Analysis
-
max time kernel
119s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
23/03/2025, 15:41
General
-
Target
779c245a7df052facc1af2138f6618b0c6adb8039b81aa4715bb1b800b02e052N.exe
-
Size
4.4MB
-
MD5
c6f1bfd4ba89279e97cdc75ae2ed1510
-
SHA1
694cc750402bb79819fa6d465f664d27ce91661a
-
SHA256
779c245a7df052facc1af2138f6618b0c6adb8039b81aa4715bb1b800b02e052
-
SHA512
f407fca8556300a85e38205579752cc6d436e9ab34b6095bd51f6e844307dcede1a55e9de4d526441d21bf75640f398e41f7861311998d7a4e6f958d4ef9cae9
-
SSDEEP
98304:/4S1Gym+c3UILv5sUuGkz3RQ8Ke+OLFvMXhIHpxfsr:/4mG+ILvsGk9Q8tR9MXhy/sr
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Rms family
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Drops file in System32 directory 16 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 1 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\779c245a7df052facc1af2138f6618b0c6adb8039b81aa4715bb1b800b02e052N.exe"C:\Users\Admin\AppData\Local\Temp\779c245a7df052facc1af2138f6618b0c6adb8039b81aa4715bb1b800b02e052N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HavijCracked.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HavijCracked.exeHavijCracked.exe /p12343⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMS.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RMS.exeRMS.exe /p12345⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\System32\SysFilesCatalog\install.vbs"6⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\System32\SysFilesCatalog\install.bat" "7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"8⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\SysFilesCatalog\rutserv.exerutserv.exe /silentinstall8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\SysFilesCatalog\rutserv.exerutserv.exe /firewall8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\SysFilesCatalog\rutserv.exerutserv.exe /start8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\SysFilesCatalog\rutserv.exeC:\Windows\SysWOW64\SysFilesCatalog\rutserv.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exeC:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exeC:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exe /tray3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exeC:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exe /tray2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40B
MD5ea5fb7bef8049dd1b276215ac72ba860
SHA1fb0beaf4a9a78e3a596acbac069a99b3adbec602
SHA2566ce14adee0448d4f7f1cf001a45ea1dcfa7c9b9cd0a8a795eeb8b9eee2942813
SHA5122c248ec97d5d150a0a048c43b9dd9532527f7098beaeada9e016dbe4c7e54c1867afcb84d42a005198a1a89c37299d4947f9950bb6df1ba0d79cfab68474252d
-
Filesize
4.2MB
MD521a8be33fb31bd8f4d58b6943f12719c
SHA1411146e9bc09188466051a090348172d6df8a64a
SHA256d5eaa74b76a85c556aa41b7520a2380fb71886950c87be0e227ee23ca4c4a577
SHA5128ddef36e2fe5a93a796a9ae7481ba4b1dfb4644619da2b08f31b221af59541693eb4f6a937390bfe8ef16b6c27c455416b57493ead8430715e8b89ca3a38db4c
-
Filesize
31B
MD53fdb252bee147ef14aa44035b4b6208b
SHA1c13b54b0c29167afac2ace60a47d1b12254476fc
SHA25677e5b000bf7b78f8d5bf81dbd9df8b2c98baebaaf94d218471d680179a131182
SHA5126078de6e59b6ee396b51f24fe625a208c60f544c89d4d2d361e52286ae224a803cfbdb7d8bbef94ff2c717ef8df6113d0b69324752c2d3d2ae932faabd4aab92
-
Filesize
4.1MB
MD56682674116a76c8f9a118782d2e0b334
SHA1b243152e66a1a2b0792bb52b6bb6f053360cc734
SHA25661bf61a4e46b2799e2c7ec674feb5638717883b4df8b823ad25e22b36ffef6a1
SHA512c2c093a192dd80aa447df40a810623e0d8c5f186f98cdeb4ceb3380c321991432f8bef0bcf54a3f59768f2265f0b2e2315eb137aa42dd4025cfb80223a7b635d
-
Filesize
480B
MD599db27d776e103cad354b531ee1f20b9
SHA10b82d146df8528f66d1d14756f211fd3a8b1b91a
SHA256240020a1a1941d1455135b5cb134e502a13b148be16cbb1552482aa03c29f8f3
SHA512bc2ed33495c0a752397b2f1b9b7ba65f94ea5be82dde74c618342c83b68f1b92a4783b672cd427843533799e1af0875e0fd000b12236852e9e2fa93005d7ac69
-
Filesize
117B
MD565fc32766a238ff3e95984e325357dbb
SHA13ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608
-
Filesize
12KB
MD53d0cb95fd41272e7ac77b510b6bad639
SHA1eba5e783fd1b00bb51939ffdfc4831693bb29298
SHA256692960329d595a028149698f6ef762f33df9f21e1e9efb64910686c853231a1a
SHA512588f595c79f420db55e472bcf257d0c5d6ab0abcaff19a48a8234c434ad27a7a88308606710caf07eb19fa8b0c95807872ca42d8efa326278810110b6f3aaaad
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
Filesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB