Managed XDR

appdata-remote-utiliti...fd00e34b6b-rutserv.exe (RMS) — malware analysis report

File info

Filename
appdata-remote-utilities-agent-69111-fd00e34b6b-rutserv.exe
File type
PE32 executable (GUI) Intel 80386, for MS Windows
File size
12.6 MB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
3146fd3656a56051422652f4eb7e809a8878f09a
SHA256
f268d1157a7342ae3c88e9ccbf9fb9e04ecfbc17f07dc763f5434f9e9113ec2a
MD5
c319b599dcee0764bc7bc87e6bb41a29

Malwares

  • RMS

Signatures

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036.001 invalid_authenticode: Digital signature of the executable file has failed the verification
T1497.001 antisandbox_productid: Obtains Windows ProductID, probably to fingerprint a sandbox
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1027.002 packer_entropy: Probably contains compressed or encrypted data

Discovery

T1497.001 antisandbox_productid: Obtains Windows ProductID, probably to fingerprint a sandbox
T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)
T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules
process_crashed: One of the processes has failed
no_graphical_activity: No graphic activity
pe_overlay: PE file contains overlay
open_winlogon_process: Trying to open winlogon process

Related reports