rms | 244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf

Analysis

max time kernel
157s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
Size

5.5MB
MD5

42f3db290bdb873ea53f87dd71262d41
SHA1

97c643cee498989e193330f0af5b3d5a9d50977b
SHA256

244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf
SHA512

2ced086d1488f1cda5d0dfbff9b30f1c838896f925bf615c71b26816ba43a2632f74d1da0880eccaf3b4793c3ad44b24063437285995d034d62751e9cc108841

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 4 IoCs

pid	Process
2680	Injector.exe
5116	csrss.exe
2232	csrss.exe
1080	csrss.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\install.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\install.bat	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4428	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3712	taskkill.exe
4412	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3908	regedit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5116	csrss.exe
5116	csrss.exe
5116	csrss.exe
5116	csrss.exe
5116	csrss.exe
5116	csrss.exe
2232	csrss.exe
2232	csrss.exe
1080	csrss.exe
1080	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	5116	csrss.exe
Token: SeDebugPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: SeDebugPrivilege	2232	csrss.exe
Token: SeDebugPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe
Token: 33	2680	Injector.exe
Token: SeIncBasePriorityPrivilege	2680	Injector.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5116	csrss.exe
2232	csrss.exe
1080	csrss.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 3308	2036	244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe	81
PID 2036 wrote to memory of 3308	2036	244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe	81
PID 2036 wrote to memory of 3308	2036	244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe	81
PID 2036 wrote to memory of 2680	2036	244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe	82
PID 2036 wrote to memory of 2680	2036	244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe	82
PID 3308 wrote to memory of 1728	3308	WScript.exe	84
PID 3308 wrote to memory of 1728	3308	WScript.exe	84
PID 3308 wrote to memory of 1728	3308	WScript.exe	84
PID 1728 wrote to memory of 3712	1728	cmd.exe	86
PID 1728 wrote to memory of 3712	1728	cmd.exe	86
PID 1728 wrote to memory of 3712	1728	cmd.exe	86
PID 1728 wrote to memory of 4412	1728	cmd.exe	90
PID 1728 wrote to memory of 4412	1728	cmd.exe	90
PID 1728 wrote to memory of 4412	1728	cmd.exe	90
PID 1728 wrote to memory of 816	1728	cmd.exe	91
PID 1728 wrote to memory of 816	1728	cmd.exe	91
PID 1728 wrote to memory of 816	1728	cmd.exe	91
PID 1728 wrote to memory of 4916	1728	cmd.exe	92
PID 1728 wrote to memory of 4916	1728	cmd.exe	92
PID 1728 wrote to memory of 4916	1728	cmd.exe	92
PID 1728 wrote to memory of 5116	1728	cmd.exe	94
PID 1728 wrote to memory of 5116	1728	cmd.exe	94
PID 1728 wrote to memory of 5116	1728	cmd.exe	94
PID 1728 wrote to memory of 3908	1728	cmd.exe	95
PID 1728 wrote to memory of 3908	1728	cmd.exe	95
PID 1728 wrote to memory of 3908	1728	cmd.exe	95
PID 1728 wrote to memory of 2232	1728	cmd.exe	98
PID 1728 wrote to memory of 2232	1728	cmd.exe	98
PID 1728 wrote to memory of 2232	1728	cmd.exe	98
PID 1728 wrote to memory of 4428	1728	cmd.exe	100
PID 1728 wrote to memory of 4428	1728	cmd.exe	100
PID 1728 wrote to memory of 4428	1728	cmd.exe	100
PID 1728 wrote to memory of 972	1728	cmd.exe	101
PID 1728 wrote to memory of 972	1728	cmd.exe	101
PID 1728 wrote to memory of 972	1728	cmd.exe	101
PID 1728 wrote to memory of 2172	1728	cmd.exe	102
PID 1728 wrote to memory of 2172	1728	cmd.exe	102
PID 1728 wrote to memory of 2172	1728	cmd.exe	102

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe
"C:\Users\Admin\AppData\Local\Temp\244ca178cbb5116d9cde1375b6b9d95e74d1e24612f75c850e69724a6f1ad3cf.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im csrss.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ccsrss.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\System32\vipcatalog"
      4⤵
      Views/modifies file attributes
      PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      "csrss.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5116
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s regedit.reg
      4⤵
      Runs .reg file with regedit
      PID:3908
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      "csrss.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2232
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" ver "
      4⤵
      PID:972
  - - C:\Windows\SysWOW64\find.exe
      find "5."
      4⤵
      PID:2172
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2680

C:\Users\Admin\AppData\Local\Temp\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
6.0MB

MD5
8f6e38cc55206473121c8bf63fcbcf2d

SHA1
35504ce4bc1cea9e737a3be108cd428ab2251e1d

SHA256
fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

SHA512
083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
6.0MB

MD5
8f6e38cc55206473121c8bf63fcbcf2d

SHA1
35504ce4bc1cea9e737a3be108cd428ab2251e1d

SHA256
fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

SHA512
083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
6.0MB

MD5
8f6e38cc55206473121c8bf63fcbcf2d

SHA1
35504ce4bc1cea9e737a3be108cd428ab2251e1d

SHA256
fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

SHA512
083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
6.0MB

MD5
8f6e38cc55206473121c8bf63fcbcf2d

SHA1
35504ce4bc1cea9e737a3be108cd428ab2251e1d

SHA256
fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

SHA512
083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
663B

MD5
836eb56035271bdd5ba96d7d3e9ea733

SHA1
f38a9c5e37947dbcf59e9bb728316eeefb1cc630

SHA256
c70172116a25dcc9c067a4c557103e5e2350c419cd728b8efc6a438409179748

SHA512
f9ff472f6f892604d3457738636ef5af20a35346264677c510dda5a76bbb0f9c7645e7a38cea77864c903e257df4eeb4e5daf4254c4e12b4d06df57b21fea2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
117B

MD5
65fc32766a238ff3e95984e325357dbb

SHA1
3ac16a2648410be8aa75f3e2817fbf69bb0e8922

SHA256
a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

SHA512
621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

Download Submit
C:\Users\Admin\AppData\Local\Temp\regedit.reg

Filesize
12KB

MD5
17bb440d7ba46e17a987ed1f374f2ac1

SHA1
728ee6597098eea4be6f6b6b47fe78ed9cf398c9

SHA256
db044f668a36fd829dfaa5795987509dec80220ddab120722329c34a7dce22e4

SHA512
2845891eb7259be7a8553c347560c4feadabe14637763080bd7f22b56818abbce884e61852d64fe921a147133268d5ac008da693ea39cca87dcf8e7ed01ee6ac

Download Submit
memory/2680-156-0x000000001BE0A000-0x000000001BE0F000-memory.dmp

Filesize
20KB

Download
memory/2680-155-0x000000001D120000-0x000000001D15C000-memory.dmp

Filesize
240KB

Download
memory/2680-154-0x000000001D0C0000-0x000000001D0D2000-memory.dmp

Filesize
72KB

Download
memory/2680-139-0x00007FFC2E400000-0x00007FFC2EEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2680-138-0x0000000000E70000-0x0000000001056000-memory.dmp

Filesize
1.9MB

Download