Analysis
-
max time kernel
57s -
max time network
56s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09/03/2025, 01:43
General
-
Target
1fae3ad968bff6ea3c7635133395c778acf01e0c65b3e37164c03dd9df319173.exe
-
Size
18.0MB
-
MD5
f462b66d97b03251101a54d3c79482f7
-
SHA1
706bfebbac24813ee622f2bd0112a9af091ebf7a
-
SHA256
1fae3ad968bff6ea3c7635133395c778acf01e0c65b3e37164c03dd9df319173
-
SHA512
053987a1dc75d9145de3a1e7f935bb2c73ba0017df45d343d04d3c66fa2857e42026caff6763427f00514ba12b51542c1fdaecc16a7a4a0732a1243a1ff2a40d
-
SSDEEP
393216:H+Xs2+MAwkdkDqQwsUVxTwiws6Bxxz4IHFCeastdbPXeQ+AeDvLiGY:XwkdkWx8sMjz4I0eaIrxBx
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Rms family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 14 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 30 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 47 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 4 IoCs
-
Kills process with taskkill 10 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fae3ad968bff6ea3c7635133395c778acf01e0c65b3e37164c03dd9df319173.exe"C:\Users\Admin\AppData\Local\Temp\1fae3ad968bff6ea3c7635133395c778acf01e0c65b3e37164c03dd9df319173.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\QSoftGroup\QtMessenger\Qmesseger.exe"C:\Program Files (x86)\QSoftGroup\QtMessenger\Qmesseger.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\programdata\temp\1.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\programdata\temp\QMessDLL.sfx.exeQMessDLL.sfx -p123 -dc:\programdata\temp4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\programdata\temp\QMessDLL.exe"C:\programdata\temp\QMessDLL.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Log\run.vbs"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Log\pause.bat" "7⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Log\Rar.exe"Rar.exe" e -p4354726 db.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout 58⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run9⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Log\install.bat" "10⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state off11⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe11⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe11⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im systemc.exe11⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im drivemanag.exe11⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im dumprep.exe11⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winlogs.exe11⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im svnhost.exe11⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im svcservice.exe11⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\net.exenet stop RManService11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RManService12⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f11⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f11⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f11⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"11⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 111⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Folder58\svnhost.exesvnhost.exe /silentinstall11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Folder58\svnhost.exesvnhost.exe /firewall11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s regedit.reg11⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Folder58\svnhost.exesvnhost.exe /start11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/100011⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own11⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "RManService"11⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout 211⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Folder58\*.*"11⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Folder58"11⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Log"11⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rar.exe11⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rar.exe11⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run9⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
-
C:\programdata\temp\QMessenger.exe"C:\programdata\temp\QMessenger.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Folder58\svnhost.exeC:\Folder58\svnhost.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Folder58\svcservice.exeC:\Folder58\svcservice.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Folder58\svcservice.exeC:\Folder58\svcservice.exe /tray3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\Folder58\svcservice.exeC:\Folder58\svcservice.exe /tray2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.7MB
MD52687795ac5c0521cb8004c536bd48792
SHA144f04f5124f797059dca45693096877cb7bb0ec0
SHA256525441a2d1e7e5dff1cbbde9d12b36e1a9d99c00989107d7d08a2d1c32325419
SHA512de68aaa6ab8391655b7c16f648123125a97138ecf451266545c157d5b65881fbfb1387d66733f6cd363489434fb2a82502836907c96ecba6b745c4232c28df00
-
Filesize
1KB
MD59e38327024cce4ac9170a83835a7ead7
SHA14f5ed75da06682aa5cd2a01a98f79027eb34e55c
SHA25639475571aa38717d4d627d51056a4a92fe329c219f9233ef290c8d064ff1eb03
SHA5121377828d39a0d794f2619f18e98dff0b8af4b40dab31a98d65fa887caba5ab12b65048da55d7ea2bab60f1e0a868d36a67b12b0ad27e064f14fb88d42fb914b4
-
Filesize
983B
MD5bf03918136de8296d2aed65b4edd7750
SHA1c48c32657feb787263b12cceb25563e85b470be0
SHA256a98be256938ed29524fc13a78fad13643a60031467cd7b0d35b226f8201ef02e
SHA5127c744a24df6d1e10d08e7fc331d9015e998a51edb43e20310b307df78e2d60b0f720eb8128f22cbd20b746dbd7d658aea140e0fba5fe90d87f8f9ab448c526d3
-
Filesize
288B
MD55036aedc56baa2ade69ff9402a32a43b
SHA1c7b347532fc95ae995f5ecf59121b4dacaf36773
SHA2568dcaf1ec21f1dd2014e519d426a8016011ac1f8bbc850bf51b3e842f9ce496bf
SHA512cb7105bf31fa36ff926a2d18eea01857f9c57c4ae33ca203b91ce4146409f2aa2c358717fc5d058431a90735bb21a115cdfdce7dd91739ca7433bb559390e103
-
Filesize
12KB
MD55a2891da1e888e0f91819add8efdd84b
SHA123fd5f48b2e9177514ba188a423b40cd96bcfa52
SHA25658e2e6036ad80b9f14e58b4909377339cdf8dd6379361301d002f8aa598a055a
SHA5126e780e4933e12180a28865c2583fb112e6d73ca8b88d0c41ba8dc447a8cb5ef53d9a58213b594f118cf84ef47e0a762c4c9bed4775b18f927e46214f8a016a2f
-
Filesize
84B
MD56a5f5a48072a1adae96d2bd88848dcff
SHA1b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c
-
Filesize
1.3MB
MD56ac02eb47f8b1d1af1bf26b8f843ad17
SHA189e9e750ff3c2ca3c9e5025ac02eb8c59e583c17
SHA2563bed087290575fd87f3b7f6f2f22c173b8a27c9c3fd9719f0ed23a68ae61f94d
SHA512ba8a8c6d5390c992d6cec945c856e6049795055d63e689f94345f2aff4fe65de87edde90b1471f9d5c82071369a83037c1e1ed87a11f9fe1583c060a69622bf4
-
Filesize
1.5MB
MD55a0d4307f6abeae89c8ec57edab8e5e5
SHA15272f340b3e15a9033665cb1e7a6b780d5aa196f
SHA2562e4f4ce575e21aead48f5c5323191b34cc5c32a6b58fdeeb10791721e7020410
SHA5129e652f955aeee7c99686dde1339bee988e406a701eb13f788979f2047138e5fc76cfe5b0d6048acab2322e538fc0c23ee006974131e8fc9356089c4c2abb1c7e
-
Filesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
Filesize
40B
MD5cc6e667291c9cb9c7c5c61112e5ebfab
SHA11c9af11860d859c39e8869870b06bf2aab0e7c85
SHA2563bea3174fc00ceccb2ac4538534317eba62504953822ce8dfbe7fd2dde36bb33
SHA512491ac95ebf774c66f479bf15addba582bc2c7a8cc9e2ebfea1e76af8c40383dd761297f78182c91668a89b1968dab4ea6fd6e6d912a30e6f2e718e1e4f66267a
-
Filesize
4.0MB
MD548f970de8507f30620d63a8f0c96611a
SHA103e9bc7c6cccdfb8e8f34e82605f8cd6a16c0061
SHA256596ea8ce19a50377c6081831dbc64fdcdf093730dfe4caa7eede0301910ed143
SHA512fb4baba9496683dfc939b9a913afcff9851d92930924ad6c188829ef99ce67f872efe94b1cbc11dc5e9c23c9b0d33fb6579ef03df5cea4f7703e38786f5dd754
-
Filesize
8.0MB
MD54e178e9e3dacb3d49c676d94d8c388df
SHA18f41b9ffac3b95e64690ff8f1cd7ef347b670f6b
SHA256ed8976b3a262638447f1218aa26c6fb26197af40315af35b9ddbf4530155e529
SHA5123367b101feddafe0af04c50b54ff344f41dc25bfce8990d3f3d10be3dfcd05c5a4fd6c3b9f1ed3417a3cbacbb139b01c915a692a6fbe68376543f67146dc7262
-
Filesize
1.7MB
MD5895d9f73ee2a9e0cbe39466bd0a9e8fd
SHA1fae47e4e8b48e6ed0e3786ef1006483651ea1697
SHA2569577123132dfb14f4ebdfb693eb208552f9a32cfef45347e19a7dbc74e5a0a41
SHA512fc4595d564a0ee4e90713ce2054d9ad6379834692879910b52fc76b421e401e871f6e57f5614fd703df00d0fad1cce2ae8bd7549eee227e24f178eafc11d8c69
-
Filesize
370KB
MD52e86a9862257a0cf723ceef3868a1a12
SHA1a4324281823f0800132bf13f5ad3860e6b5532c6
SHA2562356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA5123a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de
-
Filesize
7.6MB
MD5ddebcd8a802e676b64fe1fc7e12f4dea
SHA1d87a8245ec8d10d32da3a0cc79edb5403dc0e818
SHA2568b310bbccd4c13c80d8578d7d1542592b7a45396371a9ec245c93ce449e12b98
SHA512b431c521139f0dfb9bce9c13d49070e7f95f1bf0aa35c46f59d930e322c8abecd781c78bbb3bbc2f00536f397f85539154e02d23ac7c4adb511c7d45b1be459e
-
Filesize
3.9MB
MD5de592969de5805467111f82f85ae88ee
SHA1f2cf7d3785aa590b9669b4abc99a3e5ecd003523
SHA256b3b5dcc06529b4d4be89147e601df3703792f598fb9e86a08964ee7eb8d0c3b4
SHA512440ef9e46bbd2037ebe5d48910a2a7920866313be977dca4c70802affb6ab235f2911fc0cf7254cd1b96b6be4423bc473c008792fe2840963746d8b3ba14c5c9
-
Filesize
7.3MB
MD5024367b75395ff8976bb4f5577fcb22f
SHA1a1e9bd003c61795678e89c49f11996b2ccab33a7
SHA256a3f73814d92c8aba08d7a1a706e58647e480bf330490d2488e4ea5cda418ac54
SHA5124b8b69d7ae2593fd3e26ff38e8712d32a9e4174bb593063f60d521ffa7268c096b1efb70f3ba05ba49dceaff678ad38e8a04c61641842e2a0124d23e387c2715
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
268KB
-
Filesize
5.7MB
-
Filesize
5.7MB