rms | 52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c

Analysis

max time kernel
4294205s
max time network
156s
platform
windows7_x64
resource
win7-20220310-en
submitted
26-03-2022 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
Size

21.3MB
MD5

591b70bb39ae6201841a62b12d0dd2d8
SHA1

fb9eef4e415956063bc59d8c7b0a9ca487ce1015
SHA256

52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c
SHA512

53ea11e218fbb6d4800212e9f46287e5fe7227ade5f119404cdb2e26801321c079d81b15ccfc0dcd7bd83c6d7039b242d54e655c3ecdce9418727b97059009d8

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 7 IoCs

pid	Process
1604	rutserv.exe
1920	rutserv.exe
1200	rutserv.exe
2012	rutserv.exe
972	rfusclient.exe
968	rfusclient.exe
272	rfusclient.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Loads dropped DLL 2 IoCs

pid	Process
2020	cmd.exe
2012	rutserv.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System64\install.bat	attrib.exe
File created	C:\Windows\System64\rfusclient.exe	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
File created	C:\Windows\System64\rutserv.exe	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
File created	C:\Windows\System64\vp8encoder.dll	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
File created	C:\Windows\System64\vp8decoder.dll	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
File created	C:\Windows\System64\regedit.reg	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
File created	C:\Windows\System64\install.bat	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1556	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1264	taskkill.exe
1764	taskkill.exe
1312	taskkill.exe
1160	taskkill.exe
828	taskkill.exe
668	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1328	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
960	regedit.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1604	rutserv.exe
1604	rutserv.exe
1604	rutserv.exe
1604	rutserv.exe
1920	rutserv.exe
1920	rutserv.exe
1200	rutserv.exe
1200	rutserv.exe
2012	rutserv.exe
2012	rutserv.exe
2012	rutserv.exe
2012	rutserv.exe
972	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
272	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1156	powercfg.exe
Token: SeShutdownPrivilege	1156	powercfg.exe
Token: SeShutdownPrivilege	1156	powercfg.exe
Token: SeShutdownPrivilege	1156	powercfg.exe
Token: SeShutdownPrivilege	1156	powercfg.exe
Token: SeCreatePagefilePrivilege	1156	powercfg.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	1604	rutserv.exe
Token: SeDebugPrivilege	1200	rutserv.exe
Token: SeTakeOwnershipPrivilege	2012	rutserv.exe
Token: SeTcbPrivilege	2012	rutserv.exe
Token: SeTcbPrivilege	2012	rutserv.exe
Token: SeBackupPrivilege	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
1604	rutserv.exe
1920	rutserv.exe
1200	rutserv.exe
2012	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1748	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	27
PID 1904 wrote to memory of 1748	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	27
PID 1904 wrote to memory of 1748	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	27
PID 1904 wrote to memory of 1748	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	27
PID 1904 wrote to memory of 1712	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	29
PID 1904 wrote to memory of 1712	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	29
PID 1904 wrote to memory of 1712	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	29
PID 1904 wrote to memory of 1712	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	29
PID 1904 wrote to memory of 1328	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	30
PID 1904 wrote to memory of 1328	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	30
PID 1904 wrote to memory of 1328	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	30
PID 1904 wrote to memory of 1328	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	30
PID 1904 wrote to memory of 1156	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	33
PID 1904 wrote to memory of 1156	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	33
PID 1904 wrote to memory of 1156	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	33
PID 1904 wrote to memory of 1156	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	33
PID 1904 wrote to memory of 2020	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	35
PID 1904 wrote to memory of 2020	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	35
PID 1904 wrote to memory of 2020	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	35
PID 1904 wrote to memory of 2020	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	35
PID 1904 wrote to memory of 2020	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	35
PID 1904 wrote to memory of 2020	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	35
PID 1904 wrote to memory of 2020	1904	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	35
PID 2020 wrote to memory of 1612	2020	cmd.exe	37
PID 2020 wrote to memory of 1612	2020	cmd.exe	37
PID 2020 wrote to memory of 1612	2020	cmd.exe	37
PID 2020 wrote to memory of 1612	2020	cmd.exe	37
PID 2020 wrote to memory of 1264	2020	cmd.exe	38
PID 2020 wrote to memory of 1264	2020	cmd.exe	38
PID 2020 wrote to memory of 1264	2020	cmd.exe	38
PID 2020 wrote to memory of 1264	2020	cmd.exe	38
PID 2020 wrote to memory of 1764	2020	cmd.exe	40
PID 2020 wrote to memory of 1764	2020	cmd.exe	40
PID 2020 wrote to memory of 1764	2020	cmd.exe	40
PID 2020 wrote to memory of 1764	2020	cmd.exe	40
PID 2020 wrote to memory of 1312	2020	cmd.exe	41
PID 2020 wrote to memory of 1312	2020	cmd.exe	41
PID 2020 wrote to memory of 1312	2020	cmd.exe	41
PID 2020 wrote to memory of 1312	2020	cmd.exe	41
PID 2020 wrote to memory of 1160	2020	cmd.exe	42
PID 2020 wrote to memory of 1160	2020	cmd.exe	42
PID 2020 wrote to memory of 1160	2020	cmd.exe	42
PID 2020 wrote to memory of 1160	2020	cmd.exe	42
PID 2020 wrote to memory of 828	2020	cmd.exe	43
PID 2020 wrote to memory of 828	2020	cmd.exe	43
PID 2020 wrote to memory of 828	2020	cmd.exe	43
PID 2020 wrote to memory of 828	2020	cmd.exe	43
PID 2020 wrote to memory of 668	2020	cmd.exe	44
PID 2020 wrote to memory of 668	2020	cmd.exe	44
PID 2020 wrote to memory of 668	2020	cmd.exe	44
PID 2020 wrote to memory of 668	2020	cmd.exe	44
PID 2020 wrote to memory of 1532	2020	cmd.exe	45
PID 2020 wrote to memory of 1532	2020	cmd.exe	45
PID 2020 wrote to memory of 1532	2020	cmd.exe	45
PID 2020 wrote to memory of 1532	2020	cmd.exe	45
PID 2020 wrote to memory of 744	2020	cmd.exe	46
PID 2020 wrote to memory of 744	2020	cmd.exe	46
PID 2020 wrote to memory of 744	2020	cmd.exe	46
PID 2020 wrote to memory of 744	2020	cmd.exe	46
PID 2020 wrote to memory of 960	2020	cmd.exe	47
PID 2020 wrote to memory of 960	2020	cmd.exe	47
PID 2020 wrote to memory of 960	2020	cmd.exe	47
PID 2020 wrote to memory of 960	2020	cmd.exe	47
PID 2020 wrote to memory of 1556	2020	cmd.exe	48

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1612	attrib.exe
1336	attrib.exe

C:\Users\Admin\AppData\Local\Temp\52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
"C:\Users\Admin\AppData\Local\Temp\52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set opmode mode=disable
  2⤵
  PID:1748
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  PID:1712
- C:\Windows\SysWOW64\reg.exe
  reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1328
- C:\Windows\SysWOW64\powercfg.exe
  powercfg.exe -h off
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\System64\install.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -a -s -h "C:\Windows\System64\install.bat" /S /D
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:668
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\System Corporation Update" /f
    3⤵
    PID:744
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:960
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1556
- - C:\Windows\System64\rutserv.exe
    rutserv.exe /silentinstall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1604
- - C:\Windows\System64\rutserv.exe
    rutserv.exe /firewall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1920
- - C:\Windows\System64\rutserv.exe
    rutserv.exe /start
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1200
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +a +s +h "C:\Windows\System64" /S /D
    3⤵
    - Views/modifies file attributes
    PID:1336

C:\Windows\System64\rutserv.exe
C:\Windows\System64\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2012
- C:\Windows\System64\rfusclient.exe
  C:\Windows\System64\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- - C:\Windows\System64\rfusclient.exe
    C:\Windows\System64\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:272
- C:\Windows\System64\rfusclient.exe
  C:\Windows\System64\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:968