Overview

overview

10

Static

static

43f99c7803...in.exe

windows7_x64

10

43f99c7803...in.exe

windows10_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    16-04-2021 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe

  • Size

    11.2MB

  • MD5

    885048c2a7156ec45ad6ea9cb3e31fba

  • SHA1

    e9c35853bed083c1b16c9004bb0120b57ab3e425

  • SHA256

    43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5

  • SHA512

    de1c4f1c70253d3123e5d6b458846610457f994ecc8e63ab26b5e65b28d509d9b76065640e30705629e8db606532a15f24eed738b77d8734559fd78c4fe18507

Score
10/10
rmsrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe
      C:\Users\Admin\AppData\Local\Temp\43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5.bin.exe -second
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4032
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2204-114-0x0000000001190000-0x0000000001191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4032-115-0x0000000000000000-mapping.dmp
    Download
  • memory/4032-116-0x0000000001140000-0x0000000001141000-memory.dmp
    Filesize

    4KB

    Download