rms | b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111

General

Target

b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe
Size

3.0MB
MD5

e722b64756034173c98ace2352df1904
SHA1

8d01e508901935f31931fc9503de053f2a967d5c
SHA256

b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111
SHA512

219ba9831b59b206561cd039317e2ac6286dcee7d37fe98865fa40d7234ac664d1a51841dbea63d612ac925a7868e646d27c45efa080754de2638f92a005ef89

Score

10^/10

rms persistence rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Blocklisted process makes network request 2 IoCs

flow	pid	Process
19	1336	WScript.exe
21	1336	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1404	rutserv.exe
1880	rutserv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001ab1f-201.dat	upx
behavioral2/files/0x000700000001ab1f-202.dat	upx
behavioral2/files/0x000700000001ab1f-203.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation	rutserv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\rutserv.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rutserv.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1800	PING.EXE
2148	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1404	rutserv.exe
1404	rutserv.exe
1404	rutserv.exe
1404	rutserv.exe
1404	rutserv.exe
1404	rutserv.exe
1880	rutserv.exe
1880	rutserv.exe
1880	rutserv.exe
1880	rutserv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	rutserv.exe
Token: SeTakeOwnershipPrivilege	1880	rutserv.exe
Token: SeTcbPrivilege	1880	rutserv.exe
Token: SeTcbPrivilege	1880	rutserv.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1404	rutserv.exe
1404	rutserv.exe
1404	rutserv.exe
1404	rutserv.exe
1880	rutserv.exe
1880	rutserv.exe
1880	rutserv.exe
1880	rutserv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1336	2700	b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe	69
PID 2700 wrote to memory of 1336	2700	b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe	69
PID 2700 wrote to memory of 1336	2700	b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe	69
PID 1336 wrote to memory of 896	1336	WScript.exe	70
PID 1336 wrote to memory of 896	1336	WScript.exe	70
PID 1336 wrote to memory of 896	1336	WScript.exe	70
PID 896 wrote to memory of 1800	896	cmd.exe	72
PID 896 wrote to memory of 1800	896	cmd.exe	72
PID 896 wrote to memory of 1800	896	cmd.exe	72
PID 896 wrote to memory of 2060	896	cmd.exe	73
PID 896 wrote to memory of 2060	896	cmd.exe	73
PID 896 wrote to memory of 2060	896	cmd.exe	73
PID 896 wrote to memory of 1404	896	cmd.exe	74
PID 896 wrote to memory of 1404	896	cmd.exe	74
PID 896 wrote to memory of 1404	896	cmd.exe	74
PID 896 wrote to memory of 2148	896	cmd.exe	75
PID 896 wrote to memory of 2148	896	cmd.exe	75
PID 896 wrote to memory of 2148	896	cmd.exe	75

C:\Users\Admin\AppData\Local\Temp\b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe
"C:\Users\Admin\AppData\Local\Temp\b841d57bbf97cca0445878b8c938c3f6978dc52a42418c3e1db73a77c3cc3111.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\wet.vbs"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd" /silent"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 9 localhost
      4⤵
      Runs ping.exe
      PID:1800
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"
      4⤵
      Adds Run key to start application
      PID:2060
  - - C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1404
    - - C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1880
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-210-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/1880-211-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/1880-204-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1880-213-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/1880-212-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1880-214-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/1880-217-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/1880-216-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1880-218-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1880-219-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1880-220-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/1880-221-0x0000000007220000-0x00000000072F1000-memory.dmp

Filesize
836KB

Download
memory/1880-222-0x0000000007300000-0x00000000073D1000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing