rms | 8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec

General

Target

8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Size

5.0MB
MD5

06f4968bbe4bc2595432073659abdb12
SHA1

89e4f5a320643818011c0c22017a866f6fe0198f
SHA256

8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec
SHA512

f15f337793f58ead1817c68d3cecf6189d6027773707a96733ab6c93591f9e286eac28274cba3ee8d86a2b6309ce5b479233fd4372b1c0ff8fb64307c3a8d9b9

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 7 IoCs

pid	Process
3448	Windows.exe
3864	Windows.exe
1796	Windows.exe
3244	Windows.exe
2192	Windowsx32.exe
3792	Windowsx32.exe
2436	Windowsx32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\RMS\settings.ini	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File created	C:\Program Files\RMS\Windowsx32.exe	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File created	C:\Program Files\RMS\vp8decoder.dll	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File opened for modification	C:\Program Files\RMS	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File opened for modification	C:\Program Files\RMS\settings.ini	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File opened for modification	C:\Program Files\RMS\Windows.exe	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File opened for modification	C:\Program Files\RMS\Windowsx32.exe	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File opened for modification	C:\Program Files\RMS\regedit.reg	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File opened for modification	C:\Program Files\RMS\vp8encoder.dll	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File created	C:\Program Files\RMS\Windows.exe	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File created	C:\Program Files\RMS\regedit.reg	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File created	C:\Program Files\RMS\vp8encoder.dll	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
File opened for modification	C:\Program Files\RMS\vp8decoder.dll	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4088	regedit.exe
1944	regedit.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3448	Windows.exe
3448	Windows.exe
3448	Windows.exe
3448	Windows.exe
3448	Windows.exe
3448	Windows.exe
3864	Windows.exe
3864	Windows.exe
1796	Windows.exe
1796	Windows.exe
3244	Windows.exe
3244	Windows.exe
3244	Windows.exe
3244	Windows.exe
3244	Windows.exe
3244	Windows.exe
2192	Windowsx32.exe
2192	Windowsx32.exe
2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
2192	Windowsx32.exe
2436	Windowsx32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Token: SeIncBasePriorityPrivilege	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Token: SeDebugPrivilege	3448	Windows.exe
Token: SeDebugPrivilege	1796	Windows.exe
Token: SeTakeOwnershipPrivilege	3244	Windows.exe
Token: SeTcbPrivilege	3244	Windows.exe
Token: SeTcbPrivilege	3244	Windows.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3448	Windows.exe
3864	Windows.exe
1796	Windows.exe
3244	Windows.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1944	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	55
PID 2784 wrote to memory of 1944	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	55
PID 2784 wrote to memory of 1944	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	55
PID 2784 wrote to memory of 3448	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	59
PID 2784 wrote to memory of 3448	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	59
PID 2784 wrote to memory of 3448	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	59
PID 2784 wrote to memory of 3864	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	61
PID 2784 wrote to memory of 3864	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	61
PID 2784 wrote to memory of 3864	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	61
PID 2784 wrote to memory of 4088	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	63
PID 2784 wrote to memory of 4088	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	63
PID 2784 wrote to memory of 4088	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	63
PID 2784 wrote to memory of 1796	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	64
PID 2784 wrote to memory of 1796	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	64
PID 2784 wrote to memory of 1796	2784	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe	64
PID 3244 wrote to memory of 2192	3244	Windows.exe	66
PID 3244 wrote to memory of 2192	3244	Windows.exe	66
PID 3244 wrote to memory of 2192	3244	Windows.exe	66
PID 3244 wrote to memory of 3792	3244	Windows.exe	67
PID 3244 wrote to memory of 3792	3244	Windows.exe	67
PID 3244 wrote to memory of 3792	3244	Windows.exe	67
PID 2192 wrote to memory of 2436	2192	Windowsx32.exe	70
PID 2192 wrote to memory of 2436	2192	Windowsx32.exe	70
PID 2192 wrote to memory of 2436	2192	Windowsx32.exe	70

System policy modification 1 TTPs 11 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe

C:\Users\Admin\AppData\Local\Temp\8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe
"C:\Users\Admin\AppData\Local\Temp\8f4a0a1c651b7e50efb2883b1f8392771b5c36553127b3a216ed3a483cef0dec.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2784
- C:\Windows\SysWOW64\regedit.exe
  regedit /s "C:\Program Files\RMS\regedit.reg"
  2⤵
  - Runs .reg file with regedit
  PID:1944
- C:\Program Files\RMS\Windows.exe
  "C:\Program Files\RMS\Windows.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3448
- C:\Program Files\RMS\Windows.exe
  "C:\Program Files\RMS\Windows.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3864
- C:\Windows\SysWOW64\regedit.exe
  regedit /s "C:\Program Files\RMS\regedit.reg"
  2⤵
  - Runs .reg file with regedit
  PID:4088
- C:\Program Files\RMS\Windows.exe
  "C:\Program Files\RMS\Windows.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1796

C:\Program Files\RMS\Windows.exe
"C:\Program Files\RMS\Windows.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Program Files\RMS\Windowsx32.exe
  "C:\Program Files\RMS\Windowsx32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Program Files\RMS\Windowsx32.exe
    "C:\Program Files\RMS\Windowsx32.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2436
- C:\Program Files\RMS\Windowsx32.exe
  "C:\Program Files\RMS\Windowsx32.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:3792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2192-148-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2192-149-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2784-130-0x0000000000400000-0x0000000000BF9000-memory.dmp

Filesize
8.0MB

Download
memory/2784-145-0x0000000000400000-0x0000000000BF9000-memory.dmp

Filesize
8.0MB

Download
memory/3244-147-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3448-137-0x0000000000400000-0x0000000000AA1000-memory.dmp

Filesize
6.6MB

Download
memory/3792-146-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing