rms | 09fedab0a9fa3fb1df61aa984c9891261b9e15c4ad7bea3de045711f7b081230

Analysis

max time kernel
165s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
13-02-2022 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09fedab0a9fa3fb1df61aa984c9891261b9e15c4ad7bea3de045711f7b081230.exe
Size

10.2MB
MD5

febef1b6e8b7bf8579dacaa6798f73fe
SHA1

012e2cfd33f6d43c427d005201488f2a02a078aa
SHA256

09fedab0a9fa3fb1df61aa984c9891261b9e15c4ad7bea3de045711f7b081230
SHA512

09fb12a8769ba8789d0472933f0aa33c0f44453809bfe3793bd20a9901bf91fbd0d087efb0802beac18d25b14e1245c2ceefeecbc12f805cf44be947f25e12cc

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
2300	rutserv.exe
376	rutserv.exe
2996	rutserv.exe
3124	rutserv.exe
3132	rfusclient.exe
4808	rfusclient.exe
4136	rfusclient.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	09fedab0a9fa3fb1df61aa984c9891261b9e15c4ad7bea3de045711f7b081230.exe

Loads dropped DLL 14 IoCs

pid	Process
2300	rutserv.exe
2300	rutserv.exe
376	rutserv.exe
376	rutserv.exe
2996	rutserv.exe
2996	rutserv.exe
3124	rutserv.exe
3124	rutserv.exe
3132	rfusclient.exe
3132	rfusclient.exe
4808	rfusclient.exe
4808	rfusclient.exe
4136	rfusclient.exe
4136	rfusclient.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rfusclient.exe	cmd.exe
File created	C:\Windows\SysWOW64\dsfOggMux.dll	cmd.exe
File created	C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest	cmd.exe
File created	C:\Windows\SysWOW64\msvcp80.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\msvcp80.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\HookDrv.dll	cmd.exe
File created	C:\Windows\SysWOW64\rversionlib.dll	cmd.exe
File created	C:\Windows\SysWOW64\dsfTheoraEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dsfTheoraEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dsfVorbisEncoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\HookDrv.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.exe	cmd.exe
File created	C:\Windows\SysWOW64\dsfVorbisEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest	cmd.exe
File created	C:\Windows\SysWOW64\rfusclient.exe	cmd.exe
File created	C:\Windows\SysWOW64\rutserv.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dsfOggMux.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\rversionlib.dll	cmd.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
648	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3124	rutserv.exe
3124	rutserv.exe
3124	rutserv.exe
3124	rutserv.exe
3132	rfusclient.exe
3132	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	rutserv.exe
Token: SeDebugPrivilege	2996	rutserv.exe
Token: SeTakeOwnershipPrivilege	3124	rutserv.exe
Token: SeTcbPrivilege	3124	rutserv.exe
Token: SeShutdownPrivilege	4192	svchost.exe
Token: SeCreatePagefilePrivilege	4192	svchost.exe
Token: SeShutdownPrivilege	4192	svchost.exe
Token: SeCreatePagefilePrivilege	4192	svchost.exe
Token: SeShutdownPrivilege	4192	svchost.exe
Token: SeCreatePagefilePrivilege	4192	svchost.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe
Token: SeBackupPrivilege	4248	TiWorker.exe
Token: SeRestorePrivilege	4248	TiWorker.exe
Token: SeSecurityPrivilege	4248	TiWorker.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 1412	4668	09fedab0a9fa3fb1df61aa984c9891261b9e15c4ad7bea3de045711f7b081230.exe	81
PID 4668 wrote to memory of 1412	4668	09fedab0a9fa3fb1df61aa984c9891261b9e15c4ad7bea3de045711f7b081230.exe	81
PID 4668 wrote to memory of 1412	4668	09fedab0a9fa3fb1df61aa984c9891261b9e15c4ad7bea3de045711f7b081230.exe	81
PID 1412 wrote to memory of 4860	1412	cmd.exe	84
PID 1412 wrote to memory of 4860	1412	cmd.exe	84
PID 1412 wrote to memory of 4860	1412	cmd.exe	84
PID 1412 wrote to memory of 2300	1412	cmd.exe	85
PID 1412 wrote to memory of 2300	1412	cmd.exe	85
PID 1412 wrote to memory of 2300	1412	cmd.exe	85
PID 1412 wrote to memory of 376	1412	cmd.exe	87
PID 1412 wrote to memory of 376	1412	cmd.exe	87
PID 1412 wrote to memory of 376	1412	cmd.exe	87
PID 1412 wrote to memory of 648	1412	cmd.exe	88
PID 1412 wrote to memory of 648	1412	cmd.exe	88
PID 1412 wrote to memory of 648	1412	cmd.exe	88
PID 1412 wrote to memory of 2996	1412	cmd.exe	89
PID 1412 wrote to memory of 2996	1412	cmd.exe	89
PID 1412 wrote to memory of 2996	1412	cmd.exe	89
PID 3124 wrote to memory of 3132	3124	rutserv.exe	92
PID 3124 wrote to memory of 3132	3124	rutserv.exe	92
PID 3124 wrote to memory of 3132	3124	rutserv.exe	92
PID 3124 wrote to memory of 4808	3124	rutserv.exe	93
PID 3124 wrote to memory of 4808	3124	rutserv.exe	93
PID 3124 wrote to memory of 4808	3124	rutserv.exe	93
PID 3132 wrote to memory of 4136	3132	rfusclient.exe	102
PID 3132 wrote to memory of 4136	3132	rfusclient.exe	102
PID 3132 wrote to memory of 4136	3132	rfusclient.exe	102

C:\Users\Admin\AppData\Local\Temp\09fedab0a9fa3fb1df61aa984c9891261b9e15c4ad7bea3de045711f7b081230.exe
"C:\Users\Admin\AppData\Local\Temp\09fedab0a9fa3fb1df61aa984c9891261b9e15c4ad7bea3de045711f7b081230.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8DE5.tmp\Install.bat" "
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /silentinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /firewall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:376
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "settings.reg"
    3⤵
    - Runs .reg file with regedit
    PID:648
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

C:\Windows\SysWOW64\rutserv.exe
C:\Windows\SysWOW64\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\SysWOW64\rfusclient.exe
  C:\Windows\SysWOW64\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\SysWOW64\rfusclient.exe
    C:\Windows\SysWOW64\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4136
- C:\Windows\SysWOW64\rfusclient.exe
  C:\Windows\SysWOW64\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/376-150-0x00000000007E0000-0x0000000000835000-memory.dmp

Filesize
340KB

Download
memory/2300-146-0x0000000000930000-0x0000000000985000-memory.dmp

Filesize
340KB

Download
memory/2996-155-0x00000000008F0000-0x0000000000945000-memory.dmp

Filesize
340KB

Download
memory/2996-160-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/3124-161-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/3124-159-0x00000000008E0000-0x0000000000935000-memory.dmp

Filesize
340KB

Download
memory/3132-172-0x0000000000BC0000-0x0000000000C15000-memory.dmp

Filesize
340KB

Download
memory/3132-176-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4136-184-0x00000000007B0000-0x0000000000805000-memory.dmp

Filesize
340KB

Download
memory/4136-185-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4192-178-0x000001C64C520000-0x000001C64C530000-memory.dmp

Filesize
64KB

Download
memory/4192-179-0x000001C64C580000-0x000001C64C590000-memory.dmp

Filesize
64KB

Download
memory/4192-180-0x000001C64EC50000-0x000001C64EC54000-memory.dmp

Filesize
16KB

Download
memory/4808-177-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4808-175-0x0000000000980000-0x00000000009D5000-memory.dmp

Filesize
340KB

Download