Overview

overview

10

Static

static

tmp/f82a89...MS.exe

windows7_x64

10

tmp/f82a89...MS.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-12-2021 11:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp/f82a8911-166d-479a-ade5-cfedc321e48d_RMS.exe

  • Size

    8.3MB

  • MD5

    cb2ffac2a251378cda3f91cd613f453d

  • SHA1

    3a028761638f5aa93b0719c5650c83a138e8abc9

  • SHA256

    10165e27e0db0a6708f346ddea657ab0409499f93eb8426a80864a966f0f401e

  • SHA512

    1d203540fde5074f0d57e1ecbd9af2ee862b940f8fb58c3e55ad9db5ba029aff82a4468eee24c760b5e55cc96e61244af0fd6f3c46db857824e13e45ec1e802f

Score
10/10
rmsdiscoveryrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 53 IoCs
  • Drops file in Windows directory 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp\f82a8911-166d-479a-ade5-cfedc321e48d_RMS.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp\f82a8911-166d-479a-ade5-cfedc321e48d_RMS.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod_mod.msi" /qn
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:604
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat
        3⤵
          PID:2004
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding E9BA592E86FCAD5E7157630E4C96A74D
        2⤵
        • Loads dropped DLL
        PID:296
      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:972
      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1524
      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1128
    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
        "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
        2⤵
        • Executes dropped EXE
        PID:1176
      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
        "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
          "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: SetClipboardViewer
          PID:972

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/972-73-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/972-110-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1100-95-0x00000000001C0000-0x00000000001C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1128-94-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1176-105-0x00000000003D0000-0x00000000003D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1524-80-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1604-106-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1640-64-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1796-54-0x0000000075831000-0x0000000075833000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1888-61-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

      Download