Analysis

  • max time kernel: 151s
  • max time network: 12s
  • platform: windows7_x64
  • resource: win7v20210410
  • submitted: 08-05-2021 18:46

General

  • Target: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe
  • Size: 6.4MB
  • MD5: 41253bfee19b9631d3c508621fc9deb6
  • SHA1: 045398163ddb346eca0636bc7f9acc58f993c1e9
  • SHA256: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e
  • SHA512: 851dc55ffb8263f5bfcad9537fb81c5d4168d2d96bd29f085b785405216b348d99aabee102522dec587a9c70ff1486f67f052c167e0dd39e01be85329466d9c5

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe
    "C:\Users\Admin\AppData\Local\Temp\e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Roaming\System64\1systemsmss.exe
      "C:\Users\Admin\AppData\Roaming\System64\1systemsmss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Roaming\Zont911\Regedit.reg"
        3⤵
        • Runs .reg file with regedit
        PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • T1004 Winlogon Helper DLL (1)
    • T1060 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    • T1112 Modify Registry (2)
  • Discovery
    • T1082 System Information Discovery (1)

Downloads

  • C:\Users\Admin\AppData\Roaming\System64\1systemsmss.exe
    MD5: 41253bfee19b9631d3c508621fc9deb6
    SHA1: 045398163ddb346eca0636bc7f9acc58f993c1e9
    SHA256: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e
    SHA512: 851dc55ffb8263f5bfcad9537fb81c5d4168d2d96bd29f085b785405216b348d99aabee102522dec587a9c70ff1486f67f052c167e0dd39e01be85329466d9c5

  • C:\Users\Admin\AppData\Roaming\Zont911\Regedit.reg
    MD5: f7fa0118ed5d484dc43be5b3f1fb23a1
    SHA1: dc344a3ed842e1bb0e1c8b6cff9dbc497118619e
    SHA256: 9d0af58f891458994cba9daffaa3508cc643911503ffd2890cdc124f414cf3c1
    SHA512: 44d3e5a7f116e540af4efb328b5d820774f3e9e65dcafb0e54e37b7aff46a872752a1e8c9a42aa0dc389cb036a8f8c3b385562578a47400e3ca313231b8c529b

  • \Users\Admin\AppData\Roaming\System64\1systemsmss.exe
    MD5: 41253bfee19b9631d3c508621fc9deb6
    SHA1: 045398163ddb346eca0636bc7f9acc58f993c1e9
    SHA256: e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e
    SHA512: 851dc55ffb8263f5bfcad9537fb81c5d4168d2d96bd29f085b785405216b348d99aabee102522dec587a9c70ff1486f67f052c167e0dd39e01be85329466d9c5

  • memory/1100-59-0x0000000075A31000-0x0000000075A33000-memory.dmp
    Filesize: 8KB
  • memory/1100-60-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize: 4KB
  • memory/1536-69-0x0000000000000000-mapping.dmp
  • memory/1708-63-0x0000000000000000-mapping.dmp
  • memory/1708-66-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB