rms | f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1

Analysis

max time kernel
4294224s
max time network
143s
platform
windows7_x64
resource
win7-20220310-en
submitted
24-03-2022 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
Size

4.5MB
MD5

fe9a45491e215a118d47a7e9d2ec0150
SHA1

c943abab28f86b51771ff69f9deebdb52748f601
SHA256

f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1
SHA512

dc97ed149dddde987206aa7b27baf097cd086354e67923f67acc113c12c98c7bed97551f17c352ac0771bc66e297e8e187c2d6087540238a0ebae6f24c9df12e

Score

10^/10

rms aspackv2 evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00090000000122c1-70.dat	acprotect
behavioral1/files/0x00090000000122bf-69.dat	acprotect

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00080000000122c3-68.dat	aspack_v212_v242
behavioral1/files/0x00080000000122c2-67.dat	aspack_v212_v242
behavioral1/files/0x00080000000122c3-85.dat	aspack_v212_v242
behavioral1/files/0x00080000000122c3-87.dat	aspack_v212_v242
behavioral1/files/0x00080000000122c3-95.dat	aspack_v212_v242
behavioral1/files/0x00080000000122c3-97.dat	aspack_v212_v242
behavioral1/files/0x00080000000122c3-105.dat	aspack_v212_v242
behavioral1/files/0x00080000000122c3-107.dat	aspack_v212_v242
behavioral1/files/0x00080000000122c3-114.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
2040	rutserv.exe
1748	rutserv.exe
1972	rutserv.exe
1788	rutserv.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000122c1-70.dat	upx
behavioral1/files/0x00090000000122bf-69.dat	upx

Loads dropped DLL 3 IoCs

pid	Process
1736	cmd.exe
1736	cmd.exe
1736	cmd.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_259446245	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File created	C:\Program Files (x86)\System\vp8encoder.dll	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File opened for modification	C:\Program Files (x86)\System	attrib.exe
File opened for modification	C:\Program Files (x86)\System\rutserv.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\System\vp8encoder.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\System\vp8decoder.dll	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File opened for modification	C:\Program Files (x86)\System\install.bat	attrib.exe
File opened for modification	C:\Program Files (x86)\System	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File opened for modification	C:\Program Files (x86)\System\mailsend.exe	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File opened for modification	C:\Program Files (x86)\System\install.vbs	attrib.exe
File opened for modification	C:\Program Files (x86)\System\vp8encoder.dll	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File created	C:\Program Files (x86)\System\rfusclient.exe	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File created	C:\Program Files (x86)\System\mailsend.exe	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File opened for modification	C:\Program Files (x86)\System\install.bat	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File opened for modification	C:\Program Files (x86)\System\mailsend.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\System\rfusclient.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\System\install.vbs	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File opened for modification	C:\Program Files (x86)\Common Files\System	attrib.exe
File opened for modification	C:\Program Files (x86)\System\vp8decoder.dll	attrib.exe
File created	C:\Program Files (x86)\System\install.vbs	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File opened for modification	C:\Program Files (x86)\System\regedit.reg	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File created	C:\Program Files (x86)\System\install.bat	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File opened for modification	C:\Program Files (x86)\System\regedit.reg	attrib.exe
File created	C:\Program Files (x86)\System\vp8decoder.dll	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File opened for modification	C:\Program Files (x86)\System\rfusclient.exe	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File created	C:\Program Files (x86)\System\rutserv.exe	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File created	C:\Program Files (x86)\System\regedit.reg	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
File opened for modification	C:\Program Files (x86)\System\rutserv.exe	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1616	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1464	taskkill.exe
1268	taskkill.exe
1820	taskkill.exe
520	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
888	regedit.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2040	rutserv.exe
2040	rutserv.exe
2040	rutserv.exe
2040	rutserv.exe
1748	rutserv.exe
1748	rutserv.exe
1972	rutserv.exe
1972	rutserv.exe
1788	rutserv.exe
1788	rutserv.exe
1788	rutserv.exe
1788	rutserv.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	2040	rutserv.exe
Token: SeDebugPrivilege	1972	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2040	rutserv.exe
1748	rutserv.exe
1972	rutserv.exe
1788	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 684	952	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe	27
PID 952 wrote to memory of 684	952	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe	27
PID 952 wrote to memory of 684	952	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe	27
PID 952 wrote to memory of 684	952	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe	27
PID 952 wrote to memory of 684	952	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe	27
PID 952 wrote to memory of 684	952	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe	27
PID 952 wrote to memory of 684	952	f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe	27
PID 684 wrote to memory of 1736	684	WScript.exe	30
PID 684 wrote to memory of 1736	684	WScript.exe	30
PID 684 wrote to memory of 1736	684	WScript.exe	30
PID 684 wrote to memory of 1736	684	WScript.exe	30
PID 684 wrote to memory of 1736	684	WScript.exe	30
PID 684 wrote to memory of 1736	684	WScript.exe	30
PID 684 wrote to memory of 1736	684	WScript.exe	30
PID 1736 wrote to memory of 1808	1736	cmd.exe	32
PID 1736 wrote to memory of 1808	1736	cmd.exe	32
PID 1736 wrote to memory of 1808	1736	cmd.exe	32
PID 1736 wrote to memory of 1808	1736	cmd.exe	32
PID 1736 wrote to memory of 1808	1736	cmd.exe	32
PID 1736 wrote to memory of 1808	1736	cmd.exe	32
PID 1736 wrote to memory of 1808	1736	cmd.exe	32
PID 1736 wrote to memory of 1952	1736	cmd.exe	33
PID 1736 wrote to memory of 1952	1736	cmd.exe	33
PID 1736 wrote to memory of 1952	1736	cmd.exe	33
PID 1736 wrote to memory of 1952	1736	cmd.exe	33
PID 1736 wrote to memory of 1952	1736	cmd.exe	33
PID 1736 wrote to memory of 1952	1736	cmd.exe	33
PID 1736 wrote to memory of 1952	1736	cmd.exe	33
PID 1736 wrote to memory of 1820	1736	cmd.exe	34
PID 1736 wrote to memory of 1820	1736	cmd.exe	34
PID 1736 wrote to memory of 1820	1736	cmd.exe	34
PID 1736 wrote to memory of 1820	1736	cmd.exe	34
PID 1736 wrote to memory of 1820	1736	cmd.exe	34
PID 1736 wrote to memory of 1820	1736	cmd.exe	34
PID 1736 wrote to memory of 1820	1736	cmd.exe	34
PID 1736 wrote to memory of 520	1736	cmd.exe	36
PID 1736 wrote to memory of 520	1736	cmd.exe	36
PID 1736 wrote to memory of 520	1736	cmd.exe	36
PID 1736 wrote to memory of 520	1736	cmd.exe	36
PID 1736 wrote to memory of 520	1736	cmd.exe	36
PID 1736 wrote to memory of 520	1736	cmd.exe	36
PID 1736 wrote to memory of 520	1736	cmd.exe	36
PID 1736 wrote to memory of 1464	1736	cmd.exe	37
PID 1736 wrote to memory of 1464	1736	cmd.exe	37
PID 1736 wrote to memory of 1464	1736	cmd.exe	37
PID 1736 wrote to memory of 1464	1736	cmd.exe	37
PID 1736 wrote to memory of 1464	1736	cmd.exe	37
PID 1736 wrote to memory of 1464	1736	cmd.exe	37
PID 1736 wrote to memory of 1464	1736	cmd.exe	37
PID 1736 wrote to memory of 1268	1736	cmd.exe	38
PID 1736 wrote to memory of 1268	1736	cmd.exe	38
PID 1736 wrote to memory of 1268	1736	cmd.exe	38
PID 1736 wrote to memory of 1268	1736	cmd.exe	38
PID 1736 wrote to memory of 1268	1736	cmd.exe	38
PID 1736 wrote to memory of 1268	1736	cmd.exe	38
PID 1736 wrote to memory of 1268	1736	cmd.exe	38
PID 1736 wrote to memory of 1728	1736	cmd.exe	39
PID 1736 wrote to memory of 1728	1736	cmd.exe	39
PID 1736 wrote to memory of 1728	1736	cmd.exe	39
PID 1736 wrote to memory of 1728	1736	cmd.exe	39
PID 1736 wrote to memory of 1728	1736	cmd.exe	39
PID 1736 wrote to memory of 1728	1736	cmd.exe	39
PID 1736 wrote to memory of 1728	1736	cmd.exe	39
PID 1736 wrote to memory of 888	1736	cmd.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1808	attrib.exe
1952	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe
"C:\Users\Admin\AppData\Local\Temp\f2435506ae840503e8de6dc5b75d92390cf1c84eab6e1ea9b42f006fba7d0dc1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\System\install.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Program Files (x86)\System" +H +S /S /D
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1820
  - - C:\Windows\SysWOW64\taskkill.exe
      Taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1464
  - - C:\Windows\SysWOW64\taskkill.exe
      Taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1268
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:888
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:1616
  - - C:\Program Files (x86)\System\rutserv.exe
      rutserv.exe /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2040
  - - C:\Program Files (x86)\System\rutserv.exe
      rutserv.exe /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1748
  - - C:\Program Files (x86)\System\rutserv.exe
      rutserv.exe /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1972

C:\Program Files (x86)\System\rutserv.exe
"C:\Program Files (x86)\System\rutserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-54-0x00000000766A1000-0x00000000766A3000-memory.dmp

Filesize
8KB

Download
memory/1748-104-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1748-103-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1748-102-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1748-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1748-100-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1748-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1788-120-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1788-116-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1788-117-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1788-118-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1788-119-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1972-111-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1972-109-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1972-110-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1972-112-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1972-113-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2040-94-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2040-93-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2040-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2040-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2040-90-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2040-89-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download