Analysis

  • max time kernel
    155s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-02-2022 10:24

General

  • Target

    cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe

  • Size

    7.0MB

  • MD5

    48cfce9208c54152ff881406ffbd537a

  • SHA1

    04dacfa4e3a9e2dd57f4cab92a8d11b9e6ee4901

  • SHA256

    cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c

  • SHA512

    2505c1d48373fbf7ddc708a8b5b912028edec94abbea4b103d37b3e240d12582c31f846caebc378f69ec5a06e7e9387b93184edd1edf5e90b50fd072716f2dc0

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a commercial remote access tool developed by the Russian company TektonIT. It is legitimate software, but its host component (rutserg.exe) is regularly bundled by malware and installed unattended, as this sample does with the /silentinstall switch, to give an operator covert remote control.

  • UAC bypass 3 TTPs
  • Executes dropped EXE 9 IoCs
  • Modifies Windows Firewall 1 TTPs
  • UPX packed file 3 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Allows Network login with blank passwords 1 TTPs 1 IoCs

    Sets LimitBlankPasswordUse to 0 so that local accounts with blank passwords can log on over the network; the default value of 1 restricts such accounts to console logon.

  • Loads dropped DLL 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1940
    • C:\Windows\SysWOW64\regedit.exe
      regedit /s "C:\Program Files\RMS\regedit.reg"
      2⤵
      • Runs .reg file with regedit
      PID:336
    • C:\Program Files\RMS\rutserg.exe
      "C:\Program Files\RMS\rutserg.exe" /silentinstall
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1064
    • C:\Program Files\RMS\rutserg.exe
      "C:\Program Files\RMS\rutserg.exe" /firewall
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1648
    • C:\Windows\SysWOW64\regedit.exe
      regedit /s "C:\Program Files\RMS\regedit.reg"
      2⤵
      • Runs .reg file with regedit
      PID:2012
    • C:\Program Files\RMS\rutserg.exe
      "C:\Program Files\RMS\rutserg.exe" /start
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1184
    • C:\Program Files\RMS\sys.exe
      "C:\Program Files\RMS\sys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Roaming\Services\run.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
          4⤵
          PID:2040
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
          4⤵
          PID:572
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
          4⤵
          PID:108
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v limitblankpassworduse /t REG_DWORD /d 0 /f
          4⤵
          • Allows Network login with blank passwords
          PID:520
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
          4⤵
          PID:488
      • C:\Users\Admin\AppData\Roaming\Services\run.exe
        C:\Users\Admin\AppData\Roaming\Services\run.exe
        3⤵
        • Executes dropped EXE
        PID:1724
  • C:\Program Files\RMS\rutserg.exe
    "C:\Program Files\RMS\rutserg.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Program Files\RMS\rfusclient.exe
      "C:\Program Files\RMS\rfusclient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Program Files\RMS\rfusclient.exe
        "C:\Program Files\RMS\rfusclient.exe" /tray
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: SetClipboardViewer
        PID:1340
    • C:\Program Files\RMS\rfusclient.exe
      "C:\Program Files\RMS\rfusclient.exe" /tray
      2⤵
      • Executes dropped EXE
      PID:924
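The run.bat subtree is the part of this tree a responder most wants to recognise again in endpoint telemetry: four registry writes that turn Remote Desktop on, allow multiple sessions and blank-password network logon, followed by a firewall rule for TCP 3389. The following is an added example and is not part of the sandbox report or of RMS: a small Python classifier over (pid, image, command line) records of the kind Sysmon event 1 or an EDR would give you. The records are constructed by hand from the tree above, and the rule names, the tokeniser and the lookup table are my own.

```python
"""Flag RDP-enablement and RMS-install command lines (added example).

Input records are (pid, image path, command line).  SAMPLE is constructed
from the sandbox process tree; it is not a live log feed.
"""
import re
from dataclasses import dataclass

# A token is a run of quoted and unquoted segments; quotes are dropped.
# This approximates CommandLineToArgvW closely enough for reg/netsh/regedit.
_TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')


def argv(cmdline):
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


# Registry writes that open the host to remote logon.  Keys and value names
# are compared case-insensitively; HKEY_LOCAL_MACHINE is folded to HKLM.
TS = r"hklm\system\currentcontrolset\control\terminal server"
LSA = r"hklm\system\currentcontrolset\control\lsa"
REG_RULES = {
    (TS, "fdenytsconnections", "0"): "enables Remote Desktop connections",
    (TS, "fallowtogethelp", "1"): "enables Remote Assistance",
    (TS, "fsinglesessionperuser", "0"): "allows multiple concurrent RDP sessions per user",
    (LSA, "limitblankpassworduse", "0"): "allows network logon with blank passwords",
}


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def _norm_key(key):
    key = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", key, flags=re.I)
    return key.rstrip("\\").lower()


def _reg_add(args):
    """Return (key, value name, data) from the arguments after `reg add`."""
    key, name, data, i = args[0], "", None, 1
    while i < len(args):
        flag = args[i].lower()
        if flag in ("/v", "/d", "/t") and i + 1 < len(args):
            if flag == "/v":
                name = args[i + 1]
            elif flag == "/d":
                data = args[i + 1]
            i += 2
        else:
            i += 1
    return _norm_key(key), name.lower(), data


def classify(pid, image, cmdline):
    av = argv(cmdline)
    exe = image.rsplit("\\", 1)[-1].lower()
    rest = [a.lower() for a in av[1:]]
    out = []
    if exe == "reg.exe" and rest[:1] == ["add"] and len(av) > 2:
        desc = REG_RULES.get(_reg_add(av[2:]))
        if desc:
            out.append(Finding(pid, "registry_rdp_tamper", desc))
    elif exe == "netsh.exe" and rest[:4] == ["advfirewall", "firewall", "add", "rule"]:
        kv = {k.lower(): v for k, v in (a.split("=", 1) for a in av[5:] if "=" in a)}
        if kv.get("dir", "").lower() == "in" and kv.get("action", "").lower() == "allow":
            out.append(Finding(pid, "firewall_rule_added",
                               f"inbound {kv.get('protocol', '?')} port "
                               f"{kv.get('localport', '?')} allowed (rule {kv.get('name', '')!r})"))
    elif exe == "regedit.exe" and "/s" in rest:
        out.append(Finding(pid, "silent_reg_import", f"regedit /s {av[-1]}"))
    elif exe == "rutserg.exe" and rest:
        out.append(Finding(pid, "rms_host_setup", f"rutserg.exe {' '.join(rest)}"))
    elif exe == "cmd.exe" and any(a.endswith(".bat") and "\\appdata\\roaming\\" in a for a in rest):
        out.append(Finding(pid, "roaming_batch_exec", av[-1]))
    return out


def scan(records):
    return [f for pid, image, cmd in records for f in classify(pid, image, cmd)]


TSK = r'"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"'
SAMPLE = [  # constructed from the process tree above
    (336, r"C:\Windows\SysWOW64\regedit.exe", r'regedit /s "C:\Program Files\RMS\regedit.reg"'),
    (1064, r"C:\Program Files\RMS\rutserg.exe", r'"C:\Program Files\RMS\rutserg.exe" /silentinstall'),
    (1648, r"C:\Program Files\RMS\rutserg.exe", r'"C:\Program Files\RMS\rutserg.exe" /firewall'),
    (2012, r"C:\Windows\SysWOW64\regedit.exe", r'regedit /s "C:\Program Files\RMS\regedit.reg"'),
    (1184, r"C:\Program Files\RMS\rutserg.exe", r'"C:\Program Files\RMS\rutserg.exe" /start'),
    (2028, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Roaming\Services\run.bat"),
    (2040, r"C:\Windows\SysWOW64\reg.exe", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    (572, r"C:\Windows\SysWOW64\reg.exe", f"reg add {TSK} /v fAllowToGetHelp /t REG_DWORD /d 1 /f"),
    (108, r"C:\Windows\SysWOW64\reg.exe", f"reg add {TSK} /v fSingleSessionPerUser /t REG_DWORD /d 0 /f"),
    (520, r"C:\Windows\SysWOW64\reg.exe", r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v limitblankpassworduse /t REG_DWORD /d 0 /f'),
    (488, r"C:\Windows\SysWOW64\netsh.exe", r'netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow'),
    (1724, r"C:\Users\Admin\AppData\Roaming\Services\run.exe", r"C:\Users\Admin\AppData\Roaming\Services\run.exe"),
    (1336, r"C:\Program Files\RMS\rutserg.exe", r'"C:\Program Files\RMS\rutserg.exe"'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"PID {f.pid:<5} {f.rule:<22} {f.detail}")
```

The value in the registry rule is the data match, not just the value name: `fDenyTSConnections /d 1` is an administrator turning RDP off and produces no finding, while `/d 0` does. The same table can be reused against the live registry during triage; the four keys plus an inbound 3389 rule together are what make the host reachable after this sample runs.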

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/924-96-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1200-98-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1336-97-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1340-103-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

  • memory/1712-92-0x00000000022B0000-0x00000000025D6000-memory.dmp

    Filesize

    3.1MB

  • memory/1712-94-0x0000000000290000-0x0000000000296000-memory.dmp

    Filesize

    24KB

  • memory/1712-93-0x00000000003C0000-0x00000000003C3000-memory.dmp

    Filesize

    12KB

  • memory/1712-90-0x0000000000401000-0x0000000000742000-memory.dmp

    Filesize

    3.3MB

  • memory/1712-84-0x0000000000400000-0x0000000000933562-memory.dmp

    Filesize

    5.2MB

  • memory/1724-100-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1940-91-0x0000000000400000-0x0000000000DE7000-memory.dmp

    Filesize

    9.9MB

  • memory/1940-56-0x0000000000400000-0x0000000000DE7000-memory.dmp

    Filesize

    9.9MB

  • memory/1940-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

    Filesize

    8KB