rms | c2bcfa07d401c8f06f76fb06180e5d58a8f9733f96e03a1659d34e888447a544

General

Target

Device/HarddiskVolume2/Program Files/VMware/tools/lib/vmaxsvc.exe
Size

17.1MB
MD5

383d6a55625a81ead08705003a6ac105
SHA1

ade79797e95eb9487a272530e9e17f2181e81a45
SHA256

e8b73d39c58fef2b571505bdd69e371c8ff095541528c7bcbbf4120e024a19bb
SHA512

31d1d32d1fdc030a336d6f85a7111ae690f0f740f1a0a9683193faf0e13686d72ae5fb4e6963a57972ec19c9f195b4bab2453b80e25e07ab2da26f5a95bda394

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	vmaxsvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	vmaxsvc.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\2	vmaxsvc.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\0	vmaxsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vmaxsvc.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\16	vmaxsvc.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\1	vmaxsvc.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	vmaxsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	vmaxsvc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4796	vmaxsvc.exe
4796	vmaxsvc.exe
4796	vmaxsvc.exe
4796	vmaxsvc.exe
4796	vmaxsvc.exe
4796	vmaxsvc.exe
4796	vmaxsvc.exe
4796	vmaxsvc.exe
4796	vmaxsvc.exe
4796	vmaxsvc.exe
3900	vmaxsvc.exe
3900	vmaxsvc.exe
3900	vmaxsvc.exe
3900	vmaxsvc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	vmaxsvc.exe
Token: SeDebugPrivilege	4796	vmaxsvc.exe
Token: SeTakeOwnershipPrivilege	3900	vmaxsvc.exe
Token: SeTcbPrivilege	3900	vmaxsvc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4796	vmaxsvc.exe
4796	vmaxsvc.exe
4796	vmaxsvc.exe
4796	vmaxsvc.exe
3900	vmaxsvc.exe
3900	vmaxsvc.exe
3900	vmaxsvc.exe
3900	vmaxsvc.exe

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Program Files\VMware\tools\lib\vmaxsvc.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Program Files\VMware\tools\lib\vmaxsvc.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4796
- C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Program Files\VMware\tools\lib\vmaxsvc.exe
  "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Program Files\VMware\tools\lib\vmaxsvc.exe" -run_agent -second
  2⤵
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3900-117-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/3900-118-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/3900-119-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/3900-120-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4796-114-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/4796-116-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4796-115-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads