rms | 99de2f7653107a227a79993aeb03b1bb443b66376c49ec590cf3a91d6cf184c8

General

Target

rutserv.exe
Size

6.2MB
MD5

90e027b39d2786d5b465a9dc53bf040e
SHA1

5a9d6b1fcdaf4b2818a6eeca4f1c16a5c24dd9cf
SHA256

99de2f7653107a227a79993aeb03b1bb443b66376c49ec590cf3a91d6cf184c8
SHA512

097264ae7a20e90aaacda0546082c466aa90922c9242044cdb08d81953022164cda439c7fa9cbd989f73beafbd4d58b54fc1db6afa66f8ad4d446d06c17fc779

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 728 created 3956	728	svchost.exe	57

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rutserv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rutserv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rutserv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rutserv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rutserv.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3956	rutserv.exe
3956	rutserv.exe
3956	rutserv.exe
3956	rutserv.exe
1176	rutserv.exe
1176	rutserv.exe
3848	rutserv.exe
3848	rutserv.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3956	rutserv.exe
Token: SeTcbPrivilege	728	svchost.exe
Token: SeTcbPrivilege	728	svchost.exe
Token: SeTakeOwnershipPrivilege	1176	rutserv.exe
Token: SeTcbPrivilege	1176	rutserv.exe
Token: SeTcbPrivilege	1176	rutserv.exe
Token: SeTakeOwnershipPrivilege	3848	rutserv.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3956	rutserv.exe
1176	rutserv.exe
3848	rutserv.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 1176	728	svchost.exe	75
PID 728 wrote to memory of 1176	728	svchost.exe	75
PID 728 wrote to memory of 1176	728	svchost.exe	75
PID 1176 wrote to memory of 3848	1176	rutserv.exe	81
PID 1176 wrote to memory of 3848	1176	rutserv.exe	81
PID 1176 wrote to memory of 3848	1176	rutserv.exe	81

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3956
- C:\Users\Admin\AppData\Local\Temp\rutserv.exe
  C:\Users\Admin\AppData\Local\Temp\rutserv.exe -second
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\rutserv.exe
    "C:\Users\Admin\AppData\Local\Temp\rutserv.exe" /config /user
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3848

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-116-0x0000000000AE0000-0x0000000000B8E000-memory.dmp

Filesize
696KB

Download
memory/3848-118-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3956-114-0x0000000000B70000-0x0000000000CBA000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing