rms | 9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36

Analysis

max time kernel
155s
max time network
172s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-01-2022 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe
Size

9.3MB
MD5

9d5501a42d0e63e0689909ff81326f38
SHA1

9d0ea6c305ea69146be1d5174235a665eb787a79
SHA256

9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36
SHA512

b8c4e113285df71331ee89b11051fd686444bd2ee319664b07edfa928a7de0ed4750ef5e8ec7fdfaeb47723882d95b11ce9183da959a554783f9a6af50e22670

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 4 IoCs

pid	Process
1632	snpt.exe
2004	snpt.exe
884	snpt.exe
1748	snpt.exe

Loads dropped DLL 3 IoCs

pid	Process
524	cmd.exe
524	cmd.exe
524	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1888	timeout.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
852	taskkill.exe
2012	taskkill.exe
548	taskkill.exe
1788	taskkill.exe
1160	taskkill.exe
1836	taskkill.exe
832	taskkill.exe
1532	taskkill.exe
912	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1760	regedit.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1632	snpt.exe
1632	snpt.exe
1632	snpt.exe
1632	snpt.exe
2004	snpt.exe
2004	snpt.exe
884	snpt.exe
884	snpt.exe
1748	snpt.exe
1748	snpt.exe
1748	snpt.exe
1748	snpt.exe
1748	snpt.exe
1748	snpt.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1632	snpt.exe
Token: SeDebugPrivilege	884	snpt.exe
Token: SeTakeOwnershipPrivilege	1748	snpt.exe
Token: SeTcbPrivilege	1748	snpt.exe
Token: SeTcbPrivilege	1748	snpt.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1632	snpt.exe
2004	snpt.exe
884	snpt.exe
1748	snpt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 524	1576	9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe	27
PID 1576 wrote to memory of 524	1576	9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe	27
PID 1576 wrote to memory of 524	1576	9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe	27
PID 1576 wrote to memory of 524	1576	9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe	27
PID 524 wrote to memory of 548	524	cmd.exe	29
PID 524 wrote to memory of 548	524	cmd.exe	29
PID 524 wrote to memory of 548	524	cmd.exe	29
PID 524 wrote to memory of 548	524	cmd.exe	29
PID 524 wrote to memory of 1788	524	cmd.exe	31
PID 524 wrote to memory of 1788	524	cmd.exe	31
PID 524 wrote to memory of 1788	524	cmd.exe	31
PID 524 wrote to memory of 1788	524	cmd.exe	31
PID 524 wrote to memory of 1160	524	cmd.exe	32
PID 524 wrote to memory of 1160	524	cmd.exe	32
PID 524 wrote to memory of 1160	524	cmd.exe	32
PID 524 wrote to memory of 1160	524	cmd.exe	32
PID 524 wrote to memory of 1836	524	cmd.exe	33
PID 524 wrote to memory of 1836	524	cmd.exe	33
PID 524 wrote to memory of 1836	524	cmd.exe	33
PID 524 wrote to memory of 1836	524	cmd.exe	33
PID 524 wrote to memory of 832	524	cmd.exe	34
PID 524 wrote to memory of 832	524	cmd.exe	34
PID 524 wrote to memory of 832	524	cmd.exe	34
PID 524 wrote to memory of 832	524	cmd.exe	34
PID 524 wrote to memory of 1532	524	cmd.exe	35
PID 524 wrote to memory of 1532	524	cmd.exe	35
PID 524 wrote to memory of 1532	524	cmd.exe	35
PID 524 wrote to memory of 1532	524	cmd.exe	35
PID 524 wrote to memory of 852	524	cmd.exe	36
PID 524 wrote to memory of 852	524	cmd.exe	36
PID 524 wrote to memory of 852	524	cmd.exe	36
PID 524 wrote to memory of 852	524	cmd.exe	36
PID 524 wrote to memory of 912	524	cmd.exe	37
PID 524 wrote to memory of 912	524	cmd.exe	37
PID 524 wrote to memory of 912	524	cmd.exe	37
PID 524 wrote to memory of 912	524	cmd.exe	37
PID 524 wrote to memory of 2012	524	cmd.exe	38
PID 524 wrote to memory of 2012	524	cmd.exe	38
PID 524 wrote to memory of 2012	524	cmd.exe	38
PID 524 wrote to memory of 2012	524	cmd.exe	38
PID 524 wrote to memory of 1432	524	cmd.exe	39
PID 524 wrote to memory of 1432	524	cmd.exe	39
PID 524 wrote to memory of 1432	524	cmd.exe	39
PID 524 wrote to memory of 1432	524	cmd.exe	39
PID 524 wrote to memory of 1760	524	cmd.exe	40
PID 524 wrote to memory of 1760	524	cmd.exe	40
PID 524 wrote to memory of 1760	524	cmd.exe	40
PID 524 wrote to memory of 1760	524	cmd.exe	40
PID 524 wrote to memory of 1888	524	cmd.exe	41
PID 524 wrote to memory of 1888	524	cmd.exe	41
PID 524 wrote to memory of 1888	524	cmd.exe	41
PID 524 wrote to memory of 1888	524	cmd.exe	41
PID 524 wrote to memory of 1632	524	cmd.exe	42
PID 524 wrote to memory of 1632	524	cmd.exe	42
PID 524 wrote to memory of 1632	524	cmd.exe	42
PID 524 wrote to memory of 1632	524	cmd.exe	42
PID 524 wrote to memory of 2004	524	cmd.exe	43
PID 524 wrote to memory of 2004	524	cmd.exe	43
PID 524 wrote to memory of 2004	524	cmd.exe	43
PID 524 wrote to memory of 2004	524	cmd.exe	43
PID 524 wrote to memory of 884	524	cmd.exe	44
PID 524 wrote to memory of 884	524	cmd.exe	44
PID 524 wrote to memory of 884	524	cmd.exe	44
PID 524 wrote to memory of 884	524	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe
"C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Windows.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im svnhost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im systemsmss.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im svshost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im systemswin.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im systems.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im systeminfo.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1760
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\snpt.exe
    snpt.exe /silentinstall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\snpt.exe
    snpt.exe /firewall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\snpt.exe
    snpt.exe /start
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:884

C:\Users\Admin\AppData\Local\Temp\snpt.exe
C:\Users\Admin\AppData\Local\Temp\snpt.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1576-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1576-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1632-63-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1748-73-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2004-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download