rms | c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba

Analysis

max time kernel
157s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
11-03-2022 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe
Size

9.7MB
MD5

3274c8646fb85f70e22374e61804525f
SHA1

3c630d65bdf87dc8981b0900af3eeafd053c2240
SHA256

c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba
SHA512

ff86e11844547a047110f919062c9c72d79b441c4f7cdf96d92ca10c9afbd4ccb0e5f56067a506b62a1f1049660c2b7478770dac2c90b0e498669b683f13b279

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 9 IoCs

pid	Process
2532	install.sfx.exe
864	install.exe
3608	rutserv.exe
216	rutserv.exe
4296	rutserv.exe
4152	rutserv.exe
5096	rfusclient.exe
4288	rfusclient.exe
4320	rfusclient.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000400000001e7e3-138.dat	upx
behavioral2/files/0x000400000001e7e4-139.dat	upx
behavioral2/files/0x000300000001e7eb-142.dat	upx
behavioral2/files/0x000800000001e800-143.dat	upx
behavioral2/files/0x000800000001e800-146.dat	upx
behavioral2/files/0x000800000001e800-147.dat	upx
behavioral2/files/0x000800000001e800-148.dat	upx
behavioral2/files/0x000800000001e800-149.dat	upx
behavioral2/files/0x000300000001e7eb-153.dat	upx
behavioral2/files/0x000300000001e7eb-152.dat	upx
behavioral2/files/0x000300000001e7eb-161.dat	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	install.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows\install.sfx.exe	c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe
File opened for modification	C:\Program Files\Server\rfusclient.exe	cmd.exe
File opened for modification	C:\Program Files\Server\rutserv.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows	c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe
File created	C:\Program Files\Server\rfusclient.exe	cmd.exe
File opened for modification	C:\Program Files\Server\vp8decoder.dll	cmd.exe
File opened for modification	C:\Program Files\Server\vp8decoder.dll	attrib.exe
File opened for modification	C:\Program Files\Server\vp8encoder.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows\run.bat	c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe
File opened for modification	C:\Program Files (x86)\Windows\install.sfx.exe	c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe
File opened for modification	C:\Program Files\Server\rutserv.pdb	rutserv.exe
File created	C:\Program Files (x86)\Windows\__tmp_rar_sfx_access_check_30258218	c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe
File created	C:\Program Files (x86)\Windows\run.bat	c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe
File created	C:\Program Files\Server\rutserv.exe	cmd.exe
File opened for modification	C:\Program Files\Server\rutserv.exe	cmd.exe
File created	C:\Program Files\Server\vp8decoder.dll	cmd.exe
File created	C:\Program Files\Server\vp8encoder.dll	cmd.exe
File opened for modification	C:\Program Files\Server\vp8encoder.dll	cmd.exe
File opened for modification	C:\Program Files\Server\rfusclient.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
3584	timeout.exe
3452	timeout.exe
2784	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3232	taskkill.exe
2264	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	install.exe

Runs .reg file with regedit 1 IoCs

pid	Process
5084	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3608	rutserv.exe
3608	rutserv.exe
3608	rutserv.exe
3608	rutserv.exe
3608	rutserv.exe
3608	rutserv.exe
216	rutserv.exe
216	rutserv.exe
4296	rutserv.exe
4296	rutserv.exe
4152	rutserv.exe
4152	rutserv.exe
4152	rutserv.exe
4152	rutserv.exe
4152	rutserv.exe
4152	rutserv.exe
5096	rfusclient.exe
5096	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4320	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	3232	taskkill.exe
Token: SeDebugPrivilege	3608	rutserv.exe
Token: SeDebugPrivilege	4296	rutserv.exe
Token: SeTakeOwnershipPrivilege	4152	rutserv.exe
Token: SeTcbPrivilege	4152	rutserv.exe
Token: SeTcbPrivilege	4152	rutserv.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
864	install.exe
3608	rutserv.exe
216	rutserv.exe
4296	rutserv.exe
4152	rutserv.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1760	2816	c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe	79
PID 2816 wrote to memory of 1760	2816	c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe	79
PID 2816 wrote to memory of 1760	2816	c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe	79
PID 1760 wrote to memory of 2532	1760	cmd.exe	82
PID 1760 wrote to memory of 2532	1760	cmd.exe	82
PID 1760 wrote to memory of 2532	1760	cmd.exe	82
PID 2532 wrote to memory of 864	2532	install.sfx.exe	83
PID 2532 wrote to memory of 864	2532	install.sfx.exe	83
PID 2532 wrote to memory of 864	2532	install.sfx.exe	83
PID 864 wrote to memory of 2952	864	install.exe	84
PID 864 wrote to memory of 2952	864	install.exe	84
PID 864 wrote to memory of 2952	864	install.exe	84
PID 2952 wrote to memory of 1840	2952	WScript.exe	85
PID 2952 wrote to memory of 1840	2952	WScript.exe	85
PID 2952 wrote to memory of 1840	2952	WScript.exe	85
PID 1840 wrote to memory of 2264	1840	cmd.exe	87
PID 1840 wrote to memory of 2264	1840	cmd.exe	87
PID 1840 wrote to memory of 2264	1840	cmd.exe	87
PID 1840 wrote to memory of 3232	1840	cmd.exe	89
PID 1840 wrote to memory of 3232	1840	cmd.exe	89
PID 1840 wrote to memory of 3232	1840	cmd.exe	89
PID 1840 wrote to memory of 3112	1840	cmd.exe	90
PID 1840 wrote to memory of 3112	1840	cmd.exe	90
PID 1840 wrote to memory of 3112	1840	cmd.exe	90
PID 1840 wrote to memory of 5084	1840	cmd.exe	91
PID 1840 wrote to memory of 5084	1840	cmd.exe	91
PID 1840 wrote to memory of 5084	1840	cmd.exe	91
PID 1840 wrote to memory of 3584	1840	cmd.exe	92
PID 1840 wrote to memory of 3584	1840	cmd.exe	92
PID 1840 wrote to memory of 3584	1840	cmd.exe	92
PID 1840 wrote to memory of 3452	1840	cmd.exe	93
PID 1840 wrote to memory of 3452	1840	cmd.exe	93
PID 1840 wrote to memory of 3452	1840	cmd.exe	93
PID 1840 wrote to memory of 4184	1840	cmd.exe	95
PID 1840 wrote to memory of 4184	1840	cmd.exe	95
PID 1840 wrote to memory of 4184	1840	cmd.exe	95
PID 1840 wrote to memory of 3608	1840	cmd.exe	96
PID 1840 wrote to memory of 3608	1840	cmd.exe	96
PID 1840 wrote to memory of 3608	1840	cmd.exe	96
PID 1840 wrote to memory of 216	1840	cmd.exe	97
PID 1840 wrote to memory of 216	1840	cmd.exe	97
PID 1840 wrote to memory of 216	1840	cmd.exe	97
PID 1840 wrote to memory of 4296	1840	cmd.exe	98
PID 1840 wrote to memory of 4296	1840	cmd.exe	98
PID 1840 wrote to memory of 4296	1840	cmd.exe	98
PID 4152 wrote to memory of 4288	4152	rutserv.exe	100
PID 4152 wrote to memory of 4288	4152	rutserv.exe	100
PID 4152 wrote to memory of 4288	4152	rutserv.exe	100
PID 4152 wrote to memory of 5096	4152	rutserv.exe	101
PID 4152 wrote to memory of 5096	4152	rutserv.exe	101
PID 4152 wrote to memory of 5096	4152	rutserv.exe	101
PID 1840 wrote to memory of 2784	1840	cmd.exe	102
PID 1840 wrote to memory of 2784	1840	cmd.exe	102
PID 1840 wrote to memory of 2784	1840	cmd.exe	102
PID 5096 wrote to memory of 4320	5096	rfusclient.exe	108
PID 5096 wrote to memory of 4320	5096	rfusclient.exe	108
PID 5096 wrote to memory of 4320	5096	rfusclient.exe	108

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4184	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe
"C:\Users\Admin\AppData\Local\Temp\c0fe78cf0f184149f48658b4d0e82cbad6204ec03785c39716750cf45bcf30ba.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Windows\run.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Program Files (x86)\Windows\install.sfx.exe
    install.sfx.exe -p666666 -dc:/Program Files (x86)/Windows
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Program\install.exe
      "C:\Program\install.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Hex\install.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Hex\install.bat" "
        6⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        7⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "regedit.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5084
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:3584
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\Server\*.*"
        7⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4184
        
        C:\Program Files\Server\rutserv.exe
        
        rutserv.exe /silentinstall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3608
        
        C:\Program Files\Server\rutserv.exe
        
        rutserv.exe /firewall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:216
        
        C:\Program Files\Server\rutserv.exe
        
        rutserv.exe /start
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4296
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2784

C:\Program Files\Server\rutserv.exe
"C:\Program Files\Server\rutserv.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Program Files\Server\rfusclient.exe
  "C:\Program Files\Server\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Program Files\Server\rfusclient.exe
  "C:\Program Files\Server\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Program Files\Server\rfusclient.exe
    "C:\Program Files\Server\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4152-151-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/4288-155-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/4296-150-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/5096-154-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download