rms | a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6

Analysis

max time kernel
172s
max time network
176s
platform
windows10_x64
resource
win10-en-20211208
submitted
29-01-2022 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
Size

5.0MB
MD5

0068e097219e7fccda11308999e36723
SHA1

d96e97f530c529b58657e0c0c03d74bd1626ab7c
SHA256

a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6
SHA512

e3e457293cec7892d1d773f1d74c26d637c1642a178f259113d9c7da19ae0ab1f3073429777526bc3fca0b4b7b43f58641d88e4e819aff14d42730d0227af0da

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
3728	svshost.exe
3216	svshost.exe
3228	svshost.exe
3240	svshost.exe
3848	upgradewin.exe
2156	upgradewin.exe
3872	upgradewin.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\System64\Russian.lg	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\webmmux.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\webmvorbisencoder.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\English.lg	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\EULA.rtf	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\RIPCServer.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\RIPCServer.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\upgradewin.exe	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\svshost.exe	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\regedit.reg	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\English.lg	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\EULA.rtf	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\install.vbs	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\install.vbs	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\Russian.lg	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\svshost.exe	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\regedit.reg	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\RWLN.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\__tmp_rar_sfx_access_check_259399687	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\install.bat	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\vp8encoder.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\webmmux.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\webmvorbisencoder.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\install.bat	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\RWLN.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\vp8decoder.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File created	C:\Windows\System64\webmvorbisdecoder.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\webmvorbisdecoder.dll	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
File opened for modification	C:\Windows\System64\upgradewin.exe	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2160	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
3936	taskkill.exe
4064	taskkill.exe
2008	taskkill.exe
4036	taskkill.exe
2132	taskkill.exe
3916	taskkill.exe
3268	taskkill.exe
3048	taskkill.exe
2740	taskkill.exe
3652	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1056	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3728	svshost.exe
3728	svshost.exe
3728	svshost.exe
3728	svshost.exe
3728	svshost.exe
3728	svshost.exe
3216	svshost.exe
3216	svshost.exe
3228	svshost.exe
3228	svshost.exe
3240	svshost.exe
3240	svshost.exe
3240	svshost.exe
3240	svshost.exe
3240	svshost.exe
3240	svshost.exe
3848	upgradewin.exe
3848	upgradewin.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3872	upgradewin.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	3268	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	3652	taskkill.exe
Token: SeDebugPrivilege	4036	taskkill.exe
Token: SeDebugPrivilege	3728	svshost.exe
Token: SeDebugPrivilege	3228	svshost.exe
Token: SeTakeOwnershipPrivilege	3240	svshost.exe
Token: SeTcbPrivilege	3240	svshost.exe
Token: SeTcbPrivilege	3240	svshost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3728	svshost.exe
3216	svshost.exe
3228	svshost.exe
3240	svshost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 3180	3516	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe	69
PID 3516 wrote to memory of 3180	3516	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe	69
PID 3516 wrote to memory of 3180	3516	a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe	69
PID 3180 wrote to memory of 1180	3180	WScript.exe	70
PID 3180 wrote to memory of 1180	3180	WScript.exe	70
PID 3180 wrote to memory of 1180	3180	WScript.exe	70
PID 1180 wrote to memory of 2132	1180	cmd.exe	72
PID 1180 wrote to memory of 2132	1180	cmd.exe	72
PID 1180 wrote to memory of 2132	1180	cmd.exe	72
PID 1180 wrote to memory of 3916	1180	cmd.exe	74
PID 1180 wrote to memory of 3916	1180	cmd.exe	74
PID 1180 wrote to memory of 3916	1180	cmd.exe	74
PID 1180 wrote to memory of 3936	1180	cmd.exe	75
PID 1180 wrote to memory of 3936	1180	cmd.exe	75
PID 1180 wrote to memory of 3936	1180	cmd.exe	75
PID 1180 wrote to memory of 3268	1180	cmd.exe	76
PID 1180 wrote to memory of 3268	1180	cmd.exe	76
PID 1180 wrote to memory of 3268	1180	cmd.exe	76
PID 1180 wrote to memory of 4064	1180	cmd.exe	77
PID 1180 wrote to memory of 4064	1180	cmd.exe	77
PID 1180 wrote to memory of 4064	1180	cmd.exe	77
PID 1180 wrote to memory of 3048	1180	cmd.exe	78
PID 1180 wrote to memory of 3048	1180	cmd.exe	78
PID 1180 wrote to memory of 3048	1180	cmd.exe	78
PID 1180 wrote to memory of 2740	1180	cmd.exe	79
PID 1180 wrote to memory of 2740	1180	cmd.exe	79
PID 1180 wrote to memory of 2740	1180	cmd.exe	79
PID 1180 wrote to memory of 2008	1180	cmd.exe	80
PID 1180 wrote to memory of 2008	1180	cmd.exe	80
PID 1180 wrote to memory of 2008	1180	cmd.exe	80
PID 1180 wrote to memory of 3652	1180	cmd.exe	81
PID 1180 wrote to memory of 3652	1180	cmd.exe	81
PID 1180 wrote to memory of 3652	1180	cmd.exe	81
PID 1180 wrote to memory of 4036	1180	cmd.exe	82
PID 1180 wrote to memory of 4036	1180	cmd.exe	82
PID 1180 wrote to memory of 4036	1180	cmd.exe	82
PID 1180 wrote to memory of 1276	1180	cmd.exe	83
PID 1180 wrote to memory of 1276	1180	cmd.exe	83
PID 1180 wrote to memory of 1276	1180	cmd.exe	83
PID 1180 wrote to memory of 828	1180	cmd.exe	84
PID 1180 wrote to memory of 828	1180	cmd.exe	84
PID 1180 wrote to memory of 828	1180	cmd.exe	84
PID 1180 wrote to memory of 1056	1180	cmd.exe	85
PID 1180 wrote to memory of 1056	1180	cmd.exe	85
PID 1180 wrote to memory of 1056	1180	cmd.exe	85
PID 1180 wrote to memory of 2160	1180	cmd.exe	86
PID 1180 wrote to memory of 2160	1180	cmd.exe	86
PID 1180 wrote to memory of 2160	1180	cmd.exe	86
PID 1180 wrote to memory of 3728	1180	cmd.exe	87
PID 1180 wrote to memory of 3728	1180	cmd.exe	87
PID 1180 wrote to memory of 3728	1180	cmd.exe	87
PID 1180 wrote to memory of 3216	1180	cmd.exe	88
PID 1180 wrote to memory of 3216	1180	cmd.exe	88
PID 1180 wrote to memory of 3216	1180	cmd.exe	88
PID 1180 wrote to memory of 3228	1180	cmd.exe	89
PID 1180 wrote to memory of 3228	1180	cmd.exe	89
PID 1180 wrote to memory of 3228	1180	cmd.exe	89
PID 3240 wrote to memory of 2156	3240	svshost.exe	91
PID 3240 wrote to memory of 3848	3240	svshost.exe	92
PID 3240 wrote to memory of 2156	3240	svshost.exe	91
PID 3240 wrote to memory of 2156	3240	svshost.exe	91
PID 3240 wrote to memory of 3848	3240	svshost.exe	92
PID 3240 wrote to memory of 3848	3240	svshost.exe	92
PID 1180 wrote to memory of 3156	1180	cmd.exe	93

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3156	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe
"C:\Users\Admin\AppData\Local\Temp\a11ac0447860bc467c32f41bfe223ffcdffce2e87f31c02a1cab3247e43554a6.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System64\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System64\install.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svnhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systemsmss.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svshost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im upgradewin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im updated.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systemswin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systems.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systeminfo.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4036
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\System Corporation Update" /f
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:1056
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:2160
  - - C:\Windows\System64\svshost.exe
      svshost.exe /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3728
  - - C:\Windows\System64\svshost.exe
      svshost.exe /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3216
  - - C:\Windows\System64\svshost.exe
      svshost.exe /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3228
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Windows\System64" /S /D
      4⤵
      Views/modifies file attributes
      PID:3156

C:\Windows\System64\svshost.exe
C:\Windows\System64\svshost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\System64\upgradewin.exe
  C:\Windows\System64\upgradewin.exe /tray
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System64\upgradewin.exe
  C:\Windows\System64\upgradewin.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3848
- - C:\Windows\System64\upgradewin.exe
    C:\Windows\System64\upgradewin.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:3872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2156-221-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3216-204-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/3228-207-0x0000000000AB0000-0x0000000000B5E000-memory.dmp

Filesize
696KB

Download
memory/3240-220-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3848-222-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download