rms | d3e198d02970c41c83dc1564901df7870ae8753450eb16fd4e264224b80a2ee5

Analysis

max time kernel
132s
max time network
150s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-04-2022 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe
Size

4.0MB
MD5

08d8635c2d1c55bd8e9b75f3a0dba935
SHA1

0a775ac49ce5eb194b11d08527a005519feb8b7e
SHA256

d3e198d02970c41c83dc1564901df7870ae8753450eb16fd4e264224b80a2ee5
SHA512

2d4d5ae871f308767f81e9cb611836e9e05ef64e96dc19316a9965bf94da44c51b851e8563a680b703a35e5a095492c6d67fb9408c91d5e42f082fbabd5affd7

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 3 IoCs

pid	Process
1348	drvhost.exe
956	drvhost.exe
1908	drvhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	drvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	drvhost.exe

Loads dropped DLL 11 IoCs

pid	Process
1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe
1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe
1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe
1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe
1348	drvhost.exe
1348	drvhost.exe
956	drvhost.exe
956	drvhost.exe
1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe
1908	drvhost.exe
1908	drvhost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\OpenJVC\drvhost.exe	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe
File created	C:\Program Files (x86)\OpenJVC\ssleay32.dll	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe
File created	C:\Program Files (x86)\OpenJVC\libeay32.dll	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1348	drvhost.exe
1348	drvhost.exe
1348	drvhost.exe
1348	drvhost.exe
1348	drvhost.exe
1348	drvhost.exe
956	drvhost.exe
956	drvhost.exe
956	drvhost.exe
956	drvhost.exe
956	drvhost.exe
956	drvhost.exe
1908	drvhost.exe
1908	drvhost.exe
1908	drvhost.exe
1908	drvhost.exe
1908	drvhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	drvhost.exe
Token: SeTakeOwnershipPrivilege	956	drvhost.exe
Token: SeTcbPrivilege	956	drvhost.exe
Token: SeTcbPrivilege	956	drvhost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1348	drvhost.exe
1348	drvhost.exe
1348	drvhost.exe
1348	drvhost.exe
956	drvhost.exe
956	drvhost.exe
956	drvhost.exe
956	drvhost.exe
1908	drvhost.exe
1908	drvhost.exe
1908	drvhost.exe
1908	drvhost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1348	1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe	27
PID 1640 wrote to memory of 1348	1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe	27
PID 1640 wrote to memory of 1348	1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe	27
PID 1640 wrote to memory of 1348	1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe	27
PID 1640 wrote to memory of 320	1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe	29
PID 1640 wrote to memory of 320	1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe	29
PID 1640 wrote to memory of 320	1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe	29
PID 1640 wrote to memory of 320	1640	D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe	29
PID 320 wrote to memory of 2020	320	cmd.exe	31
PID 320 wrote to memory of 2020	320	cmd.exe	31
PID 320 wrote to memory of 2020	320	cmd.exe	31
PID 320 wrote to memory of 2020	320	cmd.exe	31
PID 320 wrote to memory of 1528	320	cmd.exe	32
PID 320 wrote to memory of 1528	320	cmd.exe	32
PID 320 wrote to memory of 1528	320	cmd.exe	32
PID 320 wrote to memory of 1528	320	cmd.exe	32
PID 320 wrote to memory of 1588	320	cmd.exe	33
PID 320 wrote to memory of 1588	320	cmd.exe	33
PID 320 wrote to memory of 1588	320	cmd.exe	33
PID 320 wrote to memory of 1588	320	cmd.exe	33
PID 364 wrote to memory of 1908	364	taskeng.exe	35
PID 364 wrote to memory of 1908	364	taskeng.exe	35
PID 364 wrote to memory of 1908	364	taskeng.exe	35
PID 364 wrote to memory of 1908	364	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe
"C:\Users\Admin\AppData\Local\Temp\D3E198D02970C41C83DC1564901DF7870AE8753450EB1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Program Files (x86)\OpenJVC\drvhost.exe
  "C:\Program Files (x86)\OpenJVC\drvhost.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1348
- - C:\Program Files (x86)\OpenJVC\drvhost.exe
    "C:\Program Files (x86)\OpenJVC\drvhost.exe" -second
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SchTasks /create /f /XML %temp%\Log43.xml /TN \microsoft\windows\defrag\scheduleddefrag && schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE && schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\schtasks.exe
    SchTasks /create /f /XML C:\Users\Admin\AppData\Local\Temp\Log43.xml /TN \microsoft\windows\defrag\scheduleddefrag
    3⤵
    - Creates scheduled task(s)
    PID:2020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
    3⤵
    PID:1588

C:\Windows\system32\taskeng.exe
taskeng.exe {CD9758FC-0F58-4CDF-B62E-ACAEE3AEE7E4} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:364
- C:\Program Files (x86)\OpenJVC\drvhost.exe
  "C:\Program Files (x86)\OpenJVC\drvhost.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\OpenJVC\drvhost.exe

Filesize
11.2MB

MD5
2d8bef5c87c297073eb19739ad3f6fe5

SHA1
5634208b9374b21fd5a0d8872333b1753b58c760

SHA256
2d3a2e40afb18ed3946c38c155f85072d9cfd7604a76d8c646ce3ce15ab795eb

SHA512
ca06b03ca87d71dcb0fb583f79fa6fbe56c1f4a49129e4022158e5ca50706fc52e5fb23a5ebf2d5db7db9fdd3bd8fd8c9bf6477775b9c1878db3dc1ccc70898a

Download Submit
C:\Program Files (x86)\OpenJVC\drvhost.exe

Filesize
11.2MB

MD5
2d8bef5c87c297073eb19739ad3f6fe5

SHA1
5634208b9374b21fd5a0d8872333b1753b58c760

SHA256
2d3a2e40afb18ed3946c38c155f85072d9cfd7604a76d8c646ce3ce15ab795eb

SHA512
ca06b03ca87d71dcb0fb583f79fa6fbe56c1f4a49129e4022158e5ca50706fc52e5fb23a5ebf2d5db7db9fdd3bd8fd8c9bf6477775b9c1878db3dc1ccc70898a

Download Submit
C:\Program Files (x86)\OpenJVC\drvhost.exe

Filesize
11.2MB

MD5
2d8bef5c87c297073eb19739ad3f6fe5

SHA1
5634208b9374b21fd5a0d8872333b1753b58c760

SHA256
2d3a2e40afb18ed3946c38c155f85072d9cfd7604a76d8c646ce3ce15ab795eb

SHA512
ca06b03ca87d71dcb0fb583f79fa6fbe56c1f4a49129e4022158e5ca50706fc52e5fb23a5ebf2d5db7db9fdd3bd8fd8c9bf6477775b9c1878db3dc1ccc70898a

Download Submit
C:\Program Files (x86)\OpenJVC\drvhost.exe

Filesize
11.2MB

MD5
2d8bef5c87c297073eb19739ad3f6fe5

SHA1
5634208b9374b21fd5a0d8872333b1753b58c760

SHA256
2d3a2e40afb18ed3946c38c155f85072d9cfd7604a76d8c646ce3ce15ab795eb

SHA512
ca06b03ca87d71dcb0fb583f79fa6fbe56c1f4a49129e4022158e5ca50706fc52e5fb23a5ebf2d5db7db9fdd3bd8fd8c9bf6477775b9c1878db3dc1ccc70898a

Download Submit
C:\Program Files (x86)\OpenJVC\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Program Files (x86)\OpenJVC\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log43.xml

Filesize
1KB

MD5
d91f1a2c8a4fc1378a4bc5a2ce8510fb

SHA1
0ebfc0a627a4a0df62170402032ab80dcbaefb09

SHA256
ac175ed03340afa53ee19927e265291a735a29a7effc75afd69fc0a23e5b2c57

SHA512
47f8c97b6f7eaf68346b787cc7eeb9d94a0fcb6b242704cd30ce06edf155adac79b4659b27fb693a4c3fb82ca425ffa22674a91c12dc27ccf8add860e271c933

Download Submit
\Program Files (x86)\OpenJVC\drvhost.exe

Filesize
11.2MB

MD5
2d8bef5c87c297073eb19739ad3f6fe5

SHA1
5634208b9374b21fd5a0d8872333b1753b58c760

SHA256
2d3a2e40afb18ed3946c38c155f85072d9cfd7604a76d8c646ce3ce15ab795eb

SHA512
ca06b03ca87d71dcb0fb583f79fa6fbe56c1f4a49129e4022158e5ca50706fc52e5fb23a5ebf2d5db7db9fdd3bd8fd8c9bf6477775b9c1878db3dc1ccc70898a

Download Submit
\Program Files (x86)\OpenJVC\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\Program Files (x86)\OpenJVC\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\Program Files (x86)\OpenJVC\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\Program Files (x86)\OpenJVC\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\Program Files (x86)\OpenJVC\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\Program Files (x86)\OpenJVC\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\Users\Admin\AppData\Local\Temp\nsy263.tmp\NSISList.dll

Filesize
105KB

MD5
4b0617493f32b2b5fe5e838eeb885819

SHA1
336e84380420a9caaa9c12af7c8e530135e63c57

SHA256
df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402

SHA512
5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143

Download Submit
\Users\Admin\AppData\Local\Temp\nsy263.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsy263.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
\Users\Admin\AppData\Local\Temp\nsy263.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
memory/1640-54-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download