rms | 6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7-en-20211208
submitted
13-02-2022 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe
Size

2.8MB
MD5

77fbf45826b6dccfcdd40eba740d4c16
SHA1

014ccf125bae774fc3f49798050f0d2672afa10b
SHA256

6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500
SHA512

aab791168304aca292e31ca82249444d95aeac87b8ed0e1861853debd1aba4a9145f3202db8a0e7d6f7002725ee32e236871dde5b30a52937d8fffd4a71e3edc

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 2 IoCs

pid	Process
1364	data.exe
1896	rutserv.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Loads dropped DLL 5 IoCs

pid	Process
1528	6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe
1528	6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe
1528	6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe
1208	cmd.exe
1208	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\4w5tb68h7t987093f4trq893f4rw89etw.txt	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1748	timeout.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1960	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1896	rutserv.exe
1896	rutserv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1896	rutserv.exe
Token: SeTcbPrivilege	1896	rutserv.exe
Token: SeTcbPrivilege	1896	rutserv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1896	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 1364	1528	6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe	27
PID 1528 wrote to memory of 1364	1528	6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe	27
PID 1528 wrote to memory of 1364	1528	6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe	27
PID 1528 wrote to memory of 1364	1528	6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe	27
PID 1528 wrote to memory of 1364	1528	6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe	27
PID 1528 wrote to memory of 1364	1528	6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe	27
PID 1528 wrote to memory of 1364	1528	6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe	27
PID 1364 wrote to memory of 884	1364	data.exe	28
PID 1364 wrote to memory of 884	1364	data.exe	28
PID 1364 wrote to memory of 884	1364	data.exe	28
PID 1364 wrote to memory of 884	1364	data.exe	28
PID 1364 wrote to memory of 884	1364	data.exe	28
PID 1364 wrote to memory of 884	1364	data.exe	28
PID 1364 wrote to memory of 884	1364	data.exe	28
PID 884 wrote to memory of 1136	884	WScript.exe	29
PID 884 wrote to memory of 1136	884	WScript.exe	29
PID 884 wrote to memory of 1136	884	WScript.exe	29
PID 884 wrote to memory of 1136	884	WScript.exe	29
PID 884 wrote to memory of 1136	884	WScript.exe	29
PID 884 wrote to memory of 1136	884	WScript.exe	29
PID 884 wrote to memory of 1136	884	WScript.exe	29
PID 884 wrote to memory of 704	884	WScript.exe	30
PID 884 wrote to memory of 704	884	WScript.exe	30
PID 884 wrote to memory of 704	884	WScript.exe	30
PID 884 wrote to memory of 704	884	WScript.exe	30
PID 884 wrote to memory of 704	884	WScript.exe	30
PID 884 wrote to memory of 704	884	WScript.exe	30
PID 884 wrote to memory of 704	884	WScript.exe	30
PID 884 wrote to memory of 1508	884	WScript.exe	31
PID 884 wrote to memory of 1508	884	WScript.exe	31
PID 884 wrote to memory of 1508	884	WScript.exe	31
PID 884 wrote to memory of 1508	884	WScript.exe	31
PID 884 wrote to memory of 1508	884	WScript.exe	31
PID 884 wrote to memory of 1508	884	WScript.exe	31
PID 884 wrote to memory of 1508	884	WScript.exe	31
PID 884 wrote to memory of 284	884	WScript.exe	32
PID 884 wrote to memory of 284	884	WScript.exe	32
PID 884 wrote to memory of 284	884	WScript.exe	32
PID 884 wrote to memory of 284	884	WScript.exe	32
PID 884 wrote to memory of 284	884	WScript.exe	32
PID 884 wrote to memory of 284	884	WScript.exe	32
PID 884 wrote to memory of 284	884	WScript.exe	32
PID 884 wrote to memory of 980	884	WScript.exe	33
PID 884 wrote to memory of 980	884	WScript.exe	33
PID 884 wrote to memory of 980	884	WScript.exe	33
PID 884 wrote to memory of 980	884	WScript.exe	33
PID 884 wrote to memory of 980	884	WScript.exe	33
PID 884 wrote to memory of 980	884	WScript.exe	33
PID 884 wrote to memory of 980	884	WScript.exe	33
PID 884 wrote to memory of 436	884	WScript.exe	34
PID 884 wrote to memory of 436	884	WScript.exe	34
PID 884 wrote to memory of 436	884	WScript.exe	34
PID 884 wrote to memory of 436	884	WScript.exe	34
PID 884 wrote to memory of 436	884	WScript.exe	34
PID 884 wrote to memory of 436	884	WScript.exe	34
PID 884 wrote to memory of 436	884	WScript.exe	34
PID 884 wrote to memory of 1544	884	WScript.exe	35
PID 884 wrote to memory of 1544	884	WScript.exe	35
PID 884 wrote to memory of 1544	884	WScript.exe	35
PID 884 wrote to memory of 1544	884	WScript.exe	35
PID 884 wrote to memory of 1544	884	WScript.exe	35
PID 884 wrote to memory of 1544	884	WScript.exe	35
PID 884 wrote to memory of 1544	884	WScript.exe	35
PID 1508 wrote to memory of 1208	1508	wscript.exe	36

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1976	attrib.exe
1708	attrib.exe
1564	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe
"C:\Users\Admin\AppData\Local\Temp\6016d62ee9ee6150f925bfa2369509d66f244c7912a9a3e0f44f15fd29054500.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe" -p284579G45398T745398T
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:1136
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:704
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Log\Windows\hiscomponent\install.bat" "
        5⤵
        Loads dropped DLL
        
        PID:1208
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Log"
        6⤵
        Views/modifies file attributes
        
        PID:1976
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        6⤵
        
        PID:1724
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f
        6⤵
        
        PID:2036
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f
        6⤵
        
        PID:1092
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "Windows\hiscomponent\regedit.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:1960
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:1748
      - C:\Folder768\rutserv.exe
        
        rutserv.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1896
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Folder768\*.*"
        6⤵
        Views/modifies file attributes
        
        PID:1708
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Folder768"
        6⤵
        Views/modifies file attributes
        
        PID:1564
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:284
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run
      4⤵
      PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1528-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1896-99-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1896-98-0x0000000000400000-0x0000000000A97000-memory.dmp

Filesize
6.6MB

Download
memory/1896-100-0x0000000000A96000-0x0000000000A97000-memory.dmp

Filesize
4KB

Download
memory/1896-101-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download