rms | 34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222

Analysis

max time kernel
4294209s
max time network
151s
platform
windows7_x64
resource
win7-20220311-en
submitted
26-03-2022 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
Size

4.5MB
MD5

aa49af78c5949910f09e3d303f2b7680
SHA1

cf9d1787f45ee932791ab0a797a2fc67ecb5eb17
SHA256

34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222
SHA512

85c0a891667aafb44eca64d978eca2346771095f440880328749fd99ee7000f527a163a8985782a30a845f7dfab43eb66a61619948759508193453ca33ba2205

Score

10^/10

rms aspackv2 evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000800000001273a-70.dat	acprotect
behavioral1/files/0x0009000000012697-69.dat	acprotect

ASPack v2.12-2.42 13 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000013101-68.dat	aspack_v212_v242
behavioral1/files/0x000700000001274a-67.dat	aspack_v212_v242
behavioral1/files/0x0006000000013101-85.dat	aspack_v212_v242
behavioral1/files/0x0006000000013101-87.dat	aspack_v212_v242
behavioral1/files/0x0006000000013101-95.dat	aspack_v212_v242
behavioral1/files/0x0006000000013101-97.dat	aspack_v212_v242
behavioral1/files/0x0006000000013101-105.dat	aspack_v212_v242
behavioral1/files/0x0006000000013101-107.dat	aspack_v212_v242
behavioral1/files/0x0006000000013101-114.dat	aspack_v212_v242
behavioral1/files/0x000700000001274a-121.dat	aspack_v212_v242
behavioral1/files/0x000700000001274a-122.dat	aspack_v212_v242
behavioral1/files/0x000700000001274a-125.dat	aspack_v212_v242
behavioral1/files/0x000700000001274a-127.dat	aspack_v212_v242

Executes dropped EXE 6 IoCs

pid	Process
1524	rutserv.exe
304	rutserv.exe
916	rutserv.exe
1584	rutserv.exe
1752	rfusclient.exe
520	rfusclient.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001273a-70.dat	upx
behavioral1/files/0x0009000000012697-69.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
1652	cmd.exe
1652	cmd.exe
1652	cmd.exe
1584	rutserv.exe
1584	rutserv.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\System\vp8decoder.dll	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System\rutserv.exe	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File created	C:\Program Files (x86)\System\vp8decoder.dll	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File created	C:\Program Files (x86)\System\rfusclient.exe	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System\install.bat	attrib.exe
File created	C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_259405357	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System\vp8encoder.dll	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File created	C:\Program Files (x86)\System\install.bat	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System\rfusclient.exe	attrib.exe
File created	C:\Program Files (x86)\System\vp8encoder.dll	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System\regedit.reg	attrib.exe
File created	C:\Program Files (x86)\System\id.txt	reg.exe
File opened for modification	C:\Program Files (x86)\System	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File created	C:\Program Files (x86)\System\rutserv.exe	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File created	C:\Program Files (x86)\System\mailsend.exe	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\Common Files\System	attrib.exe
File opened for modification	C:\Program Files (x86)\System\install.vbs	attrib.exe
File opened for modification	C:\Program Files (x86)\System\mailsend.exe	attrib.exe
File created	C:\Program Files (x86)\System\regedit.reg	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System\regedit.reg	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System\mailsend.exe	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System\install.vbs	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System\vp8decoder.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\System\vp8encoder.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\System\id.txt	reg.exe
File created	C:\Program Files (x86)\System\install.vbs	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System\rutserv.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\System\rfusclient.exe	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System\install.bat	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
File opened for modification	C:\Program Files (x86)\System	attrib.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1348	timeout.exe
956	timeout.exe
1700	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
432	taskkill.exe
1816	taskkill.exe
1848	taskkill.exe
1132	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1732	regedit.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1524	rutserv.exe
1524	rutserv.exe
1524	rutserv.exe
1524	rutserv.exe
304	rutserv.exe
304	rutserv.exe
916	rutserv.exe
916	rutserv.exe
1584	rutserv.exe
1584	rutserv.exe
1584	rutserv.exe
1584	rutserv.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	1524	rutserv.exe
Token: SeDebugPrivilege	916	rutserv.exe
Token: SeTakeOwnershipPrivilege	1584	rutserv.exe
Token: SeTcbPrivilege	1584	rutserv.exe
Token: SeTcbPrivilege	1584	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1524	rutserv.exe
304	rutserv.exe
916	rutserv.exe
1584	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1752	1212	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe	27
PID 1212 wrote to memory of 1752	1212	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe	27
PID 1212 wrote to memory of 1752	1212	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe	27
PID 1212 wrote to memory of 1752	1212	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe	27
PID 1212 wrote to memory of 1752	1212	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe	27
PID 1212 wrote to memory of 1752	1212	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe	27
PID 1212 wrote to memory of 1752	1212	34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe	27
PID 1752 wrote to memory of 1652	1752	WScript.exe	28
PID 1752 wrote to memory of 1652	1752	WScript.exe	28
PID 1752 wrote to memory of 1652	1752	WScript.exe	28
PID 1752 wrote to memory of 1652	1752	WScript.exe	28
PID 1752 wrote to memory of 1652	1752	WScript.exe	28
PID 1752 wrote to memory of 1652	1752	WScript.exe	28
PID 1752 wrote to memory of 1652	1752	WScript.exe	28
PID 1652 wrote to memory of 1644	1652	cmd.exe	30
PID 1652 wrote to memory of 1644	1652	cmd.exe	30
PID 1652 wrote to memory of 1644	1652	cmd.exe	30
PID 1652 wrote to memory of 1644	1652	cmd.exe	30
PID 1652 wrote to memory of 1644	1652	cmd.exe	30
PID 1652 wrote to memory of 1644	1652	cmd.exe	30
PID 1652 wrote to memory of 1644	1652	cmd.exe	30
PID 1652 wrote to memory of 1384	1652	cmd.exe	31
PID 1652 wrote to memory of 1384	1652	cmd.exe	31
PID 1652 wrote to memory of 1384	1652	cmd.exe	31
PID 1652 wrote to memory of 1384	1652	cmd.exe	31
PID 1652 wrote to memory of 1384	1652	cmd.exe	31
PID 1652 wrote to memory of 1384	1652	cmd.exe	31
PID 1652 wrote to memory of 1384	1652	cmd.exe	31
PID 1652 wrote to memory of 432	1652	cmd.exe	32
PID 1652 wrote to memory of 432	1652	cmd.exe	32
PID 1652 wrote to memory of 432	1652	cmd.exe	32
PID 1652 wrote to memory of 432	1652	cmd.exe	32
PID 1652 wrote to memory of 432	1652	cmd.exe	32
PID 1652 wrote to memory of 432	1652	cmd.exe	32
PID 1652 wrote to memory of 432	1652	cmd.exe	32
PID 1652 wrote to memory of 1816	1652	cmd.exe	34
PID 1652 wrote to memory of 1816	1652	cmd.exe	34
PID 1652 wrote to memory of 1816	1652	cmd.exe	34
PID 1652 wrote to memory of 1816	1652	cmd.exe	34
PID 1652 wrote to memory of 1816	1652	cmd.exe	34
PID 1652 wrote to memory of 1816	1652	cmd.exe	34
PID 1652 wrote to memory of 1816	1652	cmd.exe	34
PID 1652 wrote to memory of 1848	1652	cmd.exe	35
PID 1652 wrote to memory of 1848	1652	cmd.exe	35
PID 1652 wrote to memory of 1848	1652	cmd.exe	35
PID 1652 wrote to memory of 1848	1652	cmd.exe	35
PID 1652 wrote to memory of 1848	1652	cmd.exe	35
PID 1652 wrote to memory of 1848	1652	cmd.exe	35
PID 1652 wrote to memory of 1848	1652	cmd.exe	35
PID 1652 wrote to memory of 1132	1652	cmd.exe	36
PID 1652 wrote to memory of 1132	1652	cmd.exe	36
PID 1652 wrote to memory of 1132	1652	cmd.exe	36
PID 1652 wrote to memory of 1132	1652	cmd.exe	36
PID 1652 wrote to memory of 1132	1652	cmd.exe	36
PID 1652 wrote to memory of 1132	1652	cmd.exe	36
PID 1652 wrote to memory of 1132	1652	cmd.exe	36
PID 1652 wrote to memory of 1504	1652	cmd.exe	37
PID 1652 wrote to memory of 1504	1652	cmd.exe	37
PID 1652 wrote to memory of 1504	1652	cmd.exe	37
PID 1652 wrote to memory of 1504	1652	cmd.exe	37
PID 1652 wrote to memory of 1504	1652	cmd.exe	37
PID 1652 wrote to memory of 1504	1652	cmd.exe	37
PID 1652 wrote to memory of 1504	1652	cmd.exe	37
PID 1652 wrote to memory of 1732	1652	cmd.exe	38

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1644	attrib.exe
1384	attrib.exe

C:\Users\Admin\AppData\Local\Temp\34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe
"C:\Users\Admin\AppData\Local\Temp\34f40cfa2823d88907f8d73c701aba10439b9a8e754cb3b71b026db00833d222.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\System\install.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Program Files (x86)\System" +H +S /S /D
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:432
  - - C:\Windows\SysWOW64\taskkill.exe
      Taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1848
  - - C:\Windows\SysWOW64\taskkill.exe
      Taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1132
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:1732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:1348
  - - C:\Program Files (x86)\System\rutserv.exe
      rutserv.exe /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1524
  - - C:\Program Files (x86)\System\rutserv.exe
      rutserv.exe /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:304
  - - C:\Program Files (x86)\System\rutserv.exe
      rutserv.exe /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:916
  - - C:\Windows\SysWOW64\sc.exe
      sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\sc.exe
      sc config RManService obj= LocalSystem type= interact type= own
      4⤵
      PID:1020
  - - C:\Windows\SysWOW64\sc.exe
      sc config RManService DisplayName= "Windows_Defender v6.3"
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 120
      4⤵
      Delays execution with timeout.exe
      PID:956
  - - C:\Windows\SysWOW64\reg.exe
      reg export "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4" "id.txt"
      4⤵
      Drops file in Program Files directory
      PID:588
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 10
      4⤵
      Delays execution with timeout.exe
      PID:1700

C:\Program Files (x86)\System\rutserv.exe
"C:\Program Files (x86)\System\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1584
- C:\Program Files (x86)\System\rfusclient.exe
  "C:\Program Files (x86)\System\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Program Files (x86)\System\rfusclient.exe
  "C:\Program Files (x86)\System\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-103-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/304-102-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/304-100-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/304-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/304-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/304-104-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/520-137-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/520-141-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/520-139-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/520-135-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/520-133-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/916-109-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/916-113-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/916-129-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/916-110-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/916-111-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/916-112-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1212-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1524-90-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1524-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1524-89-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1524-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1524-94-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1524-93-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1584-119-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1584-118-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1584-120-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1584-116-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1584-117-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1652-143-0x0000000002160000-0x0000000002819000-memory.dmp

Filesize
6.7MB

Download