rms | 7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2

Analysis

max time kernel
174s
max time network
166s
platform
windows10_x64
resource
win10-en-20211208
submitted
29-01-2022 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
Size

5.0MB
MD5

b0eaabc3ce13ddd873611ed651f40a34
SHA1

747ae815dfd46c8c5a790927c2d13f1eafc8b961
SHA256

7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2
SHA512

e6465845fbf63dba43e41c6b95fe1d399c83625ee774d4c7f414c894f1cbe905ab878139d19e943f3773b1c6f2f2c8cc55ca57530b91812e5c0924e64f295c65

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
3024	svshost.exe
2232	svshost.exe
856	svshost.exe
1424	svshost.exe
1028	upgradewin.exe
2160	upgradewin.exe
3240	upgradewin.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System64\English.lg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\Russian.lg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\vp8decoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\EULA.rtf	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\EULA.rtf	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\webmmux.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\upgradewin.exe	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\install.vbs	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\upgradewin.exe	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\svshost.exe	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\__tmp_rar_sfx_access_check_259400343	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\RIPCServer.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\RWLN.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\RWLN.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\webmmux.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\webmvorbisdecoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\webmvorbisdecoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\regedit.reg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\regedit.reg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\vp8encoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\webmvorbisencoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\RIPCServer.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\webmvorbisencoder.dll	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\install.bat	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\Russian.lg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\English.lg	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\install.bat	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File opened for modification	C:\Windows\System64\install.vbs	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
File created	C:\Windows\System64\svshost.exe	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2872	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
1552	taskkill.exe
4072	taskkill.exe
1860	taskkill.exe
1920	taskkill.exe
504	taskkill.exe
1452	taskkill.exe
2976	taskkill.exe
3236	taskkill.exe
4084	taskkill.exe
2944	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2936	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3024	svshost.exe
3024	svshost.exe
3024	svshost.exe
3024	svshost.exe
3024	svshost.exe
3024	svshost.exe
2232	svshost.exe
2232	svshost.exe
856	svshost.exe
856	svshost.exe
1424	svshost.exe
1424	svshost.exe
1424	svshost.exe
1424	svshost.exe
1424	svshost.exe
1424	svshost.exe
1028	upgradewin.exe
1028	upgradewin.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3240	upgradewin.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeDebugPrivilege	504	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	3024	svshost.exe
Token: SeDebugPrivilege	856	svshost.exe
Token: SeTakeOwnershipPrivilege	1424	svshost.exe
Token: SeTcbPrivilege	1424	svshost.exe
Token: SeTcbPrivilege	1424	svshost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3024	svshost.exe
2232	svshost.exe
856	svshost.exe
1424	svshost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 3988	3184	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe	68
PID 3184 wrote to memory of 3988	3184	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe	68
PID 3184 wrote to memory of 3988	3184	7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe	68
PID 3988 wrote to memory of 1084	3988	WScript.exe	69
PID 3988 wrote to memory of 1084	3988	WScript.exe	69
PID 3988 wrote to memory of 1084	3988	WScript.exe	69
PID 1084 wrote to memory of 3236	1084	cmd.exe	71
PID 1084 wrote to memory of 3236	1084	cmd.exe	71
PID 1084 wrote to memory of 3236	1084	cmd.exe	71
PID 1084 wrote to memory of 4084	1084	cmd.exe	73
PID 1084 wrote to memory of 4084	1084	cmd.exe	73
PID 1084 wrote to memory of 4084	1084	cmd.exe	73
PID 1084 wrote to memory of 4072	1084	cmd.exe	74
PID 1084 wrote to memory of 4072	1084	cmd.exe	74
PID 1084 wrote to memory of 4072	1084	cmd.exe	74
PID 1084 wrote to memory of 1860	1084	cmd.exe	75
PID 1084 wrote to memory of 1860	1084	cmd.exe	75
PID 1084 wrote to memory of 1860	1084	cmd.exe	75
PID 1084 wrote to memory of 2944	1084	cmd.exe	76
PID 1084 wrote to memory of 2944	1084	cmd.exe	76
PID 1084 wrote to memory of 2944	1084	cmd.exe	76
PID 1084 wrote to memory of 504	1084	cmd.exe	77
PID 1084 wrote to memory of 504	1084	cmd.exe	77
PID 1084 wrote to memory of 504	1084	cmd.exe	77
PID 1084 wrote to memory of 1452	1084	cmd.exe	78
PID 1084 wrote to memory of 1452	1084	cmd.exe	78
PID 1084 wrote to memory of 1452	1084	cmd.exe	78
PID 1084 wrote to memory of 1920	1084	cmd.exe	79
PID 1084 wrote to memory of 1920	1084	cmd.exe	79
PID 1084 wrote to memory of 1920	1084	cmd.exe	79
PID 1084 wrote to memory of 1552	1084	cmd.exe	80
PID 1084 wrote to memory of 1552	1084	cmd.exe	80
PID 1084 wrote to memory of 1552	1084	cmd.exe	80
PID 1084 wrote to memory of 2976	1084	cmd.exe	81
PID 1084 wrote to memory of 2976	1084	cmd.exe	81
PID 1084 wrote to memory of 2976	1084	cmd.exe	81
PID 1084 wrote to memory of 2356	1084	cmd.exe	82
PID 1084 wrote to memory of 2356	1084	cmd.exe	82
PID 1084 wrote to memory of 2356	1084	cmd.exe	82
PID 1084 wrote to memory of 2652	1084	cmd.exe	83
PID 1084 wrote to memory of 2652	1084	cmd.exe	83
PID 1084 wrote to memory of 2652	1084	cmd.exe	83
PID 1084 wrote to memory of 2936	1084	cmd.exe	84
PID 1084 wrote to memory of 2936	1084	cmd.exe	84
PID 1084 wrote to memory of 2936	1084	cmd.exe	84
PID 1084 wrote to memory of 2872	1084	cmd.exe	85
PID 1084 wrote to memory of 2872	1084	cmd.exe	85
PID 1084 wrote to memory of 2872	1084	cmd.exe	85
PID 1084 wrote to memory of 3024	1084	cmd.exe	86
PID 1084 wrote to memory of 3024	1084	cmd.exe	86
PID 1084 wrote to memory of 3024	1084	cmd.exe	86
PID 1084 wrote to memory of 2232	1084	cmd.exe	87
PID 1084 wrote to memory of 2232	1084	cmd.exe	87
PID 1084 wrote to memory of 2232	1084	cmd.exe	87
PID 1084 wrote to memory of 856	1084	cmd.exe	88
PID 1084 wrote to memory of 856	1084	cmd.exe	88
PID 1084 wrote to memory of 856	1084	cmd.exe	88
PID 1424 wrote to memory of 1028	1424	svshost.exe	90
PID 1424 wrote to memory of 1028	1424	svshost.exe	90
PID 1424 wrote to memory of 1028	1424	svshost.exe	90
PID 1424 wrote to memory of 2160	1424	svshost.exe	91
PID 1424 wrote to memory of 2160	1424	svshost.exe	91
PID 1424 wrote to memory of 2160	1424	svshost.exe	91
PID 1084 wrote to memory of 516	1084	cmd.exe	92

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
516	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe
"C:\Users\Admin\AppData\Local\Temp\7c3025d17d0afb72d9a8c72576ec49101483281603b51384390c37d0bd6699e2.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System64\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System64\install.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svnhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systemsmss.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im svshost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im upgradewin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im updated.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systemswin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1920
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systems.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im systeminfo.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2976
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\System Corporation Update" /f
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:2936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:2872
  - - C:\Windows\System64\svshost.exe
      svshost.exe /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3024
  - - C:\Windows\System64\svshost.exe
      svshost.exe /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2232
  - - C:\Windows\System64\svshost.exe
      svshost.exe /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:856
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Windows\System64" /S /D
      4⤵
      Views/modifies file attributes
      PID:516

C:\Windows\System64\svshost.exe
C:\Windows\System64\svshost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\System64\upgradewin.exe
  C:\Windows\System64\upgradewin.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1028
- - C:\Windows\System64\upgradewin.exe
    C:\Windows\System64\upgradewin.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:3240
- C:\Windows\System64\upgradewin.exe
  C:\Windows\System64\upgradewin.exe /tray
  2⤵
  - Executes dropped EXE
  PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-212-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1028-226-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1424-213-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2160-225-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download