rms | c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea

Analysis

max time kernel
154s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-01-2022 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe
Size

4.2MB
MD5

eaf87c7f8adf7bdcd2878ccb350676f9
SHA1

beef0ee9397b01855c6daa2bff8002db4899b121
SHA256

c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea
SHA512

b81481f05f0817085cf7f91b9a269e7723d653e50d34925dd422cf60e250212a76af6dfb95eb812ffc735d6e264cdf6fe953e41727a08c5f94b0b8ee9a68a650

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 9 IoCs

pid	Process
780	winchk32.exe
768	winchk32.exe
1128	winchk32.exe
1476	winchk32.exe
840	winchk64.exe
1360	Explorer.EXE
1700	rutserv.exe
1908	rutserv.exe
1596	rfusclient.exe

Loads dropped DLL 9 IoCs

pid	Process
964	c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe
964	c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe
964	c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe
780	winchk32.exe
1944	cmd.exe
1128	winchk32.exe
992	cmd.exe
1840	cmd.exe
1908	rutserv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 780 set thread context of 768	780	winchk32.exe	28
PID 1128 set thread context of 1476	1128	winchk32.exe	35

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
768	winchk32.exe
768	winchk32.exe
768	winchk32.exe
768	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
840	winchk64.exe
1476	winchk32.exe
1360	Explorer.EXE
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
1476	winchk32.exe
840	winchk64.exe
840	winchk64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1680	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	winchk32.exe
Token: SeDebugPrivilege	1476	winchk32.exe
Token: SeDebugPrivilege	840	winchk64.exe
Token: SeDebugPrivilege	1700	rutserv.exe
Token: SeTakeOwnershipPrivilege	1908	rutserv.exe
Token: SeTcbPrivilege	1908	rutserv.exe
Token: SeTcbPrivilege	1908	rutserv.exe
Token: SeShutdownPrivilege	1360	Explorer.EXE
Token: SeShutdownPrivilege	1360	Explorer.EXE
Token: SeShutdownPrivilege	1360	Explorer.EXE
Token: SeShutdownPrivilege	1360	Explorer.EXE
Token: SeShutdownPrivilege	1360	Explorer.EXE
Token: SeShutdownPrivilege	1360	Explorer.EXE
Token: SeShutdownPrivilege	1360	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1700	rutserv.exe
1908	rutserv.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 780	964	c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe	27
PID 964 wrote to memory of 780	964	c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe	27
PID 964 wrote to memory of 780	964	c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe	27
PID 964 wrote to memory of 780	964	c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe	27
PID 964 wrote to memory of 780	964	c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe	27
PID 964 wrote to memory of 780	964	c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe	27
PID 964 wrote to memory of 780	964	c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe	27
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 780 wrote to memory of 768	780	winchk32.exe	28
PID 768 wrote to memory of 1828	768	winchk32.exe	29
PID 768 wrote to memory of 1828	768	winchk32.exe	29
PID 768 wrote to memory of 1828	768	winchk32.exe	29
PID 768 wrote to memory of 1828	768	winchk32.exe	29
PID 768 wrote to memory of 1828	768	winchk32.exe	29
PID 768 wrote to memory of 1828	768	winchk32.exe	29
PID 768 wrote to memory of 1828	768	winchk32.exe	29
PID 1828 wrote to memory of 1560	1828	cmd.exe	31
PID 1828 wrote to memory of 1560	1828	cmd.exe	31
PID 1828 wrote to memory of 1560	1828	cmd.exe	31
PID 1828 wrote to memory of 1560	1828	cmd.exe	31
PID 1828 wrote to memory of 1560	1828	cmd.exe	31
PID 1828 wrote to memory of 1560	1828	cmd.exe	31
PID 1828 wrote to memory of 1560	1828	cmd.exe	31
PID 768 wrote to memory of 1944	768	winchk32.exe	32
PID 768 wrote to memory of 1944	768	winchk32.exe	32
PID 768 wrote to memory of 1944	768	winchk32.exe	32
PID 768 wrote to memory of 1944	768	winchk32.exe	32
PID 768 wrote to memory of 1944	768	winchk32.exe	32
PID 768 wrote to memory of 1944	768	winchk32.exe	32
PID 768 wrote to memory of 1944	768	winchk32.exe	32
PID 1944 wrote to memory of 1128	1944	cmd.exe	34
PID 1944 wrote to memory of 1128	1944	cmd.exe	34
PID 1944 wrote to memory of 1128	1944	cmd.exe	34
PID 1944 wrote to memory of 1128	1944	cmd.exe	34
PID 1944 wrote to memory of 1128	1944	cmd.exe	34
PID 1944 wrote to memory of 1128	1944	cmd.exe	34
PID 1944 wrote to memory of 1128	1944	cmd.exe	34
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1128 wrote to memory of 1476	1128	winchk32.exe	35
PID 1476 wrote to memory of 992	1476	winchk32.exe	37
PID 1476 wrote to memory of 992	1476	winchk32.exe	37
PID 1476 wrote to memory of 992	1476	winchk32.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1360
- C:\Users\Admin\AppData\Local\Temp\c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe
  "C:\Users\Admin\AppData\Local\Temp\c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
        6⤵
        Enumerates system info in registry
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
        8⤵
        Loads dropped DLL
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
        11⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
        8⤵
        Loads dropped DLL
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/768-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/768-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/768-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/768-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/768-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/768-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/768-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/768-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/768-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/780-64-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/964-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1360-104-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1596-125-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1700-117-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1908-120-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download