rms | d33b0bce0ea5e62ba7480d8e150e021bf9151f5308400dac01a133fa4a94cbba

General

Target

04c8196c86c206783bdb7ab846534328.exe
Size

15.1MB
MD5

04c8196c86c206783bdb7ab846534328
SHA1

949bbc7eb298f29fc39beb5297fde49ab9175950
SHA256

d33b0bce0ea5e62ba7480d8e150e021bf9151f5308400dac01a133fa4a94cbba
SHA512

e4968310b99251e509d367d0e25f642c957de523b4635165f0e4d01fc8c849c8724d1f78f6b329f12d66f54618e693d4992fd24c9773348ae27aac4b9ea8e580

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 4 IoCs

pid	Process
1620	rfusclient.exe
1952	rutserv.exe
992	rutserv.exe
1120	rfusclient.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Control Panel\International\Geo\Nation	rutserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Loads dropped DLL 9 IoCs

pid	Process
536	04c8196c86c206783bdb7ab846534328.exe
1620	rfusclient.exe
1620	rfusclient.exe
1620	rfusclient.exe
1620	rfusclient.exe
1952	rutserv.exe
1952	rutserv.exe
992	rutserv.exe
992	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1620	rfusclient.exe
1620	rfusclient.exe
1952	rutserv.exe
1952	rutserv.exe
1952	rutserv.exe
1952	rutserv.exe
1952	rutserv.exe
1952	rutserv.exe
992	rutserv.exe
992	rutserv.exe
992	rutserv.exe
992	rutserv.exe
992	rutserv.exe
992	rutserv.exe
1120	rfusclient.exe
1120	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	rutserv.exe
Token: SeTakeOwnershipPrivilege	992	rutserv.exe
Token: SeTcbPrivilege	992	rutserv.exe
Token: SeTcbPrivilege	992	rutserv.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1120	rfusclient.exe
1120	rfusclient.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1120	rfusclient.exe
1120	rfusclient.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1952	rutserv.exe
1952	rutserv.exe
1952	rutserv.exe
1952	rutserv.exe
992	rutserv.exe
992	rutserv.exe
992	rutserv.exe
992	rutserv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1620	536	04c8196c86c206783bdb7ab846534328.exe	29
PID 536 wrote to memory of 1620	536	04c8196c86c206783bdb7ab846534328.exe	29
PID 536 wrote to memory of 1620	536	04c8196c86c206783bdb7ab846534328.exe	29
PID 536 wrote to memory of 1620	536	04c8196c86c206783bdb7ab846534328.exe	29
PID 1620 wrote to memory of 1952	1620	rfusclient.exe	30
PID 1620 wrote to memory of 1952	1620	rfusclient.exe	30
PID 1620 wrote to memory of 1952	1620	rfusclient.exe	30
PID 1620 wrote to memory of 1952	1620	rfusclient.exe	30
PID 992 wrote to memory of 1120	992	rutserv.exe	32
PID 992 wrote to memory of 1120	992	rutserv.exe	32
PID 992 wrote to memory of 1120	992	rutserv.exe	32
PID 992 wrote to memory of 1120	992	rutserv.exe	32

C:\Users\Admin\AppData\Local\Temp\04c8196c86c206783bdb7ab846534328.exe
"C:\Users\Admin\AppData\Local\Temp\04c8196c86c206783bdb7ab846534328.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rfusclient.exe
  "C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rfusclient.exe" -run_agent
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rutserv.exe
    "C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rutserv.exe" -run_agent
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1952
  - - C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rutserv.exe
      "C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rutserv.exe" -run_agent -second
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rfusclient.exe
        
        "C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rfusclient.exe" /tray /user
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/536-55-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/992-106-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/992-96-0x0000000005C00000-0x0000000005C11000-memory.dmp

Filesize
68KB

Download
memory/992-89-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/992-90-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/992-91-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/992-109-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/992-97-0x0000000005AF0000-0x0000000005C00000-memory.dmp

Filesize
1.1MB

Download
memory/992-108-0x0000000006030000-0x0000000006031000-memory.dmp

Filesize
4KB

Download
memory/992-98-0x0000000005AF0000-0x0000000005C00000-memory.dmp

Filesize
1.1MB

Download
memory/992-79-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/992-99-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/992-95-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/992-94-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/992-101-0x0000000005AF0000-0x0000000005C00000-memory.dmp

Filesize
1.1MB

Download
memory/992-107-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/1120-100-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1120-103-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/1120-104-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/1120-110-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1620-60-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1952-68-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1952-73-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/1952-74-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing