Analysis
max time kernel: 149s
max time network: 142s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-11-2024 11:05

Behavioral task: behavioral1
Sample: agent-7.6.2.0.exe
Resource: win7-20240903-en
General
Target: agent-7.6.2.0.exe
Size: 22.3MB
MD5: c1b51dbd3b3b55a8af24abbf3ef8050b
SHA1: cb0f2984d2b91f6b9cc408ef9aaa676d364daeb7
SHA256: 3b328d4649eae2d574eab7ef71cf38a249b78d8b5fed20b3a1c549c361580027
SHA512: 5ef84faabb32e974e874e5f12df0b7e5f0d8ed7102ce90bd2239484a52d9c49c87c1c61cb1ce95d9eacc7004df52551b5da86ecc0b844f84d5eefb8f46ea40c7
SSDEEP: 393216:HkCtFKocM21vr0SkISu8mzhTx8r1mmuBka7Z+jXmoU4zJHTJRykR1dHA4L9WMVNe:Htcm2vJzhTx8QPT7QXNnVTb5DLjNWnz
Malware Config
Signatures
- Rms family
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\AgentRunOnce = "C:\\Users\\Admin\\AppData\\Roaming\\Remote Utilities Agent\\70620\\AF0B95CED3\\rutserv.exe" (rutserv.exe)
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation (rfusclient.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation (rutserv.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation (rfusclient.exe)
- YARA rule match: upx
  behavioral1/memory/2860-28-0x0000000000290000-0x0000000003275000-memory.dmp
  behavioral1/memory/2860-73-0x0000000000290000-0x0000000003275000-memory.dmp
- Executes dropped EXE (4 IoCs)
  PID 2804 rfusclient.exe, PID 2652 rutserv.exe, PID 1492 rutserv.exe, PID 1880 rfusclient.exe
- Loads dropped DLL (9 IoCs)
  PID 2860 agent-7.6.2.0.exe, PID 2804 rfusclient.exe (x5), PID 2652 rutserv.exe, PID 1492 rutserv.exe, PID 1880 rfusclient.exe
- Embeds OpenSSL (1 IoC)
  Embeds OpenSSL, may be used to circumvent TLS interception.
  behavioral1/files/0x0007000000016de8-56.dat: embeds_openssl
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rutserv.exe, rfusclient.exe, agent-7.6.2.0.exe, rfusclient.exe, rutserv.exe)
- Modifies data under HKEY_USERS (4 IoCs)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (rutserv.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\SysWOW64\ieframe.dll,-5723 = "The Internet" (rutserv.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" (rutserv.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" (rutserv.exe)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 2804 rfusclient.exe (x2), PID 2652 rutserv.exe (x3), PID 1492 rutserv.exe (x2), PID 1880 rfusclient.exe (x2)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 2652 rutserv.exe
  Token: SeTakeOwnershipPrivilege, PID 1492 rutserv.exe
  Token: SeTcbPrivilege, PID 1492 rutserv.exe (x2)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1880 rfusclient.exe (x2)
- Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1880 rfusclient.exe (x2)
- Suspicious use of SetWindowsHookEx (9 IoCs)
  PID 2652 rutserv.exe (x4), PID 1492 rutserv.exe (x5)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2860 (agent-7.6.2.0.exe) wrote to memory of PID 2804, procid_target 30 (x4)
  PID 2804 (rfusclient.exe) wrote to memory of PID 2652, procid_target 31 (x4)
  PID 1492 (rutserv.exe) wrote to memory of PID 1880, procid_target 34 (x4)
Processes
1. C:\Users\Admin\AppData\Local\Temp\agent-7.6.2.0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\agent-7.6.2.0.exe"
   PID: 2860
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70620\AF0B95CED3\rfusclient.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70620\AF0B95CED3\rfusclient.exe" -run_agent
      PID: 2804
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70620\AF0B95CED3\rutserv.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70620\AF0B95CED3\rutserv.exe" -run_agent
         PID: 2652
         - Checks computer location settings
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         4. C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70620\AF0B95CED3\rutserv.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70620\AF0B95CED3\rutserv.exe" -run_agent -second
            PID: 1492
            - Adds Run key to start application
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70620\AF0B95CED3\rfusclient.exe
               Command line: "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70620\AF0B95CED3\rfusclient.exe" /tray /user
               PID: 1880
               - Checks computer location settings
               - Executes dropped EXE
               - Loads dropped DLL
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage
Downloads