rms | 5f6c5640c86a69d41538e7781c1dc06c577d126fb66abb8d6eed72513fabc2c9

Analysis

max time kernel
142s
max time network
151s
platform
windows7_x64
resource
win7-en-20211104
submitted
23-11-2021 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe
Size

13.7MB
MD5

f426b66b0ce498193c27bef3df1ed9cc
SHA1

ae7fc9a0345e80ec36812ff6464d9ade1020315a
SHA256

5f6c5640c86a69d41538e7781c1dc06c577d126fb66abb8d6eed72513fabc2c9
SHA512

d922ef3ad2610c0caf1f9f99d80acf931eb79161ea295dd9b46a5a88433c8309194f79a5e971550b3fde2fcb86362fc727e8c538cd616d8c1caca7c46a0b7326

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 8 IoCs

pid	Process
616	start.exe
316	rutserv.exe
540	rutserv.exe
2036	rutserv.exe
992	rutserv.exe
1656	rfusclient.exe
1708	rfusclient.exe
1868	rfusclient.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Deletes itself 1 IoCs

pid	Process
1984	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe
1000	cmd.exe
1000	cmd.exe
1000	cmd.exe
992	rutserv.exe
992	rutserv.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1700	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1800	taskkill.exe
1648	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1940	regedit.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
316	rutserv.exe
316	rutserv.exe
316	rutserv.exe
316	rutserv.exe
540	rutserv.exe
540	rutserv.exe
2036	rutserv.exe
2036	rutserv.exe
992	rutserv.exe
992	rutserv.exe
992	rutserv.exe
992	rutserv.exe
1708	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1868	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	316	rutserv.exe
Token: SeDebugPrivilege	2036	rutserv.exe
Token: SeTakeOwnershipPrivilege	992	rutserv.exe
Token: SeTcbPrivilege	992	rutserv.exe
Token: SeTcbPrivilege	992	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
316	rutserv.exe
540	rutserv.exe
2036	rutserv.exe
992	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 616	860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe	28
PID 860 wrote to memory of 616	860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe	28
PID 860 wrote to memory of 616	860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe	28
PID 860 wrote to memory of 616	860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe	28
PID 860 wrote to memory of 616	860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe	28
PID 860 wrote to memory of 616	860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe	28
PID 860 wrote to memory of 616	860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe	28
PID 616 wrote to memory of 1832	616	start.exe	29
PID 616 wrote to memory of 1832	616	start.exe	29
PID 616 wrote to memory of 1832	616	start.exe	29
PID 616 wrote to memory of 1832	616	start.exe	29
PID 616 wrote to memory of 1832	616	start.exe	29
PID 616 wrote to memory of 1832	616	start.exe	29
PID 616 wrote to memory of 1832	616	start.exe	29
PID 1832 wrote to memory of 1000	1832	WScript.exe	30
PID 1832 wrote to memory of 1000	1832	WScript.exe	30
PID 1832 wrote to memory of 1000	1832	WScript.exe	30
PID 1832 wrote to memory of 1000	1832	WScript.exe	30
PID 1832 wrote to memory of 1000	1832	WScript.exe	30
PID 1832 wrote to memory of 1000	1832	WScript.exe	30
PID 1832 wrote to memory of 1000	1832	WScript.exe	30
PID 1000 wrote to memory of 1800	1000	cmd.exe	32
PID 1000 wrote to memory of 1800	1000	cmd.exe	32
PID 1000 wrote to memory of 1800	1000	cmd.exe	32
PID 1000 wrote to memory of 1800	1000	cmd.exe	32
PID 1000 wrote to memory of 1800	1000	cmd.exe	32
PID 1000 wrote to memory of 1800	1000	cmd.exe	32
PID 1000 wrote to memory of 1800	1000	cmd.exe	32
PID 860 wrote to memory of 1984	860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe	33
PID 860 wrote to memory of 1984	860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe	33
PID 860 wrote to memory of 1984	860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe	33
PID 860 wrote to memory of 1984	860	5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe	33
PID 1000 wrote to memory of 1648	1000	cmd.exe	36
PID 1000 wrote to memory of 1648	1000	cmd.exe	36
PID 1000 wrote to memory of 1648	1000	cmd.exe	36
PID 1000 wrote to memory of 1648	1000	cmd.exe	36
PID 1000 wrote to memory of 1648	1000	cmd.exe	36
PID 1000 wrote to memory of 1648	1000	cmd.exe	36
PID 1000 wrote to memory of 1648	1000	cmd.exe	36
PID 1000 wrote to memory of 1056	1000	cmd.exe	37
PID 1000 wrote to memory of 1056	1000	cmd.exe	37
PID 1000 wrote to memory of 1056	1000	cmd.exe	37
PID 1000 wrote to memory of 1056	1000	cmd.exe	37
PID 1000 wrote to memory of 1056	1000	cmd.exe	37
PID 1000 wrote to memory of 1056	1000	cmd.exe	37
PID 1000 wrote to memory of 1056	1000	cmd.exe	37
PID 1000 wrote to memory of 1940	1000	cmd.exe	38
PID 1000 wrote to memory of 1940	1000	cmd.exe	38
PID 1000 wrote to memory of 1940	1000	cmd.exe	38
PID 1000 wrote to memory of 1940	1000	cmd.exe	38
PID 1000 wrote to memory of 1940	1000	cmd.exe	38
PID 1000 wrote to memory of 1940	1000	cmd.exe	38
PID 1000 wrote to memory of 1940	1000	cmd.exe	38
PID 1000 wrote to memory of 1700	1000	cmd.exe	39
PID 1000 wrote to memory of 1700	1000	cmd.exe	39
PID 1000 wrote to memory of 1700	1000	cmd.exe	39
PID 1000 wrote to memory of 1700	1000	cmd.exe	39
PID 1000 wrote to memory of 1700	1000	cmd.exe	39
PID 1000 wrote to memory of 1700	1000	cmd.exe	39
PID 1000 wrote to memory of 1700	1000	cmd.exe	39
PID 1000 wrote to memory of 316	1000	cmd.exe	40
PID 1000 wrote to memory of 316	1000	cmd.exe	40
PID 1000 wrote to memory of 316	1000	cmd.exe	40
PID 1000 wrote to memory of 316	1000	cmd.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1136	attrib.exe
1508	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe
"C:\Users\Admin\AppData\Local\Temp\5F6C5640C86A69D41538E7781C1DC06C577D126FB66AB.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860
- C:\WIN\System\start.exe
  C:\WIN\System\start.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\WIN\System\start.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\WIN\System\start.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1000
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        5⤵
        
        PID:1056
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "regedit.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:1940
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:1700
    - - C:\WIN\System\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:316
    - - C:\WIN\System\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:540
    - - C:\WIN\System\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2036
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +a +s +h "C:\WIN\System" /S /D
        5⤵
        Views/modifies file attributes
        
        PID:1136
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +a +s +h "C:\WIN" /S /D
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del.cmd
  2⤵
  - Deletes itself
  PID:1984

C:\WIN\System\rutserv.exe
C:\WIN\System\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:992
- C:\WIN\System\rfusclient.exe
  C:\WIN\System\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- - C:\WIN\System\rfusclient.exe
    C:\WIN\System\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1868
- C:\WIN\System\rfusclient.exe
  C:\WIN\System\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-85-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/540-96-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/616-59-0x0000000076351000-0x0000000076353000-memory.dmp

Filesize
8KB

Download
memory/860-55-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/992-98-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1656-115-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1708-114-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2036-97-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download