rms | 55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22

General

Target

55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
Size

9.0MB
MD5

1ce3964e4e9cc18639ad2273d54f012a
SHA1

9263790c2cae061094208e7bb8916ff1db22a5df
SHA256

55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22
SHA512

71cc1fe6c920aa5ceb47aadc7affc6faf4e358634bc7c2abbf3713fa5bb41c4cf5583e22e9ac44a6d33a5227803c9d243cec0f58f13412fc4177de86b3093835

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2704	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
2704	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
2704	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
2704	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
2704	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
2704	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
3940	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
3940	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
3940	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
3940	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
Token: SeTakeOwnershipPrivilege	3940	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
Token: SeTcbPrivilege	3940	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
Token: SeTcbPrivilege	3940	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2704	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
2704	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
2704	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
2704	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
3940	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
3940	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
3940	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
3940	55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe

C:\Users\Admin\AppData\Local\Temp\55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
"C:\Users\Admin\AppData\Local\Temp\55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2704
- C:\Users\Admin\AppData\Local\Temp\55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe
  C:\Users\Admin\AppData\Local\Temp\55cea01be9db31d461bd2af148b97b60fda984fce92d0b5580eb0a8400eeda22.exe -second
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2704-118-0x00000000013A0000-0x00000000015AE000-memory.dmp

Filesize
2.1MB

Download
memory/2704-119-0x0000000002E5E000-0x0000000003120000-memory.dmp

Filesize
2.8MB

Download
memory/3940-120-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/3940-122-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/3940-121-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/3940-124-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/3940-123-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/3940-125-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3940-126-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3940-127-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/3940-128-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/3940-129-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/3940-130-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/3940-131-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/3940-132-0x0000000007090000-0x0000000007091000-memory.dmp

Filesize
4KB

Download
memory/3940-134-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/3940-133-0x0000000007460000-0x0000000007531000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing