Overview

overview

10

Static

static

e88222cf5d...0b.exe

windows7_x64

5

e88222cf5d...0b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    13-02-2022 09:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe

  • Size

    5.3MB

  • MD5

    099e0502c814215f447660a9fc591361

  • SHA1

    a2917fbe5157fee9e2a70258a96f66aa2498c733

  • SHA256

    e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b

  • SHA512

    e6519b42ff0ed5feafe6bb92d578417468456b849cddce29043835bfa63108f45bd12c35fb5a2f7b2baea3c7bb7c5381c979d6a759232964d64a07edda33fffa

Score
10/10
rmsrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • autoit_exe 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe
    "C:\Users\Admin\AppData\Local\Temp\e88222cf5d0cb1814f581b37a3aad63e7e17d25d308281960b7551a8295d030b.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /TN "XPS Rasterization Service Component" /TR "C:\PROGRA~2\XPSRAS~1\xservice.exe" /RL HIGHEST
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /SC ONLOGON /TN "XPS Rasterization Service Component" /TR "C:\PROGRA~2\XPSRAS~1\xservice.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1996
    • C:\PROGRA~2\XPSRAS~1\xservice.exe
      "C:\PROGRA~2\XPSRAS~1\xservice.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe
        "C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe" -second
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2740
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:744
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4928

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/744-132-0x000001E0A0790000-0x000001E0A0794000-memory.dmp

    Filesize

    16KB

    Download

  • memory/744-131-0x000001E09E120000-0x000001E09E130000-memory.dmp

    Filesize

    64KB

    Download

  • memory/744-130-0x000001E09DB60000-0x000001E09DB70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2740-137-0x0000000000030000-0x0000000000034000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2740-140-0x0000000000400000-0x0000000000B06000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/2740-146-0x0000000002860000-0x0000000002861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3928-138-0x00000000001F0000-0x00000000001F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3928-139-0x0000000000870000-0x0000000000E36000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/4460-145-0x00000000000A0000-0x0000000000213000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4460-147-0x0000000001010000-0x0000000001012000-memory.dmp

    Filesize

    8KB

    Download