Analysis
-
max time kernel
152s -
max time network
146s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
20-11-2021 00:02
General
-
Target
56CEC810FC6F445E17A04306B653BB3296B55FE481B51.exe
-
Size
15.4MB
-
MD5
7825beab377e9a88cd97cf5d2ccbf81b
-
SHA1
fbaa432a4ce17068a6af7b79134d9004f569e162
-
SHA256
56cec810fc6f445e17a04306b653bb3296b55fe481b518c9aca4b1ef69824a3e
-
SHA512
592be3743297fdb76b05b4faaf7cff77c095ea816ea183a92e8e252ef9098aa34b232987f45b6ba37adcd78bb2e166cc57459bfd03ed1b189ca23e6c68b58bea
Score
10/10
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\56CEC810FC6F445E17A04306B653BB3296B55FE481B51.exe"C:\Users\Admin\AppData\Local\Temp\56CEC810FC6F445E17A04306B653BB3296B55FE481B51.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RMS Agent\70003\B023FD26B4\rfusclient.exe"C:\Users\Admin\AppData\Roaming\RMS Agent\70003\B023FD26B4\rfusclient.exe" -run_agent2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RMS Agent\70003\B023FD26B4\rutserv.exe"C:\Users\Admin\AppData\Roaming\RMS Agent\70003\B023FD26B4\rutserv.exe" -run_agent3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\RMS Agent\70003\B023FD26B4\rutserv.exe"C:\Users\Admin\AppData\Roaming\RMS Agent\70003\B023FD26B4\rutserv.exe" -run_agent -second4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RMS Agent\70003\B023FD26B4\rfusclient.exe"C:\Users\Admin\AppData\Roaming\RMS Agent\70003\B023FD26B4\rfusclient.exe" /tray /user5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB