Overview

overview

10

Static

static

8

BBC131FDA4...42.exe

windows7_x64

10

BBC131FDA4...42.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-09-2021 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BBC131FDA4A9D5D10D774F609A121390BB56456F35842.exe

  • Size

    16.2MB

  • MD5

    9d8fd3044460f6a4b876755ab299c634

  • SHA1

    67e66edb8ec5fdbd4662541e57800ba4a5e6b229

  • SHA256

    bbc131fda4a9d5d10d774f609a121390bb56456f358420db95d35ef9760acad9

  • SHA512

    c642098a6affcffda92bb05813482228e5304e1975a75f98ba92f66522b2109dc0d95a988dfc3a4b8621ca86702af9b74288f0996b467b235fff8e4b6a87ab8c

Score
10/10
rmsrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 45 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BBC131FDA4A9D5D10D774F609A121390BB56456F35842.exe
    "C:\Users\Admin\AppData\Local\Temp\BBC131FDA4A9D5D10D774F609A121390BB56456F35842.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rfusclient.exe
      "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rfusclient.exe" -run_agent
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:360
      • C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rutserv.exe
        "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rutserv.exe" -run_agent
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1160
        • C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rutserv.exe
          "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rutserv.exe" -run_agent -second
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rfusclient.exe
            "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rfusclient.exe" /tray /user
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:3860

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/360-119-0x00000000047D0000-0x00000000047D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/664-114-0x0000000002E70000-0x0000000002E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1160-126-0x0000000003950000-0x0000000003951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1160-128-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1160-129-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-147-0x0000000005390000-0x0000000005391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-152-0x00000000066C0000-0x00000000066C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-142-0x0000000005190000-0x0000000005191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-141-0x0000000005360000-0x0000000005361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-140-0x0000000005310000-0x0000000005311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-148-0x0000000006170000-0x0000000006171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-130-0x00000000019B0000-0x00000000019B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-150-0x0000000006420000-0x0000000006421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-149-0x00000000062D0000-0x00000000062D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-160-0x0000000006520000-0x0000000006521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-151-0x0000000006570000-0x0000000006571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-159-0x0000000006430000-0x0000000006431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-156-0x0000000006010000-0x0000000006011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-157-0x0000000006020000-0x0000000006021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3860-155-0x0000000004790000-0x0000000004791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3860-154-0x0000000004770000-0x0000000004771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3860-158-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3860-153-0x0000000002F80000-0x0000000002F81000-memory.dmp

    Filesize

    4KB

    Download