rms | 513fc6732361895ddf4477f737f3bcc12c514257415021eecf1117453fcacd5b

Analysis

max time kernel
147s
max time network
158s
platform
windows10_x64
resource
win10v20210408
submitted
15-05-2021 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

513fc6732361895ddf4477f737f3bcc12c514257415021eecf1117453fcacd5b.exe
Size

4.1MB
MD5

2a13baea0cf11e3e7eb303649d46d6be
SHA1

0c0c8002304e1fd5a08adf1d51958eab9c9ff0f6
SHA256

513fc6732361895ddf4477f737f3bcc12c514257415021eecf1117453fcacd5b
SHA512

50cbe15785eb43524873f161be7fdb35abb7a394c18074adf240ac305dd99e6e404f20a9fc3b229e7dbe5f1e83e0b2929fec1caa5b57548a6ffdc35d8a60e73a

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 7 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid process

3460 rutserv.exe
2636 rutserv.exe
3996 rutserv.exe
2540 rutserv.exe
1956 rfusclient.exe
3740 rfusclient.exe
500 rfusclient.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Drops file in System32 directory 3 IoCs

Processes:

rutserv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

3424 timeout.exe
3972 timeout.exe
212 timeout.exe

pid	process
3424	timeout.exe
3972	timeout.exe
212	timeout.exe

Modifies registry class 1 IoCs

Processes:

513fc6732361895ddf4477f737f3bcc12c514257415021eecf1117453fcacd5b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	513fc6732361895ddf4477f737f3bcc12c514257415021eecf1117453fcacd5b.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

2316 regedit.exe

pid	process
2316	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
3460	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
2636	rutserv.exe
2636	rutserv.exe
3996	rutserv.exe
3996	rutserv.exe
2540	rutserv.exe
2540	rutserv.exe
2540	rutserv.exe
2540	rutserv.exe
2540	rutserv.exe
2540	rutserv.exe
3740	rfusclient.exe
3740	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

500 rfusclient.exe

pid	process
500	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rutserv.exerutserv.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	3460	rutserv.exe
Token: SeDebugPrivilege	3996	rutserv.exe
Token: SeTakeOwnershipPrivilege	2540	rutserv.exe
Token: SeTcbPrivilege	2540	rutserv.exe
Token: SeTcbPrivilege	2540	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exe

pid process

3460 rutserv.exe
2636 rutserv.exe
3996 rutserv.exe
2540 rutserv.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

513fc6732361895ddf4477f737f3bcc12c514257415021eecf1117453fcacd5b.exeWScript.execmd.exerutserv.exerfusclient.exe

description	pid	process	target process
PID 900 wrote to memory of 3184	900	513fc6732361895ddf4477f737f3bcc12c514257415021eecf1117453fcacd5b.exe	WScript.exe
PID 900 wrote to memory of 3184	900	513fc6732361895ddf4477f737f3bcc12c514257415021eecf1117453fcacd5b.exe	WScript.exe
PID 900 wrote to memory of 3184	900	513fc6732361895ddf4477f737f3bcc12c514257415021eecf1117453fcacd5b.exe	WScript.exe
PID 3184 wrote to memory of 3672	3184	WScript.exe	cmd.exe
PID 3184 wrote to memory of 3672	3184	WScript.exe	cmd.exe
PID 3184 wrote to memory of 3672	3184	WScript.exe	cmd.exe
PID 3672 wrote to memory of 632	3672	cmd.exe	reg.exe
PID 3672 wrote to memory of 632	3672	cmd.exe	reg.exe
PID 3672 wrote to memory of 632	3672	cmd.exe	reg.exe
PID 3672 wrote to memory of 416	3672	cmd.exe	reg.exe
PID 3672 wrote to memory of 416	3672	cmd.exe	reg.exe
PID 3672 wrote to memory of 416	3672	cmd.exe	reg.exe
PID 3672 wrote to memory of 196	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 196	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 196	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 3796	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 3796	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 3796	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 2316	3672	cmd.exe	regedit.exe
PID 3672 wrote to memory of 2316	3672	cmd.exe	regedit.exe
PID 3672 wrote to memory of 2316	3672	cmd.exe	regedit.exe
PID 3672 wrote to memory of 3424	3672	cmd.exe	timeout.exe
PID 3672 wrote to memory of 3424	3672	cmd.exe	timeout.exe
PID 3672 wrote to memory of 3424	3672	cmd.exe	timeout.exe
PID 3672 wrote to memory of 3972	3672	cmd.exe	timeout.exe
PID 3672 wrote to memory of 3972	3672	cmd.exe	timeout.exe
PID 3672 wrote to memory of 3972	3672	cmd.exe	timeout.exe
PID 3672 wrote to memory of 1332	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 1332	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 1332	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 2104	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 2104	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 2104	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 1648	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 1648	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 1648	3672	cmd.exe	attrib.exe
PID 3672 wrote to memory of 3460	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 3460	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 3460	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 2636	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 2636	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 2636	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 3996	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 3996	3672	cmd.exe	rutserv.exe
PID 3672 wrote to memory of 3996	3672	cmd.exe	rutserv.exe
PID 2540 wrote to memory of 1956	2540	rutserv.exe	rfusclient.exe
PID 2540 wrote to memory of 1956	2540	rutserv.exe	rfusclient.exe
PID 2540 wrote to memory of 1956	2540	rutserv.exe	rfusclient.exe
PID 2540 wrote to memory of 3740	2540	rutserv.exe	rfusclient.exe
PID 2540 wrote to memory of 3740	2540	rutserv.exe	rfusclient.exe
PID 2540 wrote to memory of 3740	2540	rutserv.exe	rfusclient.exe
PID 3672 wrote to memory of 212	3672	cmd.exe	timeout.exe
PID 3672 wrote to memory of 212	3672	cmd.exe	timeout.exe
PID 3672 wrote to memory of 212	3672	cmd.exe	timeout.exe
PID 3740 wrote to memory of 500	3740	rfusclient.exe	rfusclient.exe
PID 3740 wrote to memory of 500	3740	rfusclient.exe	rfusclient.exe
PID 3740 wrote to memory of 500	3740	rfusclient.exe	rfusclient.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

3796 attrib.exe
1332 attrib.exe
2104 attrib.exe
1648 attrib.exe
196 attrib.exe

pid	process
3796	attrib.exe
1332	attrib.exe
2104	attrib.exe
1648	attrib.exe
196	attrib.exe

C:\Users\Admin\AppData\Local\Temp\513fc6732361895ddf4477f737f3bcc12c514257415021eecf1117453fcacd5b.exe
"C:\Users\Admin\AppData\Local\Temp\513fc6732361895ddf4477f737f3bcc12c514257415021eecf1117453fcacd5b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Log\Windows\hiscomponent\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
4⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f
4⤵
PID:416

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "D:\Remote Manipulator System"
4⤵
- Views/modifies file attributes
PID:196

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Log"
4⤵
- Views/modifies file attributes
PID:3796

C:\Windows\SysWOW64\regedit.exe
regedit /s "Windows\hiscomponent\regedit.reg"
4⤵
- Runs .reg file with regedit
PID:2316

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:3424

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:3972

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "D:\Remote Manipulator System\*.*"
4⤵
- Views/modifies file attributes
PID:1332

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "D:\Remote Manipulator System\rfusclient.exe"
4⤵
- Views/modifies file attributes
PID:2104

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "D:\Remote Manipulator System\rutserv.exe"
4⤵
- Views/modifies file attributes
PID:1648

C:\Log\rutserv.exe
rutserv.exe /silentinstall
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Log\rutserv.exe
rutserv.exe /firewall
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Log\rutserv.exe
rutserv.exe /start
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:212

C:\Log\rutserv.exe
C:\Log\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540

C:\Log\rfusclient.exe
C:\Log\rfusclient.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3740

C:\Log\rfusclient.exe
C:\Log\rfusclient.exe /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:500

C:\Log\rfusclient.exe
C:\Log\rfusclient.exe /tray
2⤵
- Executes dropped EXE
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Log\Windows\hiscomponent\install.bat
MD5
2ae74c01b89deada073a8bfa04412608

SHA1
a0f2c77961bcc44754a0ce20ba7126d5a36cc412

SHA256
7a13e8b3271addf2e0a4cd0f284f0eabb21572d3bc9dac914ca35acce52ab8f4

SHA512
6e7e288cd58b630a6b5aabade0980d08c7a95c4aa316a825fbd7fb3d26e375ca56b586b69a5f57aebe50b31512b6ed815cabf9a1ae6b9597c78dc6d9b86cc24d

Download Submit
C:\Log\Windows\hiscomponent\regedit.reg
MD5
6c3b1d116c4d37e1d40ece244436669c

SHA1
38e3641d727a49217b45eb75eff586e8ced62d55

SHA256
0f38e2c56e54e3996cf1d461b924fcfbf8df8708cae2ba61983b9ace70b2971c

SHA512
079ba24964c535fe1552b795758489336494d50f2dd52eac76456d550f62ab9f1489529043c57249d6f7101e201994cd41e4b45556941f32f54c29701821358b

Download Submit
C:\Log\install.vbs
MD5
bc5fa1fff095d50d252cb327ccd6661b

SHA1
8263ea4ab762f188df0f2902297cc46baf816c5c

SHA256
e8bd8b6ff5f0653e82c7239bfdb2894fbd509b45e581c2458bd84c2fd3d84886

SHA512
1eb5a0bc2b3c3ffa6f0967803239313110cd1c3293ecbb6a1f1c2d9d717a2f5aaf042dd28af8520ef63639f291e083c511527515489a45732e6191ad521f544d

Download Submit
C:\Log\rfusclient.exe
MD5
caea06010be1fd215c89276a78064c79

SHA1
8f89c8d6b90b75385dacb83821f750bbc1325274

SHA256
e53966fbb8d23f56a6c9d215ac51e9a58578f7c17e4122b3b892f587d30bd479

SHA512
24a8453d5bb46dd4c3dba3e8419b0aae62f20491da26b06a6de17ab286578bd4832e309455de230814756446ae845ccf97acc27bd7db02142cdf6da48f877af6

Download Submit
C:\Log\rfusclient.exe
MD5
caea06010be1fd215c89276a78064c79

SHA1
8f89c8d6b90b75385dacb83821f750bbc1325274

SHA256
e53966fbb8d23f56a6c9d215ac51e9a58578f7c17e4122b3b892f587d30bd479

SHA512
24a8453d5bb46dd4c3dba3e8419b0aae62f20491da26b06a6de17ab286578bd4832e309455de230814756446ae845ccf97acc27bd7db02142cdf6da48f877af6

Download Submit
C:\Log\rfusclient.exe
MD5
caea06010be1fd215c89276a78064c79

SHA1
8f89c8d6b90b75385dacb83821f750bbc1325274

SHA256
e53966fbb8d23f56a6c9d215ac51e9a58578f7c17e4122b3b892f587d30bd479

SHA512
24a8453d5bb46dd4c3dba3e8419b0aae62f20491da26b06a6de17ab286578bd4832e309455de230814756446ae845ccf97acc27bd7db02142cdf6da48f877af6

Download Submit
C:\Log\rfusclient.exe
MD5
caea06010be1fd215c89276a78064c79

SHA1
8f89c8d6b90b75385dacb83821f750bbc1325274

SHA256
e53966fbb8d23f56a6c9d215ac51e9a58578f7c17e4122b3b892f587d30bd479

SHA512
24a8453d5bb46dd4c3dba3e8419b0aae62f20491da26b06a6de17ab286578bd4832e309455de230814756446ae845ccf97acc27bd7db02142cdf6da48f877af6

Download Submit
C:\Log\rutserv.exe
MD5
0a6ff2d35e08f6ab51de1e08ac1c00e9

SHA1
7cc1b01aa1bfaa43265b6b8142fb0d7f5b31aa76

SHA256
e5ec03622ffabb1a05c38b8b5bb79d03ebd7aab448582ab2f5a4b27725d7aa90

SHA512
9ac53f4ac7722e8a15112460d97dc3cea3189660ed51a25fb6b4694bec5433c58dc9cdfffaffa78bf93fd1a53625fc38745bfb4f89c9bc999d16a063c9cfb887

Download Submit
C:\Log\rutserv.exe
MD5
0a6ff2d35e08f6ab51de1e08ac1c00e9

SHA1
7cc1b01aa1bfaa43265b6b8142fb0d7f5b31aa76

SHA256
e5ec03622ffabb1a05c38b8b5bb79d03ebd7aab448582ab2f5a4b27725d7aa90

SHA512
9ac53f4ac7722e8a15112460d97dc3cea3189660ed51a25fb6b4694bec5433c58dc9cdfffaffa78bf93fd1a53625fc38745bfb4f89c9bc999d16a063c9cfb887

Download Submit
C:\Log\rutserv.exe
MD5
0a6ff2d35e08f6ab51de1e08ac1c00e9

SHA1
7cc1b01aa1bfaa43265b6b8142fb0d7f5b31aa76

SHA256
e5ec03622ffabb1a05c38b8b5bb79d03ebd7aab448582ab2f5a4b27725d7aa90

SHA512
9ac53f4ac7722e8a15112460d97dc3cea3189660ed51a25fb6b4694bec5433c58dc9cdfffaffa78bf93fd1a53625fc38745bfb4f89c9bc999d16a063c9cfb887

Download Submit
C:\Log\rutserv.exe
MD5
0a6ff2d35e08f6ab51de1e08ac1c00e9

SHA1
7cc1b01aa1bfaa43265b6b8142fb0d7f5b31aa76

SHA256
e5ec03622ffabb1a05c38b8b5bb79d03ebd7aab448582ab2f5a4b27725d7aa90

SHA512
9ac53f4ac7722e8a15112460d97dc3cea3189660ed51a25fb6b4694bec5433c58dc9cdfffaffa78bf93fd1a53625fc38745bfb4f89c9bc999d16a063c9cfb887

Download Submit
C:\Log\rutserv.exe
MD5
0a6ff2d35e08f6ab51de1e08ac1c00e9

SHA1
7cc1b01aa1bfaa43265b6b8142fb0d7f5b31aa76

SHA256
e5ec03622ffabb1a05c38b8b5bb79d03ebd7aab448582ab2f5a4b27725d7aa90

SHA512
9ac53f4ac7722e8a15112460d97dc3cea3189660ed51a25fb6b4694bec5433c58dc9cdfffaffa78bf93fd1a53625fc38745bfb4f89c9bc999d16a063c9cfb887

Download Submit
C:\Log\vp8decoder.dll
MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Log\vp8encoder.dll
MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
memory/196-120-0x0000000000000000-mapping.dmp

Download
memory/212-148-0x0000000000000000-mapping.dmp

Download
memory/416-119-0x0000000000000000-mapping.dmp

Download
memory/500-151-0x0000000000000000-mapping.dmp

Download
memory/500-153-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/632-118-0x0000000000000000-mapping.dmp

Download
memory/1332-130-0x0000000000000000-mapping.dmp

Download
memory/1648-132-0x0000000000000000-mapping.dmp

Download
memory/1956-144-0x0000000000000000-mapping.dmp

Download
memory/1956-149-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2104-131-0x0000000000000000-mapping.dmp

Download
memory/2316-122-0x0000000000000000-mapping.dmp

Download
memory/2540-143-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/2636-140-0x0000000000BE0000-0x0000000000D2A000-memory.dmp

Filesize
1.3MB

Download
memory/2636-135-0x0000000000000000-mapping.dmp

Download
memory/3184-114-0x0000000000000000-mapping.dmp

Download
memory/3424-124-0x0000000000000000-mapping.dmp

Download
memory/3460-138-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/3460-133-0x0000000000000000-mapping.dmp

Download
memory/3672-117-0x0000000000000000-mapping.dmp

Download
memory/3740-145-0x0000000000000000-mapping.dmp

Download
memory/3740-150-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/3796-121-0x0000000000000000-mapping.dmp

Download
memory/3972-125-0x0000000000000000-mapping.dmp

Download
memory/3996-142-0x0000000000AB0000-0x0000000000B5E000-memory.dmp

Filesize
696KB

Download
memory/3996-137-0x0000000000000000-mapping.dmp

Download