rms | 96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92

Analysis

max time kernel
153s
max time network
153s
platform
windows10_x64
resource
win10-en-20211208
submitted
29-01-2022 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
Size

5.1MB
MD5

ab6a5328c37edd22de33ece56dc8f043
SHA1

e2b28629299d824ae085eb1476f46f92cf364c0a
SHA256

96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92
SHA512

42b8bdad1933408bb556731b6766f34d42aa8fd0df9e1d629a4136586e9ed1bb8d49da2958e7bd8a5179414fee2680c9b909c94ffac0b109cebc0008e67bf6f8

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
2064	svshost.exe
2400	svshost.exe
1688	svshost.exe
2116	svshost.exe
1472	upgradewin.exe
3820	upgradewin.exe
1376	upgradewin.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\System64\RWLN.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\RIPCServer.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\webmvorbisdecoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\upgradewin.exe	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\Russian.lg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\install.vbs	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\install.vbs	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\RIPCServer.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\install.bat	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\upgradewin.exe	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\regedit.reg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\Russian.lg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\English.lg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\EULA.rtf	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\install.bat	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\vp8encoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\webmmux.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\webmvorbisencoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\__tmp_rar_sfx_access_check_259409000	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\RWLN.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\vp8decoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\webmmux.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\webmvorbisdecoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\svshost.exe	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\svshost.exe	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\English.lg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\regedit.reg	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File opened for modification	C:\Windows\System64\webmvorbisencoder.dll	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
File created	C:\Windows\System64\EULA.rtf	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1240	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
1956	taskkill.exe
2632	taskkill.exe
3492	taskkill.exe
1624	taskkill.exe
1740	taskkill.exe
3392	taskkill.exe
2060	taskkill.exe
2924	taskkill.exe
3988	taskkill.exe
1380	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1660	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2064	svshost.exe
2064	svshost.exe
2064	svshost.exe
2064	svshost.exe
2064	svshost.exe
2064	svshost.exe
2400	svshost.exe
2400	svshost.exe
1688	svshost.exe
1688	svshost.exe
2116	svshost.exe
2116	svshost.exe
2116	svshost.exe
2116	svshost.exe
2116	svshost.exe
2116	svshost.exe
1472	upgradewin.exe
1472	upgradewin.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1376	upgradewin.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	3392	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	2064	svshost.exe
Token: SeDebugPrivilege	1688	svshost.exe
Token: SeTakeOwnershipPrivilege	2116	svshost.exe
Token: SeTcbPrivilege	2116	svshost.exe
Token: SeTcbPrivilege	2116	svshost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2064	svshost.exe
2400	svshost.exe
1688	svshost.exe
2116	svshost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 1900	2776	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe	68
PID 2776 wrote to memory of 1900	2776	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe	68
PID 2776 wrote to memory of 1900	2776	96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe	68
PID 1900 wrote to memory of 400	1900	WScript.exe	69
PID 1900 wrote to memory of 400	1900	WScript.exe	69
PID 1900 wrote to memory of 400	1900	WScript.exe	69
PID 400 wrote to memory of 3988	400	cmd.exe	71
PID 400 wrote to memory of 3988	400	cmd.exe	71
PID 400 wrote to memory of 3988	400	cmd.exe	71
PID 400 wrote to memory of 1380	400	cmd.exe	73
PID 400 wrote to memory of 1380	400	cmd.exe	73
PID 400 wrote to memory of 1380	400	cmd.exe	73
PID 400 wrote to memory of 1624	400	cmd.exe	74
PID 400 wrote to memory of 1624	400	cmd.exe	74
PID 400 wrote to memory of 1624	400	cmd.exe	74
PID 400 wrote to memory of 1740	400	cmd.exe	75
PID 400 wrote to memory of 1740	400	cmd.exe	75
PID 400 wrote to memory of 1740	400	cmd.exe	75
PID 400 wrote to memory of 3392	400	cmd.exe	76
PID 400 wrote to memory of 3392	400	cmd.exe	76
PID 400 wrote to memory of 3392	400	cmd.exe	76
PID 400 wrote to memory of 1956	400	cmd.exe	77
PID 400 wrote to memory of 1956	400	cmd.exe	77
PID 400 wrote to memory of 1956	400	cmd.exe	77
PID 400 wrote to memory of 2060	400	cmd.exe	78
PID 400 wrote to memory of 2060	400	cmd.exe	78
PID 400 wrote to memory of 2060	400	cmd.exe	78
PID 400 wrote to memory of 2632	400	cmd.exe	79
PID 400 wrote to memory of 2632	400	cmd.exe	79
PID 400 wrote to memory of 2632	400	cmd.exe	79
PID 400 wrote to memory of 2924	400	cmd.exe	80
PID 400 wrote to memory of 2924	400	cmd.exe	80
PID 400 wrote to memory of 2924	400	cmd.exe	80
PID 400 wrote to memory of 3492	400	cmd.exe	81
PID 400 wrote to memory of 3492	400	cmd.exe	81
PID 400 wrote to memory of 3492	400	cmd.exe	81
PID 400 wrote to memory of 3936	400	cmd.exe	82
PID 400 wrote to memory of 3936	400	cmd.exe	82
PID 400 wrote to memory of 3936	400	cmd.exe	82
PID 400 wrote to memory of 1052	400	cmd.exe	83
PID 400 wrote to memory of 1052	400	cmd.exe	83
PID 400 wrote to memory of 1052	400	cmd.exe	83
PID 400 wrote to memory of 1660	400	cmd.exe	84
PID 400 wrote to memory of 1660	400	cmd.exe	84
PID 400 wrote to memory of 1660	400	cmd.exe	84
PID 400 wrote to memory of 1240	400	cmd.exe	85
PID 400 wrote to memory of 1240	400	cmd.exe	85
PID 400 wrote to memory of 1240	400	cmd.exe	85
PID 400 wrote to memory of 2064	400	cmd.exe	86
PID 400 wrote to memory of 2064	400	cmd.exe	86
PID 400 wrote to memory of 2064	400	cmd.exe	86
PID 400 wrote to memory of 2400	400	cmd.exe	87
PID 400 wrote to memory of 2400	400	cmd.exe	87
PID 400 wrote to memory of 2400	400	cmd.exe	87
PID 400 wrote to memory of 1688	400	cmd.exe	88
PID 400 wrote to memory of 1688	400	cmd.exe	88
PID 400 wrote to memory of 1688	400	cmd.exe	88
PID 2116 wrote to memory of 1472	2116	svshost.exe	91
PID 2116 wrote to memory of 3820	2116	svshost.exe	90
PID 2116 wrote to memory of 1472	2116	svshost.exe	91
PID 2116 wrote to memory of 3820	2116	svshost.exe	90
PID 2116 wrote to memory of 1472	2116	svshost.exe	91
PID 2116 wrote to memory of 3820	2116	svshost.exe	90
PID 400 wrote to memory of 3148	400	cmd.exe	92

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3148	attrib.exe

C:\Users\Admin\AppData\Local\Temp\96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe
"C:\Users\Admin\AppData\Local\Temp\96665b5c55da7633dc0e67240dfbaac0c872fc74f55954d766cee3a1c8682f92.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System64\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System64\install.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svnhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systemsmss.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svshost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im upgradewin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im updated.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systemswin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systems.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systeminfo.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3492
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\System Corporation Update" /f
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:1660
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:1240
  - - C:\Windows\System64\svshost.exe
      svshost.exe /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2064
  - - C:\Windows\System64\svshost.exe
      svshost.exe /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2400
  - - C:\Windows\System64\svshost.exe
      svshost.exe /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Windows\System64" /S /D
      4⤵
      Views/modifies file attributes
      PID:3148

C:\Windows\System64\svshost.exe
C:\Windows\System64\svshost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\System64\upgradewin.exe
  C:\Windows\System64\upgradewin.exe /tray
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System64\upgradewin.exe
  C:\Windows\System64\upgradewin.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1472
- - C:\Windows\System64\upgradewin.exe
    C:\Windows\System64\upgradewin.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-283-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1472-280-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1688-266-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2064-261-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2116-267-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/2400-263-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3820-281-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download