Overview

overview

10

Static

static

8

install.bat

windows7_x64

10

install.bat

windows10-2004_x64

10

install.vbs

windows7_x64

10

install.vbs

windows10-2004_x64

10

mailsend.exe

windows7_x64

1

mailsend.exe

windows10-2004_x64

1

rfusclient.exe

windows7_x64

1

rfusclient.exe

windows10-2004_x64

1

rutserv.exe

windows7_x64

10

rutserv.exe

windows10-2004_x64

10

vp8decoder.dll

windows7_x64

1

vp8decoder.dll

windows10-2004_x64

1

vp8encoder.dll

windows7_x64

1

vp8encoder.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    160s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    17-03-2022 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    install.vbs

  • Size

    120B

  • MD5

    c719a030434d3fa96d62868f27e904a6

  • SHA1

    f2f750a752dd1fda8915a47b082af7cf2d3e3655

  • SHA256

    2696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f

  • SHA512

    47a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0

Score
10/10
rmsevasionrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Modifies data under HKEY_USERS 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Windows\system32\attrib.exe
        attrib "C:\Program Files (x86)\System" +H +S /S /D
        3⤵
        • Drops file in Program Files directory
        • Views/modifies file attributes
        PID:3424
      • C:\Windows\system32\attrib.exe
        attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D
        3⤵
        • Views/modifies file attributes
        PID:3680
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im rutserv.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3564
      • C:\Windows\system32\taskkill.exe
        Taskkill /f /im rutserv.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4316
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im rfusclient.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4216
      • C:\Windows\system32\taskkill.exe
        Taskkill /f /im rfusclient.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4960
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        3⤵
          PID:4664
        • C:\Windows\regedit.exe
          regedit /s "regedit.reg"
          3⤵
          • Runs .reg file with regedit
          PID:4620
        • C:\Windows\system32\timeout.exe
          timeout 2
          3⤵
          • Delays execution with timeout.exe
          PID:4680
        • C:\Users\Admin\AppData\Local\Temp\rutserv.exe
          rutserv.exe /silentinstall
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4236
        • C:\Users\Admin\AppData\Local\Temp\rutserv.exe
          rutserv.exe /firewall
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:5116
        • C:\Users\Admin\AppData\Local\Temp\rutserv.exe
          rutserv.exe /start
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2028
        • C:\Windows\system32\sc.exe
          sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
          3⤵
            PID:4436
          • C:\Windows\system32\sc.exe
            sc config RManService obj= LocalSystem type= interact type= own
            3⤵
              PID:1656
            • C:\Windows\system32\sc.exe
              sc config RManService DisplayName= "Windows_Defender v6.3"
              3⤵
                PID:2208
              • C:\Windows\system32\timeout.exe
                timeout 120
                3⤵
                • Delays execution with timeout.exe
                PID:2236
              • C:\Windows\system32\reg.exe
                reg export "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4" "id.txt"
                3⤵
                  PID:3728
                • C:\Windows\system32\timeout.exe
                  timeout 10
                  3⤵
                  • Delays execution with timeout.exe
                  PID:2940
            • C:\Users\Admin\AppData\Local\Temp\rutserv.exe
              "C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
              1⤵
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:392
              • C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
                C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3340
              • C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
                C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
                2⤵
                  PID:4788

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/392-142-0x00000000031E0000-0x00000000031E1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/392-132-0x0000000003130000-0x0000000003131000-memory.dmp

                Filesize

                4KB

                Download

              • memory/392-133-0x00000000031C0000-0x00000000031C1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/392-135-0x0000000004E70000-0x0000000004E71000-memory.dmp

                Filesize

                4KB

                Download

              • memory/392-134-0x0000000003B20000-0x0000000003B21000-memory.dmp

                Filesize

                4KB

                Download

              • memory/392-136-0x0000000003210000-0x0000000003211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/392-140-0x00000000033F0000-0x00000000033F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/392-137-0x0000000003290000-0x0000000003291000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2028-131-0x0000000004580000-0x0000000004581000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3340-148-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/3340-146-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/3340-150-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/3340-139-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/3340-145-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/3340-143-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/4236-130-0x0000000003010000-0x0000000003011000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4788-144-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/4788-147-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/4788-138-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/4788-149-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/4788-152-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download

              • memory/4788-151-0x0000000000B70000-0x0000000000B71000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4788-141-0x0000000000400000-0x00000000009B6000-memory.dmp

                Filesize

                5.7MB

                Download