rms | 1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9

General

Target

1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe
Size

14.6MB
MD5

c178f06f0551300180ee4d0ab7e7f09d
SHA1

1bf041b094f5a8f1db87e6b003694fa9b5b7496c
SHA256

1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9
SHA512

e20a870810243af4fae7841d6692764d6e208b52814975bd4a4eab6fdbbab72e1a61220438e887a1ced0c1864469218eb9e363eb73906b35b7c8817326d2d137

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 2 IoCs

pid	Process
2780	sysdisk.exe
3408	sysdisk.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation	sysdisk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation = "C:\\ProgramData\\sysdisk.exe"	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	sysdisk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	sysdisk.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1440	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2780	sysdisk.exe
2780	sysdisk.exe
2780	sysdisk.exe
2780	sysdisk.exe
2780	sysdisk.exe
2780	sysdisk.exe
3408	sysdisk.exe
3408	sysdisk.exe
3408	sysdisk.exe
3408	sysdisk.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2220	powercfg.exe
Token: SeCreatePagefilePrivilege	2220	powercfg.exe
Token: SeShutdownPrivilege	2220	powercfg.exe
Token: SeCreatePagefilePrivilege	2220	powercfg.exe
Token: SeDebugPrivilege	2780	sysdisk.exe
Token: SeTakeOwnershipPrivilege	3408	sysdisk.exe
Token: SeTcbPrivilege	3408	sysdisk.exe
Token: SeTcbPrivilege	3408	sysdisk.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe
2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe
2780	sysdisk.exe
2780	sysdisk.exe
2780	sysdisk.exe
2780	sysdisk.exe
3408	sysdisk.exe
3408	sysdisk.exe
3408	sysdisk.exe
3408	sysdisk.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2700	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	68
PID 2424 wrote to memory of 2700	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	68
PID 2424 wrote to memory of 2700	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	68
PID 2424 wrote to memory of 2728	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	69
PID 2424 wrote to memory of 2728	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	69
PID 2424 wrote to memory of 2728	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	69
PID 2424 wrote to memory of 1440	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	74
PID 2424 wrote to memory of 1440	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	74
PID 2424 wrote to memory of 1440	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	74
PID 2424 wrote to memory of 2220	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	71
PID 2424 wrote to memory of 2220	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	71
PID 2424 wrote to memory of 2220	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	71
PID 2424 wrote to memory of 2780	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	76
PID 2424 wrote to memory of 2780	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	76
PID 2424 wrote to memory of 2780	2424	1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe	76

C:\Users\Admin\AppData\Local\Temp\1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe
"C:\Users\Admin\AppData\Local\Temp\1ae82aa9ca4bfcb909bada0f863b66101794fc903f7b74ac3ba4b5d6273431f9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set opmode mode=disable
  2⤵
  PID:2700
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  PID:2728
- C:\Windows\SysWOW64\powercfg.exe
  powercfg.exe -h off
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\SysWOW64\reg.exe
  reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1440
- C:\ProgramData\sysdisk.exe
  "C:\ProgramData\sysdisk.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2780
- - C:\ProgramData\sysdisk.exe
    C:\ProgramData\sysdisk.exe -second
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2424-118-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2780-121-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/2780-122-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/3408-128-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/3408-132-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/3408-124-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/3408-131-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/3408-130-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3408-129-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/3408-133-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/3408-127-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/3408-134-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/3408-135-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/3408-136-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/3408-137-0x0000000007090000-0x0000000007091000-memory.dmp

Filesize
4KB

Download
memory/3408-138-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/3408-139-0x0000000007470000-0x0000000007541000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads