Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
27-09-2021 00:03
General
-
Target
BBC131FDA4A9D5D10D774F609A121390BB56456F35842.exe
-
Size
16.2MB
-
MD5
9d8fd3044460f6a4b876755ab299c634
-
SHA1
67e66edb8ec5fdbd4662541e57800ba4a5e6b229
-
SHA256
bbc131fda4a9d5d10d774f609a121390bb56456f358420db95d35ef9760acad9
-
SHA512
c642098a6affcffda92bb05813482228e5304e1975a75f98ba92f66522b2109dc0d95a988dfc3a4b8621ca86702af9b74288f0996b467b235fff8e4b6a87ab8c
Score
10/10
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BBC131FDA4A9D5D10D774F609A121390BB56456F35842.exe"C:\Users\Admin\AppData\Local\Temp\BBC131FDA4A9D5D10D774F609A121390BB56456F35842.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rfusclient.exe"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rfusclient.exe" -run_agent2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rutserv.exe"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rutserv.exe" -run_agent3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rutserv.exe"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rutserv.exe" -run_agent -second4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rfusclient.exe"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2BF24577ED\rfusclient.exe" /tray /user5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB