39d11
SHA256: ec91d23f59cdde832db0233416e8864003dc867c801624f16b5931bc8ee6a8a6
SHA512: 9d42e9bfff537b91fbcb71738f3047defd65b472d3e7a82c32a45b2355216aa3e68da626afbd0c5ba9e2b04c950e6c3d20ddfa36e9874b8c83913b0c14e98f3f
-
Filesize: 54KB
MD5: 48c9cc8531e6bf12418eb70bbf593a3e
SHA1: 21aec8ef6f4e097e444f26464045e110ca10fac6
SHA256: ad5fe891daa6d63b6d237591ef513eb07f6f0bb6f536098ad9a5e2ab22a652ee
SHA512: 076eb39c85c0b4d307391044f46d0300833d0ff33c45b8e37e1d364e3bfb884e30fdb1211cba58abc6879a8763c95aba837859414fadb3d6a079b8c7c3b943a8
-
Filesize: 8.8MB
MD5: 5f41cb1e50cafbdb30e02613bb83a60f
SHA1: ca6438816e27188b4916ea91da76dc64bbf5f668
SHA256: bc4632709edb2c87d6d0ad55b9b9690d64bda6c52d375a62379bc62c89b1abf2
SHA512: 2de95df54f9fccb2270f9bef90323432f7c7df0155844b2534be03dd8f8f9a9313491c45ef69f01b4ee35e918ff7d34cee0567a376fd79efce9cf8b56ea03588
-
Filesize: 6.8MB
MD5: 08f23be58208183bb16892c804e52259
SHA1: eec18af2d72035203a5e4f24e05273d9b7ee12b9
SHA256: 0c927c4d21e400770d2a4573defcf8e887079f73bc88385446d5d8b5467ef0e3
SHA512: 192029eac41b208f1d2ce3f94dc57412bb8b96ec202ef4f2ec5d36a68b5412feae57bb54530137612667776ed40828ced09ad78b4abbd04b1f4f133559ae5f6a
-
Filesize: 139KB
MD5: b6d5dd2e4b2b3163f6bad087aa9f2ba4
SHA1: a9ef4821812d21c6bd93c9bc262494331d8eb130
SHA256: 1fcb0c18d74b4157752a5776ca47bf31f893453b4bcb82ba67b402769d054c26
SHA512: 06b30fa94a1177c08dbcdf2251f2e48640bfe6403849d99af5522e0dd6e6978d9d30abc3d1023498b51cd9833ef9dc9845b73310cad2cd29650379f6f7c80b9b
-
Filesize: 10.8MB
MD5: 0af8a4933b51f175939ff0a7ce1a3e42
SHA1: 697a29dee604a9621a619dc9f5783ef6f6b12ddc
SHA256: ed8f2eb7e9f628b57025cfdab1b81466c9a4e0ba618655d3a1050de2bfc0c8c9
SHA512: cc3705bcf6b668b8180b5ea0862a7ca95f6bf3bba869dd12c9ff54a86b6adf27f34cf8c9eb8da9d55bef7766fa91bc2e4b8154d0c88005d022dceb0def7336a4
-
Filesize: 20.9MB
MD5: f5d4ae78842dc0d7d61424d19a2ea8ed
SHA1: 06f911958e8e94a68f9220960321095080134336
SHA256: 98032ce81a7ff261b8172934be4b6d09d790c9cb5a1976bace90b2d1f98bd27b
SHA512: 8c16ba5b4be47cb9398f7e3a10b1440221a11d5048b4d56cebf3c7c706ff8fa2a64e5979040c13e2e713db791ba1fe618afa0ffe3a4b4008c8f3de3ccf8ead33
-
Filesize: 380KB
MD5: c14000f68306f1cf0ec799df9568ae01
SHA1: 788d8d7a0ba86ba6c7ef4f7ae50cdc65ddb348ff
SHA256: 53b040341ce80f246c8437a99df5252a48801e2154eb94dc50af54a75d8d85ac
SHA512: 2d4769949832794ce310474f843b696ea8eeb819554ecd72c449981988a6f8fbc5155d84a97d8a4c015348b3dfe6708f88c64b257d4a4d0d4a03dd068dda4113
-
Filesize: 1.6MB
MD5: 30448db0aac5ac16d7ad789011bf8d20
SHA1: 457a43f6d2a0120c138dd9d57bcb64b21f84d9d7
SHA256: d781088435617ca1facf74c1304f82afcb388813a75c8cb32213541d35b21832
SHA512: 300e3ae2ac133e2494c449354582ad9be51731d3e92d161b998db14262cc08436eeddb2b73a2f47cb4d1245348055f19e02721638a64a0630f513d4919b359dd
-
Filesize: 260KB
MD5: 5e8673834662ac42b8363e19bc719282
SHA1: bb1c1ed731830a03db47d232e748df4e4d196db9
SHA256: a64a113955ec0d89ae6ff357f9bb1063c7dd29fe5610ee516a94ac17b11172c2
SHA512: 3cf558b2d3ca03aed1ef0cfe36fb7ff3fe7a3af63a4c3b0cb6cf13c58baacae17e5a01bad743affae8c4f5b9f5425dd4a97755aca2ded99e70d782f699a9e225
-
Filesize: 365KB
MD5: 95d30b282132fb591fd5fdd94e52af05
SHA1: eb7abe2f02c19ee41e4efc2506337288141d70ed
SHA256: e6c04dc8359b2c76f765fce37ec123d33acbc5ce93e60022ba88eb7c867ac3f6
SHA512: 9e4ea23519d243d6d3ae93d2501f05f35aa1cc6264adb8f180f8a255bd35fb7996e110ac0ec7960fa0b93062be45eb0c0922d9597e76ee8180781cc5c9a9c792
-
Filesize: 860KB
MD5: a663e7ef3f3cd7a1d4790b4ebf491c27
SHA1: bfe086e653d0bc8d20acae61990ba4fa33f2a1f7
SHA256: 8b1f95d7c0fdf25a6278347afda2f5ac4c86045c7fc530a330be885d8a87ea68
SHA512: e78460c287646f509a50b878a34392546e01803a46c389e942073013a8292e3653713f2b6067842ecccb09b7cdc13d1d9fff76065aa61910fc3cebe6a1c20c47