rms | 4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10-03-2022 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
Size

4.6MB
MD5

db463e26728b4396feb9145ef2de758d
SHA1

e10a452585645cde52d8e20db93dfa935290f28d
SHA256

4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427
SHA512

e8d9afc3cc3d3a43d35eda30f761e9bb2ceedc2a1f9edcd0b7f8631313129f2d730deb9bcdbed9d881da3c6c41c52cdcba9a721fbd05d4b4266fb3bdfce2e309

Score

10^/10

rms discovery evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
1632	rutserv.exe
732	rutserv.exe
440	rutserv.exe
1140	rutserv.exe
444	rfusclient.exe
1324	rfusclient.exe
2936	rfusclient.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000001e78d-135.dat	upx
behavioral2/files/0x000500000001e783-136.dat	upx
behavioral2/files/0x000400000001e794-140.dat	upx
behavioral2/files/0x000500000001e787-139.dat	upx
behavioral2/files/0x000400000001e794-143.dat	upx
behavioral2/files/0x000400000001e794-144.dat	upx
behavioral2/files/0x000400000001e794-145.dat	upx
behavioral2/files/0x000400000001e794-146.dat	upx
behavioral2/files/0x000500000001e787-149.dat	upx
behavioral2/files/0x000500000001e787-148.dat	upx
behavioral2/files/0x000500000001e787-153.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
File created	C:\Program Files\rtsd\rfusclient.exe	cmd.exe
File opened for modification	C:\Program Files\rtsd\rfusclient.exe	cmd.exe
File created	C:\Program Files\rtsd\vp8decoder.dll	cmd.exe
File opened for modification	C:\Program Files\rtsd\vp8encoder.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\vp8encoder.dll	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\vp8decoder.dll	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\13213.exe	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
File opened for modification	C:\Program Files\rtsd\rfusclient.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\install.bat	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\gabe.jpg	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
File opened for modification	C:\Program Files\rtsd\rutserv.exe	cmd.exe
File opened for modification	C:\Program Files\rtsd\vp8decoder.dll	cmd.exe
File created	C:\Program Files\rtsd\vp8encoder.dll	cmd.exe
File opened for modification	C:\Program Files\rtsd\vp8decoder.dll	attrib.exe
File opened for modification	C:\Program Files\rtsd\vp8encoder.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rfusclient.exe	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rutserv.exe	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
File created	C:\Program Files\rtsd\rutserv.exe	cmd.exe
File opened for modification	C:\Program Files\rtsd\rutserv.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\regedit.reg	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
3456	taskkill.exe
1576	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3348	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1632	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
732	rutserv.exe
732	rutserv.exe
440	rutserv.exe
440	rutserv.exe
1140	rutserv.exe
1140	rutserv.exe
1140	rutserv.exe
1140	rutserv.exe
1140	rutserv.exe
1140	rutserv.exe
444	rfusclient.exe
444	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2936	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1632	rutserv.exe
Token: SeDebugPrivilege	440	rutserv.exe
Token: SeTakeOwnershipPrivilege	1140	rutserv.exe
Token: SeTcbPrivilege	1140	rutserv.exe
Token: SeTcbPrivilege	1140	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1632	rutserv.exe
732	rutserv.exe
440	rutserv.exe
1140	rutserv.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 2176	4028	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe	79
PID 4028 wrote to memory of 2176	4028	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe	79
PID 4028 wrote to memory of 2176	4028	4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe	79
PID 2176 wrote to memory of 3456	2176	cmd.exe	81
PID 2176 wrote to memory of 3456	2176	cmd.exe	81
PID 2176 wrote to memory of 3456	2176	cmd.exe	81
PID 2176 wrote to memory of 1576	2176	cmd.exe	83
PID 2176 wrote to memory of 1576	2176	cmd.exe	83
PID 2176 wrote to memory of 1576	2176	cmd.exe	83
PID 2176 wrote to memory of 4040	2176	cmd.exe	85
PID 2176 wrote to memory of 4040	2176	cmd.exe	85
PID 2176 wrote to memory of 4040	2176	cmd.exe	85
PID 2176 wrote to memory of 3348	2176	cmd.exe	86
PID 2176 wrote to memory of 3348	2176	cmd.exe	86
PID 2176 wrote to memory of 3348	2176	cmd.exe	86
PID 2176 wrote to memory of 3296	2176	cmd.exe	87
PID 2176 wrote to memory of 3296	2176	cmd.exe	87
PID 2176 wrote to memory of 3296	2176	cmd.exe	87
PID 2176 wrote to memory of 1632	2176	cmd.exe	88
PID 2176 wrote to memory of 1632	2176	cmd.exe	88
PID 2176 wrote to memory of 1632	2176	cmd.exe	88
PID 2176 wrote to memory of 732	2176	cmd.exe	89
PID 2176 wrote to memory of 732	2176	cmd.exe	89
PID 2176 wrote to memory of 732	2176	cmd.exe	89
PID 2176 wrote to memory of 440	2176	cmd.exe	90
PID 2176 wrote to memory of 440	2176	cmd.exe	90
PID 2176 wrote to memory of 440	2176	cmd.exe	90
PID 1140 wrote to memory of 444	1140	rutserv.exe	93
PID 1140 wrote to memory of 444	1140	rutserv.exe	93
PID 1140 wrote to memory of 444	1140	rutserv.exe	93
PID 1140 wrote to memory of 1324	1140	rutserv.exe	92
PID 1140 wrote to memory of 1324	1140	rutserv.exe	92
PID 1140 wrote to memory of 1324	1140	rutserv.exe	92
PID 444 wrote to memory of 2936	444	rfusclient.exe	96
PID 444 wrote to memory of 2936	444	rfusclient.exe	96
PID 444 wrote to memory of 2936	444	rfusclient.exe	96

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3296	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe
"C:\Users\Admin\AppData\Local\Temp\4c9f119fa1e021e2a60d2716ca8ebd4c196e8b30e895b1199cf59be5e6004427.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Company\NewProduct\install.bat" "
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 4t4t5
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im g4rgt
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    reg delete "70t9j" /f
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3348
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Program Files\rtsd\*.*"
    3⤵
    - Drops file in Program Files directory
    - Views/modifies file attributes
    PID:3296
- - C:\Program Files\rtsd\rutserv.exe
    rutserv.exe /silentinstall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1632
- - C:\Program Files\rtsd\rutserv.exe
    rutserv.exe /firewall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:732
- - C:\Program Files\rtsd\rutserv.exe
    rutserv.exe /start
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:440

C:\Program Files\rtsd\rutserv.exe
"C:\Program Files\rtsd\rutserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Program Files\rtsd\rfusclient.exe
  "C:\Program Files\rtsd\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Program Files\rtsd\rfusclient.exe
  "C:\Program Files\rtsd\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Program Files\rtsd\rfusclient.exe
    "C:\Program Files\rtsd\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/440-147-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/444-151-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1140-150-0x0000000000F50000-0x0000000000FB3000-memory.dmp

Filesize
396KB

Download
memory/1324-152-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/2936-154-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download