Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    02-10-2024 17:29

General

  • Target

    agent-7.5.1.0.exe

  • Size

    22.2MB

  • MD5

    10612a00f02fcbfee5712b068a66010f

  • SHA1

    c7f33f68c638246f6ae4d744a7e79f23fa152dec

  • SHA256

    2816304558b1408a0f0e59e248991db4dcba8cddda7261dd4bd9ee98b0f725e0

  • SHA512

    2ab5d6f6eb05b7fdb17975cc9b700ee469502fd7b63e198322e378e509a323429fba208170c08222de9503e426081a2ccd1ee083a5f055dced66578dcee1ee14

  • SSDEEP

    393216:4kCtFKS5RA/79u8m3mJA/VClbgY0XDK4U4ht3LVBPqPoqNukogz/AczsL:4tcaoYJ3miClsYYG4H/BPioLSsL

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by the Russian organization TektonIT. The binaries dropped in this run (rutserv.exe and rfusclient.exe under a "Remote Utilities Agent" directory) are the Remote Utilities build of the same product, which is why the RMS signature fires on a commercially distributed agent; whether the deployment is legitimate depends on who installed it, not on the tool itself.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Embeds OpenSSL 1 IoCs

    Embeds OpenSSL. A bundled TLS library does not have to trust the system certificate store, so it may be used to circumvent TLS interception.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies data under HKEY_USERS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\agent-7.5.1.0.exe
    "C:\Users\Admin\AppData\Local\Temp\agent-7.5.1.0.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rfusclient.exe
      "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rfusclient.exe" -run_agent
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rutserv.exe
        "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rutserv.exe" -run_agent
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2584
        • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rutserv.exe
          "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rutserv.exe" -run_agent -second
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rfusclient.exe
            "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rfusclient.exe" /tray /user
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1800
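
The process tree above is the thing worth turning into a hunt: two agent binaries launched from the user's Roaming profile with a fixed set of switches, a Run key written by the `-second` instance, and a country-code lookup. The script below is an added example and not part of the sandbox report; it runs the corresponding checks over constructed Sysmon-style events. The process entries mirror the report's tree, the registry events are constructed (the report records a Run key write and a location lookup but not the value names), and the `Geo\Nation` value is an assumption about what the "Checks computer location settings" signature refers to. Only the stable `\AppData\Roaming\Remote Utilities Agent\` prefix is matched, since the `70510\BC518FA3B1` components are assumed to vary per install.

```python
"""Hunt for the Remote Utilities agent launch chain and Run-key persistence
seen in the sandbox report, over constructed Sysmon-style events."""
import re
from typing import Iterable, Optional

# Binaries and launch switches taken from the report's process tree.
AGENT_BINARIES = {"rutserv.exe", "rfusclient.exe"}
AGENT_SWITCHES = {"-run_agent", "-second", "/tray", "/user"}

# Drop directory from the report; per-install suffix components are not matched.
AGENT_DIR_RE = re.compile(r"\\AppData\\Roaming\\Remote Utilities Agent\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Assumed target of the "Checks computer location settings" signature.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify_process(ev: dict) -> Optional[str]:
    """Flag an agent binary running from the user profile or with agent switches."""
    image = basename(ev["image"])
    in_agent_dir = bool(AGENT_DIR_RE.search(ev["image"]))
    switches = AGENT_SWITCHES & set(ev["cmdline"].split())
    if image in AGENT_BINARIES and (in_agent_dir or switches):
        return (f"pid {ev['pid']}: Remote Utilities agent {image} "
                f"switches={sorted(switches)} user-profile={in_agent_dir}")
    return None


def classify_registry(ev: dict) -> Optional[str]:
    """Flag a Run value pointing into the agent directory, or a geofence lookup."""
    if RUN_KEY_RE.search(ev["key"]) and AGENT_DIR_RE.search(ev.get("data", "")):
        return f"pid {ev['pid']}: Run-key persistence {ev['key']} -> {ev['data']}"
    if GEO_KEY_RE.search(ev["key"]) and basename(ev["image"]) in AGENT_BINARIES:
        return f"pid {ev['pid']}: {basename(ev['image'])} read country code (geofence check)"
    return None


def scan(events: Iterable[dict]) -> list:
    handlers = {"process": classify_process, "registry": classify_registry}
    return [hit for ev in events if (hit := handlers[ev["type"]](ev))]


def lineage(events: Iterable[dict], pid: int) -> list:
    """Walk ppid links back to the root to show what launched the agent."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


# Constructed sample events. Process entries follow the report's tree; the
# parent of the installer (1234) and the registry value names are made up.
AGENT = r"C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2368, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\agent-7.5.1.0.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\agent-7.5.1.0.exe"'},
    {"type": "process", "pid": 2944, "ppid": 2368, "image": AGENT + r"\rfusclient.exe",
     "cmdline": f'"{AGENT}\\rfusclient.exe" -run_agent'},
    {"type": "process", "pid": 2584, "ppid": 2944, "image": AGENT + r"\rutserv.exe",
     "cmdline": f'"{AGENT}\\rutserv.exe" -run_agent'},
    {"type": "process", "pid": 2580, "ppid": 2584, "image": AGENT + r"\rutserv.exe",
     "cmdline": f'"{AGENT}\\rutserv.exe" -run_agent -second'},
    {"type": "process", "pid": 1800, "ppid": 2580, "image": AGENT + r"\rfusclient.exe",
     "cmdline": f'"{AGENT}\\rfusclient.exe" /tray /user'},
    # Benign control: an unrelated process.
    {"type": "process", "pid": 3100, "ppid": 1234,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    # Constructed Run value written by the -second instance.
    {"type": "registry", "pid": 2580, "image": AGENT + r"\rutserv.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\rutserv",
     "data": f'"{AGENT}\\rutserv.exe" -run_agent'},
    # Constructed country-code read.
    {"type": "registry", "pid": 2584, "image": AGENT + r"\rutserv.exe",
     "key": r"HKCU\Control Panel\International\Geo\Nation", "data": "244"},
    # Benign control: a Run value for a program under Program Files.
    {"type": "registry", "pid": 3200, "image": r"C:\Program Files\Vendor\updater.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print("launch chain for pid 1800:", " <- ".join(lineage(SAMPLE_EVENTS, 1800)))
```

The installer itself (pid 2368) is deliberately not flagged: it is a vendor package that may legitimately be present, whereas an agent binary running from a per-user Roaming path with a Run value pointing at it is the combination that a silent, unapproved deployment leaves behind.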

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\EULA.rtf

    Filesize

    66KB

    MD5

    3d6750bd2c808e440d189706f9f406b7

    SHA1

    855176109fb57d8539cb903e2371e14065d39d11

    SHA256

    ec91d23f59cdde832db0233416e8864003dc867c801624f16b5931bc8ee6a8a6

    SHA512

    9d42e9bfff537b91fbcb71738f3047defd65b472d3e7a82c32a45b2355216aa3e68da626afbd0c5ba9e2b04c950e6c3d20ddfa36e9874b8c83913b0c14e98f3f

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\eventmsg.dll

    Filesize

    54KB

    MD5

    48c9cc8531e6bf12418eb70bbf593a3e

    SHA1

    21aec8ef6f4e097e444f26464045e110ca10fac6

    SHA256

    ad5fe891daa6d63b6d237591ef513eb07f6f0bb6f536098ad9a5e2ab22a652ee

    SHA512

    076eb39c85c0b4d307391044f46d0300833d0ff33c45b8e37e1d364e3bfb884e30fdb1211cba58abc6879a8763c95aba837859414fadb3d6a079b8c7c3b943a8

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\libasset32.dll

    Filesize

    8.8MB

    MD5

    5f41cb1e50cafbdb30e02613bb83a60f

    SHA1

    ca6438816e27188b4916ea91da76dc64bbf5f668

    SHA256

    bc4632709edb2c87d6d0ad55b9b9690d64bda6c52d375a62379bc62c89b1abf2

    SHA512

    2de95df54f9fccb2270f9bef90323432f7c7df0155844b2534be03dd8f8f9a9313491c45ef69f01b4ee35e918ff7d34cee0567a376fd79efce9cf8b56ea03588

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\libcodec32.dll

    Filesize

    6.8MB

    MD5

    08f23be58208183bb16892c804e52259

    SHA1

    eec18af2d72035203a5e4f24e05273d9b7ee12b9

    SHA256

    0c927c4d21e400770d2a4573defcf8e887079f73bc88385446d5d8b5467ef0e3

    SHA512

    192029eac41b208f1d2ce3f94dc57412bb8b96ec202ef4f2ec5d36a68b5412feae57bb54530137612667776ed40828ced09ad78b4abbd04b1f4f133559ae5f6a

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\privacy_policy.rtf

    Filesize

    139KB

    MD5

    b6d5dd2e4b2b3163f6bad087aa9f2ba4

    SHA1

    a9ef4821812d21c6bd93c9bc262494331d8eb130

    SHA256

    1fcb0c18d74b4157752a5776ca47bf31f893453b4bcb82ba67b402769d054c26

    SHA512

    06b30fa94a1177c08dbcdf2251f2e48640bfe6403849d99af5522e0dd6e6978d9d30abc3d1023498b51cd9833ef9dc9845b73310cad2cd29650379f6f7c80b9b

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rfusclient.exe

    Filesize

    10.8MB

    MD5

    0af8a4933b51f175939ff0a7ce1a3e42

    SHA1

    697a29dee604a9621a619dc9f5783ef6f6b12ddc

    SHA256

    ed8f2eb7e9f628b57025cfdab1b81466c9a4e0ba618655d3a1050de2bfc0c8c9

    SHA512

    cc3705bcf6b668b8180b5ea0862a7ca95f6bf3bba869dd12c9ff54a86b6adf27f34cf8c9eb8da9d55bef7766fa91bc2e4b8154d0c88005d022dceb0def7336a4

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\rutserv.exe

    Filesize

    20.9MB

    MD5

    f5d4ae78842dc0d7d61424d19a2ea8ed

    SHA1

    06f911958e8e94a68f9220960321095080134336

    SHA256

    98032ce81a7ff261b8172934be4b6d09d790c9cb5a1976bace90b2d1f98bd27b

    SHA512

    8c16ba5b4be47cb9398f7e3a10b1440221a11d5048b4d56cebf3c7c706ff8fa2a64e5979040c13e2e713db791ba1fe618afa0ffe3a4b4008c8f3de3ccf8ead33

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\vp8decoder.dll

    Filesize

    380KB

    MD5

    c14000f68306f1cf0ec799df9568ae01

    SHA1

    788d8d7a0ba86ba6c7ef4f7ae50cdc65ddb348ff

    SHA256

    53b040341ce80f246c8437a99df5252a48801e2154eb94dc50af54a75d8d85ac

    SHA512

    2d4769949832794ce310474f843b696ea8eeb819554ecd72c449981988a6f8fbc5155d84a97d8a4c015348b3dfe6708f88c64b257d4a4d0d4a03dd068dda4113

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\vp8encoder.dll

    Filesize

    1.6MB

    MD5

    30448db0aac5ac16d7ad789011bf8d20

    SHA1

    457a43f6d2a0120c138dd9d57bcb64b21f84d9d7

    SHA256

    d781088435617ca1facf74c1304f82afcb388813a75c8cb32213541d35b21832

    SHA512

    300e3ae2ac133e2494c449354582ad9be51731d3e92d161b998db14262cc08436eeddb2b73a2f47cb4d1245348055f19e02721638a64a0630f513d4919b359dd

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\webmmux.dll

    Filesize

    260KB

    MD5

    5e8673834662ac42b8363e19bc719282

    SHA1

    bb1c1ed731830a03db47d232e748df4e4d196db9

    SHA256

    a64a113955ec0d89ae6ff357f9bb1063c7dd29fe5610ee516a94ac17b11172c2

    SHA512

    3cf558b2d3ca03aed1ef0cfe36fb7ff3fe7a3af63a4c3b0cb6cf13c58baacae17e5a01bad743affae8c4f5b9f5425dd4a97755aca2ded99e70d782f699a9e225

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\webmvorbisdecoder.dll

    Filesize

    365KB

    MD5

    95d30b282132fb591fd5fdd94e52af05

    SHA1

    eb7abe2f02c19ee41e4efc2506337288141d70ed

    SHA256

    e6c04dc8359b2c76f765fce37ec123d33acbc5ce93e60022ba88eb7c867ac3f6

    SHA512

    9e4ea23519d243d6d3ae93d2501f05f35aa1cc6264adb8f180f8a255bd35fb7996e110ac0ec7960fa0b93062be45eb0c0922d9597e76ee8180781cc5c9a9c792

  • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70510\BC518FA3B1\webmvorbisencoder.dll

    Filesize

    860KB

    MD5

    a663e7ef3f3cd7a1d4790b4ebf491c27

    SHA1

    bfe086e653d0bc8d20acae61990ba4fa33f2a1f7

    SHA256

    8b1f95d7c0fdf25a6278347afda2f5ac4c86045c7fc530a330be885d8a87ea68

    SHA512

    e78460c287646f509a50b878a34392546e01803a46c389e942073013a8292e3653713f2b6067842ecccb09b7cdc13d1d9fff76065aa61910fc3cebe6a1c20c47
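
The dropped-file hashes above are only useful once they are compared against files on a host, and a plain hash lookup misses the common case where the same Remote Utilities binaries are present at a different build (different hash, same role). The script below is an added example, not part of the report: it carries the report's SHA-256 values for the installer and the executable drops, hashes a directory tree, and separates exact matches from same-named binaries whose hash differs. The demo directory and its contents are constructed, and the hash of one constructed stand-in is appended to a copy of the table purely to exercise the exact-match path; no real Remote Utilities file is needed to run it.

```python
"""Match files on disk against the dropped-file SHA-256 values from the report,
distinguishing exact hash matches from same-named files of another build."""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values copied from the report (target and executable drops).
REPORT_SHA256 = {
    "2816304558b1408a0f0e59e248991db4dcba8cddda7261dd4bd9ee98b0f725e0": "agent-7.5.1.0.exe",
    "ed8f2eb7e9f628b57025cfdab1b81466c9a4e0ba618655d3a1050de2bfc0c8c9": "rfusclient.exe",
    "98032ce81a7ff261b8172934be4b6d09d790c9cb5a1976bace90b2d1f98bd27b": "rutserv.exe",
    "bc4632709edb2c87d6d0ad55b9b9690d64bda6c52d375a62379bc62c89b1abf2": "libasset32.dll",
    "0c927c4d21e400770d2a4573defcf8e887079f73bc88385446d5d8b5467ef0e3": "libcodec32.dll",
    "ad5fe891daa6d63b6d237591ef513eb07f6f0bb6f536098ad9a5e2ab22a652ee": "eventmsg.dll",
}
KNOWN_NAMES = set(REPORT_SHA256.values())


def sha256_file(path, chunk=1 << 20) -> str:
    """Stream the file through SHA-256 so large drops (rutserv.exe is 20.9MB) fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=REPORT_SHA256):
    """Return (exact, name_only).

    exact:     (path, report name) for files whose SHA-256 is in the table.
    name_only: (path, digest) for files named like a dropped binary but with a
               different hash, i.e. another build; worth review, not a confirmed hit.
    """
    exact, name_only = [], []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in iocs:
            exact.append((str(p), iocs[digest]))
        elif p.name.lower() in KNOWN_NAMES:
            name_only.append((str(p), digest))
    return exact, name_only


def demo():
    """Scan a constructed directory; none of these files are real agent binaries."""
    root = Path(tempfile.mkdtemp())
    (root / "rutserv.exe").write_bytes(b"constructed stand-in, not the real binary")
    (root / "notes.txt").write_bytes(b"unrelated file")
    sub = root / "sub"
    sub.mkdir()
    stand_in = sub / "libcodec32.dll"
    stand_in.write_bytes(b"another constructed stand-in")
    # Extend a copy of the table with the stand-in's hash to exercise exact matching.
    iocs = dict(REPORT_SHA256)
    iocs[sha256_file(stand_in)] = "libcodec32.dll"
    return scan_tree(root, iocs)


if __name__ == "__main__":
    exact, name_only = demo()
    for path, name in exact:
        print(f"EXACT     {name:18} {path}")
    for path, digest in name_only:
        print(f"NAME-ONLY {Path(path).name:18} {digest[:16]}... {path}")
```

On a real host, point `scan_tree` at the user profile (the report's drop location is under `AppData\Roaming`) rather than the whole disk, and treat a name-only hit as a prompt to pull the file for hashing against the vendor's published builds.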

  • memory/1800-108-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-123-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-168-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-163-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-158-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-153-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-148-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-143-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-138-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-133-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-104-0x0000000074530000-0x0000000074BDA000-memory.dmp

    Filesize

    6.7MB

  • memory/1800-103-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-128-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-118-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/1800-113-0x0000000001240000-0x0000000001DBD000-memory.dmp

    Filesize

    11.5MB

  • memory/2368-25-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2368-63-0x0000000003400000-0x0000000003410000-memory.dmp

    Filesize

    64KB

  • memory/2368-24-0x0000000000260000-0x0000000003223000-memory.dmp

    Filesize

    47.8MB

  • memory/2368-69-0x0000000000260000-0x0000000003223000-memory.dmp

    Filesize

    47.8MB

  • memory/2580-102-0x0000000074530000-0x0000000074BDA000-memory.dmp

    Filesize

    6.7MB

  • memory/2580-146-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-106-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-131-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-101-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-136-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-111-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-141-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-116-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-126-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-166-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-151-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-121-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-156-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2580-161-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2584-84-0x00000000744D0000-0x0000000074B7A000-memory.dmp

    Filesize

    6.7MB

  • memory/2584-83-0x0000000000340000-0x00000000018ED000-memory.dmp

    Filesize

    21.7MB

  • memory/2944-81-0x00000000744D0000-0x0000000074B7A000-memory.dmp

    Filesize

    6.7MB

  • memory/2944-79-0x0000000000A40000-0x00000000015BD000-memory.dmp

    Filesize

    11.5MB