Analysis
-
max time kernel
127s -
max time network
12s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
16-04-2021 11:11
General
-
Target
43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
-
Size
11.2MB
-
MD5
885048c2a7156ec45ad6ea9cb3e31fba
-
SHA1
e9c35853bed083c1b16c9004bb0120b57ab3e425
-
SHA256
43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5
-
SHA512
de1c4f1c70253d3123e5d6b458846610457f994ecc8e63ab26b5e65b28d509d9b76065640e30705629e8db606532a15f24eed738b77d8734559fd78c4fe18507
Score
10/10
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe"C:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exeC:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe -second2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/552-62-0x00000000003C0000-0x00000000003C1000-memory.dmpFilesize
4KB
-
memory/1848-59-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/1848-60-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB