Overview

overview

10

Static

static

4c9f119fa1...27.exe

windows7_x64

10

4c9f119fa1...27.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294211s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    10-03-2022 19:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe

  • Size

    4.6MB

  • MD5

    db463e26728b4396feb9145ef2de758d

  • SHA1

    e10a452585645cde52d8e20db93dfa935290f28d

  • SHA256

    4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427

  • SHA512

    e8d9afc3cc3d3a43d35eda30f761e9bb2ceedc2a1f9edcd0b7f8631313129f2d730deb9bcdbed9d881da3c6c41c52cdcba9a721fbd05d4b4266fb3bdfce2e309

Score
10/10
rmsdiscoveryevasionrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Executes dropped EXE 7 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
    evasion
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
    "C:\Users\Admin\AppData\Local\Temp\4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\Company\NewProduct\install.bat" "
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 4t4t5
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:272
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im g4rgt
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
      • C:\Windows\SysWOW64\reg.exe
        reg delete "70t9j" /f
        3⤵
          PID:1940
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s "regedit.reg"
          3⤵
          • Runs .reg file with regedit
          PID:1924
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h "C:\Program Files\rtsd\*.*"
          3⤵
          • Drops file in Program Files directory
          • Views/modifies file attributes
          PID:1020
        • C:\Program Files\rtsd\rutserv.exe
          rutserv.exe /silentinstall
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1664
        • C:\Program Files\rtsd\rutserv.exe
          rutserv.exe /firewall
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1064
        • C:\Program Files\rtsd\rutserv.exe
          rutserv.exe /start
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1980
    • C:\Program Files\rtsd\rutserv.exe
      "C:\Program Files\rtsd\rutserv.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Program Files\rtsd\rfusclient.exe
        "C:\Program Files\rtsd\rfusclient.exe" /tray
        2⤵
        • Executes dropped EXE
        PID:1376
      • C:\Program Files\rtsd\rfusclient.exe
        "C:\Program Files\rtsd\rfusclient.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Program Files\rtsd\rfusclient.exe
          "C:\Program Files\rtsd\rfusclient.exe" /tray
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: SetClipboardViewer
          PID:528

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/528-88-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1376-85-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-84-0x00000000001C0000-0x00000000001C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1664-69-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1792-54-0x00000000752A1000-0x00000000752A3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1980-76-0x0000000000250000-0x0000000000251000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2000-77-0x00000000003B0000-0x00000000003B1000-memory.dmp

      Filesize

      4KB

      Download