rms | 55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22

General

Target

55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
Size

9.0MB
MD5

1ce3964e4e9cc18639ad2273d54f012a
SHA1

9263790c2cae061094208e7bb8916ff1db22a5df
SHA256

55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22
SHA512

71cc1fe6c920aa5ceb47aadc7affc6faf4e358634bc7c2abbf3713fa5bb41c4cf5583e22e9ac44a6d33a5227803c9d243cec0f58f13412fc4177de86b3093835

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1516	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
1516	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
1516	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
1516	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
1516	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
520	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
520	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
520	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
520	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
Token: SeTakeOwnershipPrivilege	520	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
Token: SeTcbPrivilege	520	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
Token: SeTcbPrivilege	520	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1516	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
1516	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
1516	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
1516	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
520	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
520	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
520	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
520	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe

C:\Users\Admin\AppData\Local\Temp\55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
"C:\Users\Admin\AppData\Local\Temp\55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1516
- C:\Users\Admin\AppData\Local\Temp\55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
  C:\Users\Admin\AppData\Local\Temp\55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe -second
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-64-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/520-59-0x0000000002540000-0x0000000002B00000-memory.dmp

Filesize
5.8MB

Download
memory/520-71-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/520-57-0x0000000002540000-0x0000000002B00000-memory.dmp

Filesize
5.8MB

Download
memory/520-63-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/520-67-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/520-66-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/520-62-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/520-58-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/520-70-0x0000000005C60000-0x0000000005C61000-memory.dmp

Filesize
4KB

Download
memory/520-65-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/520-61-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/520-60-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/520-68-0x0000000005830000-0x0000000005940000-memory.dmp

Filesize
1.1MB

Download
memory/520-69-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/1516-55-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1516-54-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing