Analysis

  • max time kernel: 146s
  • max time network: 143s
  • platform: windows10_x64
  • resource: win10v20210408
  • submitted: 16/04/2021, 03:26

General

  • Target: AB83D0AA6A9DB035E8AD1D885FFAEC95BE2C54EDE29AA.exe
  • Size: 14.9MB
  • MD5: 9dee1357e73bf18ca611e1b0d758435b
  • SHA1: aeddcc6022b2f1efdb2b65a558ca930c4b7cbb65
  • SHA256: ab83d0aa6a9db035e8ad1d885ffaec95be2c54ede29aaea31bd35e7b9459eaa9
  • SHA512: 91feb26965514c1e5ad473460bf807ec1459e6e9f02b07f7720a81fdaf3ba0c67592beb25e86fa158a4df67f388d27733c9a7d32e5027a104559bf82753d30aa

Score
10/10

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AB83D0AA6A9DB035E8AD1D885FFAEC95BE2C54EDE29AA.exe
    "C:\Users\Admin\AppData\Local\Temp\AB83D0AA6A9DB035E8AD1D885FFAEC95BE2C54EDE29AA.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:808
  • C:\Users\Admin\AppData\Local\Temp\AB83D0AA6A9DB035E8AD1D885FFAEC95BE2C54EDE29AA.exe
    C:\Users\Admin\AppData\Local\Temp\AB83D0AA6A9DB035E8AD1D885FFAEC95BE2C54EDE29AA.exe
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\Users\Admin\AppData\Local\Temp\AB83D0AA6A9DB035E8AD1D885FFAEC95BE2C54EDE29AA.exe
      "C:\Users\Admin\AppData\Local\Temp\AB83D0AA6A9DB035E8AD1D885FFAEC95BE2C54EDE29AA.exe"
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\ProgramData\SQLRemote.exe
        "C:\ProgramData\SQLRemote.exe"
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\69110\838192D8E2\rfusclient.exe
          "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\69110\838192D8E2\rfusclient.exe" -run_agent
          4⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\69110\838192D8E2\rutserv.exe
            "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\69110\838192D8E2\rutserv.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3692
            • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\69110\838192D8E2\rutserv.exe
              "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\69110\838192D8E2\rutserv.exe" -second
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1980
              • C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\69110\838192D8E2\rfusclient.exe
                "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\69110\838192D8E2\rfusclient.exe" /tray /user
                7⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:1084
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3164

Network

MITRE ATT&CK Enterprise v6

Downloads

  Memory dump                                                         Filesize
  memory/736-116-0x00000000001D0000-0x00000000001E6000-memory.dmp     88KB
  memory/808-114-0x0000000001380000-0x000000000142E000-memory.dmp     696KB
  memory/1084-168-0x0000000000AF0000-0x0000000000B9E000-memory.dmp    696KB
  memory/1980-136-0x00000000012D0000-0x00000000012D1000-memory.dmp    4KB
  memory/2164-124-0x0000000000B40000-0x0000000000B41000-memory.dmp    4KB
  memory/2844-120-0x0000000001CE0000-0x0000000001CE1000-memory.dmp    4KB
  memory/3692-127-0x00000000011A0000-0x00000000012EA000-memory.dmp    1.3MB
  memory/3800-117-0x00000000013D0000-0x00000000013D1000-memory.dmp    4KB