rms | 7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2

Analysis

max time kernel
156s
max time network
152s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-01-2022 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
Size

5.0MB
MD5

b0eaabc3ce13ddd873611ed651f40a34
SHA1

747ae815dfd46c8c5a790927c2d13f1eafc8b961
SHA256

7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2
SHA512

e6465845fbf63dba43e41c6b95fe1d399c83625ee774d4c7f414c894f1cbe905ab878139d19e943f3773b1c6f2f2c8cc55ca57530b91812e5c0924e64f295c65

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
1708	svshost.exe
1684	svshost.exe
1984	svshost.exe
1404	svshost.exe
1552	upgradewin.exe
2016	upgradewin.exe
1756	upgradewin.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Loads dropped DLL 4 IoCs

pid	Process
1408	cmd.exe
1408	cmd.exe
1408	cmd.exe
1404	svshost.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\System64\vp8encoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\webmvorbisencoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\svshost.exe	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\regedit.reg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\install.vbs	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\RWLN.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\EULA.rtf	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\RIPCServer.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\RIPCServer.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\Russian.lg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\upgradewin.exe	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\upgradewin.exe	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\__tmp_rar_sfx_access_check_259407167	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\install.bat	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\Russian.lg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\RWLN.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\webmmux.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\webmvorbisdecoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\webmvorbisencoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\English.lg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\EULA.rtf	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\install.vbs	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\webmmux.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\webmvorbisdecoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\English.lg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\install.bat	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\svshost.exe	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\regedit.reg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\vp8decoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1580	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
800	taskkill.exe
596	taskkill.exe
2032	taskkill.exe
752	taskkill.exe
1712	taskkill.exe
1188	taskkill.exe
1704	taskkill.exe
1968	taskkill.exe
1484	taskkill.exe
676	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
884	regedit.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1708	svshost.exe
1708	svshost.exe
1708	svshost.exe
1708	svshost.exe
1684	svshost.exe
1684	svshost.exe
1984	svshost.exe
1984	svshost.exe
1404	svshost.exe
1404	svshost.exe
1404	svshost.exe
1404	svshost.exe
1552	upgradewin.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1756	upgradewin.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1708	svshost.exe
Token: SeDebugPrivilege	1984	svshost.exe
Token: SeTakeOwnershipPrivilege	1404	svshost.exe
Token: SeTcbPrivilege	1404	svshost.exe
Token: SeTcbPrivilege	1404	svshost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1708	svshost.exe
1684	svshost.exe
1984	svshost.exe
1404	svshost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 792	1116	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe	27
PID 1116 wrote to memory of 792	1116	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe	27
PID 1116 wrote to memory of 792	1116	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe	27
PID 1116 wrote to memory of 792	1116	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe	27
PID 1116 wrote to memory of 792	1116	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe	27
PID 1116 wrote to memory of 792	1116	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe	27
PID 1116 wrote to memory of 792	1116	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe	27
PID 792 wrote to memory of 1408	792	WScript.exe	28
PID 792 wrote to memory of 1408	792	WScript.exe	28
PID 792 wrote to memory of 1408	792	WScript.exe	28
PID 792 wrote to memory of 1408	792	WScript.exe	28
PID 792 wrote to memory of 1408	792	WScript.exe	28
PID 792 wrote to memory of 1408	792	WScript.exe	28
PID 792 wrote to memory of 1408	792	WScript.exe	28
PID 1408 wrote to memory of 596	1408	cmd.exe	30
PID 1408 wrote to memory of 596	1408	cmd.exe	30
PID 1408 wrote to memory of 596	1408	cmd.exe	30
PID 1408 wrote to memory of 596	1408	cmd.exe	30
PID 1408 wrote to memory of 596	1408	cmd.exe	30
PID 1408 wrote to memory of 596	1408	cmd.exe	30
PID 1408 wrote to memory of 596	1408	cmd.exe	30
PID 1408 wrote to memory of 2032	1408	cmd.exe	32
PID 1408 wrote to memory of 2032	1408	cmd.exe	32
PID 1408 wrote to memory of 2032	1408	cmd.exe	32
PID 1408 wrote to memory of 2032	1408	cmd.exe	32
PID 1408 wrote to memory of 2032	1408	cmd.exe	32
PID 1408 wrote to memory of 2032	1408	cmd.exe	32
PID 1408 wrote to memory of 2032	1408	cmd.exe	32
PID 1408 wrote to memory of 1968	1408	cmd.exe	33
PID 1408 wrote to memory of 1968	1408	cmd.exe	33
PID 1408 wrote to memory of 1968	1408	cmd.exe	33
PID 1408 wrote to memory of 1968	1408	cmd.exe	33
PID 1408 wrote to memory of 1968	1408	cmd.exe	33
PID 1408 wrote to memory of 1968	1408	cmd.exe	33
PID 1408 wrote to memory of 1968	1408	cmd.exe	33
PID 1408 wrote to memory of 752	1408	cmd.exe	34
PID 1408 wrote to memory of 752	1408	cmd.exe	34
PID 1408 wrote to memory of 752	1408	cmd.exe	34
PID 1408 wrote to memory of 752	1408	cmd.exe	34
PID 1408 wrote to memory of 752	1408	cmd.exe	34
PID 1408 wrote to memory of 752	1408	cmd.exe	34
PID 1408 wrote to memory of 752	1408	cmd.exe	34
PID 1408 wrote to memory of 1484	1408	cmd.exe	35
PID 1408 wrote to memory of 1484	1408	cmd.exe	35
PID 1408 wrote to memory of 1484	1408	cmd.exe	35
PID 1408 wrote to memory of 1484	1408	cmd.exe	35
PID 1408 wrote to memory of 1484	1408	cmd.exe	35
PID 1408 wrote to memory of 1484	1408	cmd.exe	35
PID 1408 wrote to memory of 1484	1408	cmd.exe	35
PID 1408 wrote to memory of 676	1408	cmd.exe	36
PID 1408 wrote to memory of 676	1408	cmd.exe	36
PID 1408 wrote to memory of 676	1408	cmd.exe	36
PID 1408 wrote to memory of 676	1408	cmd.exe	36
PID 1408 wrote to memory of 676	1408	cmd.exe	36
PID 1408 wrote to memory of 676	1408	cmd.exe	36
PID 1408 wrote to memory of 676	1408	cmd.exe	36
PID 1408 wrote to memory of 1712	1408	cmd.exe	37
PID 1408 wrote to memory of 1712	1408	cmd.exe	37
PID 1408 wrote to memory of 1712	1408	cmd.exe	37
PID 1408 wrote to memory of 1712	1408	cmd.exe	37
PID 1408 wrote to memory of 1712	1408	cmd.exe	37
PID 1408 wrote to memory of 1712	1408	cmd.exe	37
PID 1408 wrote to memory of 1712	1408	cmd.exe	37
PID 1408 wrote to memory of 1188	1408	cmd.exe	38

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1732	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
"C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System64\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\System64\install.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svnhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systemsmss.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svshost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im upgradewin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im updated.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systemswin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systems.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systeminfo.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\System Corporation Update" /f
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:884
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:1580
  - - C:\Windows\System64\svshost.exe
      svshost.exe /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1708
  - - C:\Windows\System64\svshost.exe
      svshost.exe /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1684
  - - C:\Windows\System64\svshost.exe
      svshost.exe /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Windows\System64" /S /D
      4⤵
      Views/modifies file attributes
      PID:1732

C:\Windows\System64\svshost.exe
C:\Windows\System64\svshost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1404
- C:\Windows\System64\upgradewin.exe
  C:\Windows\System64\upgradewin.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- - C:\Windows\System64\upgradewin.exe
    C:\Windows\System64\upgradewin.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1756
- C:\Windows\System64\upgradewin.exe
  C:\Windows\System64\upgradewin.exe /tray
  2⤵
  - Executes dropped EXE
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-55-0x0000000076511000-0x0000000076513000-memory.dmp

Filesize
8KB

Download
memory/1404-89-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1552-106-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1684-82-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1984-88-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2016-107-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download