rms | 96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92

Analysis

max time kernel
152s
max time network
143s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-01-2022 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
Size

5.1MB
MD5

ab6a5328c37edd22de33ece56dc8f043
SHA1

e2b28629299d824ae085eb1476f46f92cf364c0a
SHA256

96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92
SHA512

42b8bdad1933408bb556731b6766f34d42aa8fd0df9e1d629a4136586e9ed1bb8d49da2958e7bd8a5179414fee2680c9b909c94ffac0b109cebc0008e67bf6f8

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
1528	svshost.exe
1608	svshost.exe
524	svshost.exe
528	svshost.exe
1144	upgradewin.exe
1160	upgradewin.exe
1496	upgradewin.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Loads dropped DLL 5 IoCs

pid	Process
576	cmd.exe
576	cmd.exe
576	cmd.exe
528	svshost.exe
528	svshost.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\System64\install.bat	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\install.bat	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\Russian.lg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\upgradewin.exe	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\English.lg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\EULA.rtf	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\Russian.lg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\RWLN.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\webmmux.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\webmvorbisdecoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\webmvorbisdecoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\install.vbs	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\webmvorbisencoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\regedit.reg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\RIPCServer.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\RIPCServer.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\vp8encoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\svshost.exe	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\webmmux.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\__tmp_rar_sfx_access_check_259382643	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\vp8decoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\upgradewin.exe	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\svshost.exe	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\EULA.rtf	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\webmvorbisencoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\regedit.reg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\install.vbs	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\English.lg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\RWLN.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
896	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
1844	taskkill.exe
1064	taskkill.exe
1556	taskkill.exe
1160	taskkill.exe
1796	taskkill.exe
844	taskkill.exe
1224	taskkill.exe
1500	taskkill.exe
1184	taskkill.exe
1776	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1364	regedit.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1528	svshost.exe
1528	svshost.exe
1528	svshost.exe
1528	svshost.exe
1608	svshost.exe
1608	svshost.exe
524	svshost.exe
524	svshost.exe
528	svshost.exe
528	svshost.exe
528	svshost.exe
528	svshost.exe
1144	upgradewin.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1496	upgradewin.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	1528	svshost.exe
Token: SeDebugPrivilege	524	svshost.exe
Token: SeTakeOwnershipPrivilege	528	svshost.exe
Token: SeTcbPrivilege	528	svshost.exe
Token: SeTcbPrivilege	528	svshost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1528	svshost.exe
1608	svshost.exe
524	svshost.exe
528	svshost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1120	1452	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe	27
PID 1452 wrote to memory of 1120	1452	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe	27
PID 1452 wrote to memory of 1120	1452	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe	27
PID 1452 wrote to memory of 1120	1452	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe	27
PID 1452 wrote to memory of 1120	1452	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe	27
PID 1452 wrote to memory of 1120	1452	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe	27
PID 1452 wrote to memory of 1120	1452	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe	27
PID 1120 wrote to memory of 576	1120	WScript.exe	28
PID 1120 wrote to memory of 576	1120	WScript.exe	28
PID 1120 wrote to memory of 576	1120	WScript.exe	28
PID 1120 wrote to memory of 576	1120	WScript.exe	28
PID 1120 wrote to memory of 576	1120	WScript.exe	28
PID 1120 wrote to memory of 576	1120	WScript.exe	28
PID 1120 wrote to memory of 576	1120	WScript.exe	28
PID 576 wrote to memory of 1224	576	cmd.exe	30
PID 576 wrote to memory of 1224	576	cmd.exe	30
PID 576 wrote to memory of 1224	576	cmd.exe	30
PID 576 wrote to memory of 1224	576	cmd.exe	30
PID 576 wrote to memory of 1224	576	cmd.exe	30
PID 576 wrote to memory of 1224	576	cmd.exe	30
PID 576 wrote to memory of 1224	576	cmd.exe	30
PID 576 wrote to memory of 1556	576	cmd.exe	32
PID 576 wrote to memory of 1556	576	cmd.exe	32
PID 576 wrote to memory of 1556	576	cmd.exe	32
PID 576 wrote to memory of 1556	576	cmd.exe	32
PID 576 wrote to memory of 1556	576	cmd.exe	32
PID 576 wrote to memory of 1556	576	cmd.exe	32
PID 576 wrote to memory of 1556	576	cmd.exe	32
PID 576 wrote to memory of 1160	576	cmd.exe	33
PID 576 wrote to memory of 1160	576	cmd.exe	33
PID 576 wrote to memory of 1160	576	cmd.exe	33
PID 576 wrote to memory of 1160	576	cmd.exe	33
PID 576 wrote to memory of 1160	576	cmd.exe	33
PID 576 wrote to memory of 1160	576	cmd.exe	33
PID 576 wrote to memory of 1160	576	cmd.exe	33
PID 576 wrote to memory of 1796	576	cmd.exe	34
PID 576 wrote to memory of 1796	576	cmd.exe	34
PID 576 wrote to memory of 1796	576	cmd.exe	34
PID 576 wrote to memory of 1796	576	cmd.exe	34
PID 576 wrote to memory of 1796	576	cmd.exe	34
PID 576 wrote to memory of 1796	576	cmd.exe	34
PID 576 wrote to memory of 1796	576	cmd.exe	34
PID 576 wrote to memory of 1500	576	cmd.exe	35
PID 576 wrote to memory of 1500	576	cmd.exe	35
PID 576 wrote to memory of 1500	576	cmd.exe	35
PID 576 wrote to memory of 1500	576	cmd.exe	35
PID 576 wrote to memory of 1500	576	cmd.exe	35
PID 576 wrote to memory of 1500	576	cmd.exe	35
PID 576 wrote to memory of 1500	576	cmd.exe	35
PID 576 wrote to memory of 844	576	cmd.exe	36
PID 576 wrote to memory of 844	576	cmd.exe	36
PID 576 wrote to memory of 844	576	cmd.exe	36
PID 576 wrote to memory of 844	576	cmd.exe	36
PID 576 wrote to memory of 844	576	cmd.exe	36
PID 576 wrote to memory of 844	576	cmd.exe	36
PID 576 wrote to memory of 844	576	cmd.exe	36
PID 576 wrote to memory of 1184	576	cmd.exe	37
PID 576 wrote to memory of 1184	576	cmd.exe	37
PID 576 wrote to memory of 1184	576	cmd.exe	37
PID 576 wrote to memory of 1184	576	cmd.exe	37
PID 576 wrote to memory of 1184	576	cmd.exe	37
PID 576 wrote to memory of 1184	576	cmd.exe	37
PID 576 wrote to memory of 1184	576	cmd.exe	37
PID 576 wrote to memory of 1844	576	cmd.exe	38

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1652	attrib.exe

C:\Users\Admin\AppData\Local\Temp\96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
"C:\Users\Admin\AppData\Local\Temp\96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System64\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\System64\install.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svnhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systemsmss.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svshost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im upgradewin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im updated.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systemswin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systems.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systeminfo.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1064
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\System Corporation Update" /f
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:1364
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:896
  - - C:\Windows\System64\svshost.exe
      svshost.exe /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1528
  - - C:\Windows\System64\svshost.exe
      svshost.exe /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1608
  - - C:\Windows\System64\svshost.exe
      svshost.exe /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Windows\System64" /S /D
      4⤵
      Views/modifies file attributes
      PID:1652

C:\Windows\System64\svshost.exe
C:\Windows\System64\svshost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:528
- C:\Windows\System64\upgradewin.exe
  C:\Windows\System64\upgradewin.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1144
- - C:\Windows\System64\upgradewin.exe
    C:\Windows\System64\upgradewin.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1496
- C:\Windows\System64\upgradewin.exe
  C:\Windows\System64\upgradewin.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-89-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/528-90-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1144-109-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1160-108-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1452-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1496-112-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1528-79-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1608-83-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download