rms | 9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b

General

Target

9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
Size

2.6MB
MD5

cfda445c91edc137dbfdb6ab8b291308
SHA1

36b814c68e208eb258bbed364dc7a9bfbaccc75d
SHA256

9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b
SHA512

92e7826efaeb611147ee29ebbed8f11c330b93c684647a7c2bea8a61b273a953b938e8737196605fd57d33d369c6f5e885b3fc3f001cb580ba0a95732ac7cc50

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3512	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3512	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3512	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3512	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3512	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3512	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3576	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3576	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3576	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3576	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3512	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
Token: SeTakeOwnershipPrivilege	3576	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
Token: SeTcbPrivilege	3576	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
Token: SeTcbPrivilege	3576	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3512	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3512	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3512	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3512	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3576	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3576	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3576	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
3576	9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe

C:\Users\Admin\AppData\Local\Temp\9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
"C:\Users\Admin\AppData\Local\Temp\9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3512
- C:\Users\Admin\AppData\Local\Temp\9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe
  C:\Users\Admin\AppData\Local\Temp\9210117e9072e7a182bdb1e03fc0b1054f21f5287d1d32e1b23a41f3f6cae94b.exe -second
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3512-118-0x0000000000E40000-0x0000000000EEE000-memory.dmp

Filesize
696KB

Download
memory/3576-119-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing