Overview

overview

10

Static

static

8

04c8196c86...28.exe

windows7_x64

10

04c8196c86...28.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    14-03-2022 19:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04c8196c86c206783bdb7ab846534328.exe

  • Size

    15.1MB

  • MD5

    04c8196c86c206783bdb7ab846534328

  • SHA1

    949bbc7eb298f29fc39beb5297fde49ab9175950

  • SHA256

    d33b0bce0ea5e62ba7480d8e150e021bf9151f5308400dac01a133fa4a94cbba

  • SHA512

    e4968310b99251e509d367d0e25f642c957de523b4635165f0e4d01fc8c849c8724d1f78f6b329f12d66f54618e693d4992fd24c9773348ae27aac4b9ea8e580

Score
10/10
rmsrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04c8196c86c206783bdb7ab846534328.exe
    "C:\Users\Admin\AppData\Local\Temp\04c8196c86c206783bdb7ab846534328.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rfusclient.exe
      "C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rfusclient.exe" -run_agent
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rutserv.exe
        "C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rutserv.exe" -run_agent
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1056
        • C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rutserv.exe
          "C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rutserv.exe" -run_agent -second
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1784
          • C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rfusclient.exe
            "C:\Users\Admin\AppData\Roaming\RMS Agent\70001\4F2A842DE2\rfusclient.exe" /tray /user
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:3696
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:720

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/744-130-0x0000000002590000-0x0000000002591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1056-142-0x0000000004E90000-0x0000000004E91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1056-141-0x0000000003800000-0x0000000003801000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1056-136-0x0000000001D90000-0x0000000001D91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1316-134-0x00000000047E0000-0x00000000047E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-166-0x00000000060E0000-0x00000000060E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-167-0x0000000006230000-0x0000000006231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-157-0x0000000005120000-0x0000000005121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-156-0x0000000005080000-0x0000000005081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-162-0x0000000005180000-0x0000000005181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-163-0x00000000058A0000-0x00000000058A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-164-0x00000000058B0000-0x00000000058B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-146-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-165-0x00000000058C0000-0x00000000058C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-158-0x0000000005150000-0x0000000005151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-175-0x00000000086D0000-0x00000000086D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-174-0x0000000008700000-0x0000000008701000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-173-0x00000000050B0000-0x00000000050B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1784-172-0x00000000050A0000-0x00000000050A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3696-171-0x0000000004D60000-0x0000000004D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3696-170-0x00000000047C0000-0x00000000047C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3696-169-0x00000000047A0000-0x00000000047A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3696-168-0x0000000001470000-0x0000000001471000-memory.dmp

    Filesize

    4KB

    Download