Overview

overview

10

Static

static

3

89ba05dd82...c5.exe

windows7-x64

10

89ba05dd82...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2025 04:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89ba05dd82c47779436799efad2651f54e2823b0606a46e984ee7b17881c97c5.exe

  • Size

    10.4MB

  • MD5

    3b792b5759ac51415be1c8405d772ca9

  • SHA1

    b26c53c4082a001a8cce1d7e1f0b7d9266f0e79a

  • SHA256

    89ba05dd82c47779436799efad2651f54e2823b0606a46e984ee7b17881c97c5

  • SHA512

    20ed824e46e460e853b3272bf7e3260ba481e13aa88dd38d3719e5ca6e4639954af4f23dbfde6e66e722e8fb5068756c1bb0c936e4506374a4a641a1323f0154

  • SSDEEP

    196608:AaEXZUCVKZhHIHVJhnpT+IHKPmUU2R79xLkUav4utUcVvD4JTOBopmf5t:QZUCVh1Jhpq6cmUU2NnYpv9UcVvD4sog

Score
10/10
rmsaspackv2discoveryrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Rms family
    rms
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Drops file in System32 directory 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Kills process with taskkill 2 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89ba05dd82c47779436799efad2651f54e2823b0606a46e984ee7b17881c97c5.exe
    "C:\Users\Admin\AppData\Local\Temp\89ba05dd82c47779436799efad2651f54e2823b0606a46e984ee7b17881c97c5.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Users\Admin\AppData\Local\Temp\over1.sfx.exe
        over1.sfx.exe -p12345 -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3940
        • C:\Users\Admin\AppData\Local\Temp\over1.exe
          "C:\Users\Admin\AppData\Local\Temp\over1.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\program files\java\install.vbs"
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3424
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Program Files\Java\install.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4896
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im rutserv.exe
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2108
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im rfusclient.exe
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1248
              • C:\Windows\SysWOW64\reg.exe
                reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1220
              • C:\Windows\SysWOW64\regedit.exe
                regedit /s "regedit.reg"
                7⤵
                • System Location Discovery: System Language Discovery
                • Runs .reg file with regedit
                PID:1372
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:1184
              • \??\c:\program files\java\rutserv.exe
                rutserv.exe /silentinstall
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:2256
              • \??\c:\program files\java\rutserv.exe
                rutserv.exe /firewall
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                PID:1708
              • \??\c:\program files\java\rutserv.exe
                rutserv.exe /start
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:3952
  • \??\c:\program files\java\rutserv.exe
    "c:\program files\java\rutserv.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4092
    • \??\c:\program files\java\rfusclient.exe
      "c:\program files\java\rfusclient.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3284
      • \??\c:\program files\java\rfusclient.exe
        "c:\program files\java\rfusclient.exe" /tray
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: SetClipboardViewer
        PID:3336
    • \??\c:\program files\java\rfusclient.exe
      "c:\program files\java\rfusclient.exe" /tray
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2184

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Java\install.bat
    Filesize

    290B

    MD5

    9dc2286281a11ee72985dd2041a58ee3

    SHA1

    de55198aa0f697ed77e98e3e61deb4cb70ba3b03

    SHA256

    67f0f1704add831bd00a4977a185a2c97198cc4b3299233f62c3a0820716268a

    SHA512

    ce4443ec8482cdce28bae0169b0d7df688190a596b914df0bbf62ae2598312c9bfc703ffd2d9b6c548e170bf4cb60cef9d4f9494b0e6391cd8cf6d45affa05f6

    Download Submit

  • C:\Program Files\Java\rutserv.exe
    Filesize

    1.7MB

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\File.bat
    Filesize

    30B

    MD5

    fc606dfc559820e8374dd0edd234db27

    SHA1

    d66ed56ffdded46d9b2e1d94867c116e420bdd04

    SHA256

    de27b88f63cd7da78f35f00a5feb6f01a3e83bb117b90a044246a31501be56ef

    SHA512

    0b749672de809ab6739078dba55dc5d67e9507e97699350d4c09176a0169ddf055c8c4c4dd18c4c95fbf99a0853db3c3054f6a981e32820ab893597c58ef3e1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\over1.exe
    Filesize

    3.9MB

    MD5

    dd4209f7493b99118c613d3fcc0566ed

    SHA1

    5854ccbee044c60a36f462d7fb8118b495354963

    SHA256

    9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6

    SHA512

    a9937a88057776ac09dfa67747f1bb738b836823566d317b0190416d257dbb8c26ae89068b1ec6b65990a8e94bae0cebc38938bf909042f9c0a54c7d01afe005

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\over1.sfx.exe
    Filesize

    4.1MB

    MD5

    87f208a270735dd380d70c6a460cbacd

    SHA1

    3909c1d03c23fbd770c1706cfd58f8fc717151bb

    SHA256

    b4638afed7165ed47ec106a76cc6f1fc1222105c47afbc3fa5aaff7886495849

    SHA512

    21049f5a2fe700f19168f5825210b6342171b9dfaa65d3076aeab43386ce57c15eadc430d405325124c0ba8abff4f42120a613cf157a5af3d34b4ecdc70f5ef7

    Download Submit

  • C:\program files\java\install.vbs
    Filesize

    117B

    MD5

    65fc32766a238ff3e95984e325357dbb

    SHA1

    3ac16a2648410be8aa75f3e2817fbf69bb0e8922

    SHA256

    a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

    SHA512

    621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

    Download Submit

  • \??\c:\program files\java\regedit.reg
    Filesize

    11KB

    MD5

    bda99f82ad842497074241baef8c1449

    SHA1

    2fcd176128a8ea66db7796dc7cb3f8fffb9bdad2

    SHA256

    102614d45322c5cc2454bea73a303baf60ad2a4b7bb7594eea9402832d21fe08

    SHA512

    161babfd48688d7748a718282700a95b04115f14ad9041d7ec99d3dfb64b861dea443cdb41b890b8b432eed6e271136f74500aa2a53c8b44c0e4db84b29b6c98

    Download Submit

  • \??\c:\program files\java\rfusclient.exe
    Filesize

    1.5MB

    MD5

    b8667a1e84567fcf7821bcefb6a444af

    SHA1

    9c1f91fe77ad357c8f81205d65c9067a270d61f0

    SHA256

    dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

    SHA512

    ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

    Download Submit

  • \??\c:\program files\java\vp8decoder.dll
    Filesize

    155KB

    MD5

    88318158527985702f61d169434a4940

    SHA1

    3cc751ba256b5727eb0713aad6f554ff1e7bca57

    SHA256

    4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

    SHA512

    5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

    Download Submit

  • \??\c:\program files\java\vp8encoder.dll
    Filesize

    593KB

    MD5

    6298c0af3d1d563834a218a9cc9f54bd

    SHA1

    0185cd591e454ed072e5a5077b25c612f6849dc9

    SHA256

    81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

    SHA512

    389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

    Download Submit

  • memory/1708-56-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1708-57-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1708-52-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1708-59-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1708-55-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1708-53-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1708-54-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/2184-81-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2184-82-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2184-84-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2184-129-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2184-119-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2184-112-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2184-108-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2184-105-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2184-87-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2184-90-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2184-80-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2256-45-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/2256-43-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/2256-46-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/2256-50-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/2256-48-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/2256-47-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/2256-44-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/3284-79-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3284-86-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3284-88-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3284-83-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3284-85-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3284-89-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3284-104-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3336-103-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3336-99-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3336-96-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3336-97-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3336-101-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3336-100-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3336-98-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3952-64-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/3952-65-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/3952-62-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/3952-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/3952-63-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/3952-61-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/3952-66-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-72-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-113-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-69-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-106-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-68-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-110-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-102-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-73-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-117-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-70-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-120-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-127-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-71-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-130-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4092-134-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download