rms | 7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5

Analysis

max time kernel
5s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
Size

4.3MB
MD5

1a3a539d46d864a5c10bbe55150e03f3
SHA1

8d2d3d4dfe96b4c8fc62264a22bdd289749f0756
SHA256

7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5
SHA512

3504e27c5a6b2e0bc8fa8cf39ef1225df6ef9be6be0bb874d0ebed5dbf4296cd9b9056e018ee5a76067495fcf410b43a16b1d84f1f4e7aa65dac501f9c5c2908

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 4 IoCs

pid	Process
1000	WmiPrvSE.exe
4192	rutserv.exe
2756	rutserv.exe
3120	rutserv.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000231d0-134.dat	upx
behavioral2/files/0x00060000000231d0-133.dat	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vipcatalog\vp8encoder.dll	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File opened for modification	C:\Windows\SysWOW64\vipcatalog\rutserv.exe	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File opened for modification	C:\Windows\SysWOW64\vipcatalog\russian.lg	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File opened for modification	C:\Windows\SysWOW64\vipcatalog\regedit.reg	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File opened for modification	C:\Windows\SysWOW64\vipcatalog	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File created	C:\Windows\SysWOW64\vipcatalog\__tmp_rar_sfx_access_check_240543718	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File created	C:\Windows\SysWOW64\vipcatalog\start.vbs	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File opened for modification	C:\Windows\SysWOW64\vipcatalog\vp8decoder.dll	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File created	C:\Windows\SysWOW64\vipcatalog\russian.lg	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File opened for modification	C:\Windows\SysWOW64\vipcatalog\start.vbs	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File created	C:\Windows\SysWOW64\vipcatalog\install.bat	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File opened for modification	C:\Windows\SysWOW64\vipcatalog\rfusclient.exe	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File created	C:\Windows\SysWOW64\vipcatalog\rutserv.exe	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File created	C:\Windows\SysWOW64\vipcatalog\regedit.reg	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File opened for modification	C:\Windows\SysWOW64\vipcatalog\install.bat	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File created	C:\Windows\SysWOW64\vipcatalog\vp8decoder.dll	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File created	C:\Windows\SysWOW64\vipcatalog\vp8encoder.dll	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File created	C:\Windows\SysWOW64\vipcatalog\rfusclient.exe	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File created	C:\Windows\SysWOW64\vipcatalog\WmiPrvSE.exe	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File opened for modification	C:\Windows\SysWOW64\vipcatalog\WmiPrvSE.exe	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
File opened for modification	C:\Windows\SysWOW64\vipcatalog	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4316	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4828	taskkill.exe
3600	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe

Runs .reg file with regedit 1 IoCs

pid	Process
840	regedit.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4192	rutserv.exe
4192	rutserv.exe
4192	rutserv.exe
4192	rutserv.exe
4192	rutserv.exe
4192	rutserv.exe
2756	rutserv.exe
2756	rutserv.exe
3120	rutserv.exe
3120	rutserv.exe
3120	rutserv.exe
3120	rutserv.exe
3120	rutserv.exe
3120	rutserv.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	3600	taskkill.exe
Token: SeDebugPrivilege	4192	rutserv.exe
Token: SeDebugPrivilege	2756	rutserv.exe
Token: SeTakeOwnershipPrivilege	3120	rutserv.exe
Token: SeTcbPrivilege	3120	rutserv.exe
Token: SeTcbPrivilege	3120	rutserv.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4192	rutserv.exe
2756	rutserv.exe
3120	rutserv.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1844	2712	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe	43
PID 2712 wrote to memory of 1844	2712	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe	43
PID 2712 wrote to memory of 1844	2712	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe	43
PID 2712 wrote to memory of 1000	2712	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe	45
PID 2712 wrote to memory of 1000	2712	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe	45
PID 2712 wrote to memory of 1000	2712	7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe	45
PID 1844 wrote to memory of 3680	1844	WScript.exe	48
PID 1844 wrote to memory of 3680	1844	WScript.exe	48
PID 1844 wrote to memory of 3680	1844	WScript.exe	48
PID 3680 wrote to memory of 4828	3680	cmd.exe	47
PID 3680 wrote to memory of 4828	3680	cmd.exe	47
PID 3680 wrote to memory of 4828	3680	cmd.exe	47
PID 3680 wrote to memory of 3600	3680	cmd.exe	51
PID 3680 wrote to memory of 3600	3680	cmd.exe	51
PID 3680 wrote to memory of 3600	3680	cmd.exe	51
PID 3680 wrote to memory of 4612	3680	cmd.exe	57
PID 3680 wrote to memory of 4612	3680	cmd.exe	57
PID 3680 wrote to memory of 4612	3680	cmd.exe	57
PID 3680 wrote to memory of 4588	3680	cmd.exe	53
PID 3680 wrote to memory of 4588	3680	cmd.exe	53
PID 3680 wrote to memory of 4588	3680	cmd.exe	53
PID 3680 wrote to memory of 4192	3680	cmd.exe	52
PID 3680 wrote to memory of 4192	3680	cmd.exe	52
PID 3680 wrote to memory of 4192	3680	cmd.exe	52
PID 3680 wrote to memory of 840	3680	cmd.exe	56
PID 3680 wrote to memory of 840	3680	cmd.exe	56
PID 3680 wrote to memory of 840	3680	cmd.exe	56
PID 3680 wrote to memory of 2756	3680	cmd.exe	54
PID 3680 wrote to memory of 2756	3680	cmd.exe	54
PID 3680 wrote to memory of 2756	3680	cmd.exe	54

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4588	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe
"C:\Users\Admin\AppData\Local\Temp\7fc961edbd47040dbe29241d252478847ebbf8554db3e197e909c36e17cd56f5.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\vipcatalog\start.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\vipcatalog\install.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3600
  - - C:\Windows\SysWOW64\vipcatalog\rutserv.exe
      "rutserv.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4192
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\System32\vipcatalog"
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:4588
  - - C:\Windows\SysWOW64\vipcatalog\rutserv.exe
      "rutserv.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2756
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s regedit.reg
      4⤵
      Runs .reg file with regedit
      PID:840
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:4316
- C:\Windows\SysWOW64\vipcatalog\WmiPrvSE.exe
  "C:\Windows\System32\vipcatalog\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  PID:1000

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\SysWOW64\vipcatalog\rutserv.exe
C:\Windows\SysWOW64\vipcatalog\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3120
- C:\Windows\SysWOW64\vipcatalog\rfusclient.exe
  C:\Windows\SysWOW64\vipcatalog\rfusclient.exe
  2⤵
  PID:4536
- - C:\Windows\SysWOW64\vipcatalog\rfusclient.exe
    C:\Windows\SysWOW64\vipcatalog\rfusclient.exe /tray
    3⤵
    PID:5080
- C:\Windows\SysWOW64\vipcatalog\rfusclient.exe
  C:\Windows\SysWOW64\vipcatalog\rfusclient.exe /tray
  2⤵
  PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vipcatalog\WmiPrvSE.exe

Filesize
154KB

MD5
64fd6375023b7e7d740a2d5b2f3594bc

SHA1
aca5ef95d3b5b4ee3feca894cf0ef22514d61fe2

SHA256
cecf657dc14600d50d6694fd38c116ddee70ca798cb3c5fc03f66d06cbc7864f

SHA512
a22f19b6d9e89ba1365e858f35462a592dfbd280982c371875a20ff5deb94ee317b043c0d305f28bd1a46e0343d87cdfeadf3032b1136216504f815bfa24722a

Download Submit
C:\Windows\SysWOW64\vipcatalog\WmiPrvSE.exe

Filesize
154KB

MD5
64fd6375023b7e7d740a2d5b2f3594bc

SHA1
aca5ef95d3b5b4ee3feca894cf0ef22514d61fe2

SHA256
cecf657dc14600d50d6694fd38c116ddee70ca798cb3c5fc03f66d06cbc7864f

SHA512
a22f19b6d9e89ba1365e858f35462a592dfbd280982c371875a20ff5deb94ee317b043c0d305f28bd1a46e0343d87cdfeadf3032b1136216504f815bfa24722a

Download Submit
C:\Windows\SysWOW64\vipcatalog\install.bat

Filesize
308B

MD5
d7257fb016b4c895bbd0a014811fc380

SHA1
fff0b0f132e2e2cba1fc986f941ded5d494214b2

SHA256
a9e5c0e62e154171b5cd8bfbbda21d3de43d96614533aa45fdc298fe74c10c76

SHA512
86ba1ffb928400592e158e86789c7b7bf41b41a5c8303ad9aea8f942b2d6497546b881c9327bd196ae852e01e5edc32edc4992040560cd3d8b0486561dad8853

Download Submit
C:\Windows\SysWOW64\vipcatalog\regedit.reg

Filesize
23KB

MD5
579628c2aefec1f068f8f743e311b0b6

SHA1
18a7ae4645d3a5e162a38ae1514089d42093bd90

SHA256
708879cdb382dd855c1c946803721520d61d3e58df6f2a9503e32522313e3bff

SHA512
555a5d258b40e1f109d7d23e2c29d1d2e678e33aaac8a1c4ecec651f8d4c87cbb16aff0fea9aebaa6fc2fedc3ab46bfc69d55fa1370815bdcf01e2876c4ff9b2

Download Submit
C:\Windows\SysWOW64\vipcatalog\rfusclient.exe

Filesize
1.2MB

MD5
ef46d70aba80fc810e9484950b50ee34

SHA1
e2b67921db9ddb492f5adc89c4ea1e3ae0aaf8fe

SHA256
ca58640c775b7f1871c9651991a142f4ac28a6618a0f0931f67dd15f4db20ad9

SHA512
94893ccc4f259a27e6f8742eded467f9f12060a725bbe8c498aad5b9d225fedef79adba7efca96a8ed25845bf9d82915e9c21771644f597ffd1b5e017fdb8356

Download Submit
C:\Windows\SysWOW64\vipcatalog\russian.lg

Filesize
48KB

MD5
37b80cc200e62cdb350f7c86ee61264c

SHA1
35885999a4dc527dfc6d67079c5f82dd4759d78d

SHA256
5c394e7f7e6571ea2de8ebf23d087d452ccfda4b7468db793ce11cafac3e92a1

SHA512
7c1831fdf6584eab78d63245295014ab9361fbfe30c4304c11b4d8ce3eca784d2528c3a3d5183bc05118ab4054ae90cfcfe6a7b1f666839dc45acf5bc4ac2481

Download Submit
C:\Windows\SysWOW64\vipcatalog\rutserv.exe

Filesize
2.4MB

MD5
5d1a03169ab9c171f6e1d506cf936a33

SHA1
cfd2a625db587f7fbc917d45ac911ba83f237777

SHA256
d968a691e02c104b65e1f4ff60be500a5d1f3f7dea58ac551c957ce728d96956

SHA512
773fc462e4d7ab55dd3706bba4f982e5808a945a45401c3f9bbde885218d20af31053a1cd45e0824353a49433e729b52a9023b858926bf67654ebeea0398472f

Download Submit
C:\Windows\SysWOW64\vipcatalog\rutserv.exe

Filesize
2.4MB

MD5
0b42ffd274c04833ce5681c251fef659

SHA1
801bff8525b57246a1dccfe1edb60e36d31edc50

SHA256
e69334efc167d29352d05bcc2861ee92368fbfb04d05c54468f4f82f0fef9566

SHA512
78606e115f23f648e7c3b4a3ae37fa9a69b9088e169bd4044f5759257b9b684462c5efd4961d89b09ba55bac9f290f7d20f4de89aa34b1d6913442adb8b1ec67

Download Submit
C:\Windows\SysWOW64\vipcatalog\rutserv.exe

Filesize
2.0MB

MD5
0e266b762eac0bb0787263e65a851e5d

SHA1
c3a19b8e8ec7e1a6456143b7c6132ddcbf9aec23

SHA256
adb0eae77904b5477f077370662c3a8e1bf4b6d217e827c60ace4c552a284cad

SHA512
7592ece7bdf81dc9b431c01872a3774939d4a40d9a951507cc46042634416407f9576b6792b65b9b2717b7cef23eb1c84953eb82084a13d1fb52dd90d3cb7505

Download Submit
C:\Windows\SysWOW64\vipcatalog\rutserv.exe

Filesize
1.9MB

MD5
8340e70559b0d65f47918678b5410cde

SHA1
84c23052599e458c1847f919ddcf692228c9f7b5

SHA256
f70adcb3d2ec55507d58c4aae0780570daf8338059355b7fab3616c3b7aac354

SHA512
2f663362bbcde4e1309fc24696aee4ad13474123d1dba50c0ca05005c0a992bc2fd712b442b1cb112e7fd15ae21d4c25a2e2d798e7036ae7839d4ede4116f8ab

Download Submit
C:\Windows\SysWOW64\vipcatalog\start.vbs

Filesize
117B

MD5
65fc32766a238ff3e95984e325357dbb

SHA1
3ac16a2648410be8aa75f3e2817fbf69bb0e8922

SHA256
a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

SHA512
621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

Download Submit
C:\Windows\SysWOW64\vipcatalog\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\SysWOW64\vipcatalog\vp8encoder.dll

Filesize
784KB

MD5
8a26e95b5f08c3896a677c6fd5f63a8a

SHA1
e5266b55fadd5d42c61cb709a9b84a9d7bc62426

SHA256
f1388a831e17933e65e30e04fc2861c41300e71bf043f9eb32516043d0d307b4

SHA512
0b4681088266d8d0a583461ab46e7bc9213779473448c122def453e0eda9227a4dfac4d6eca1feff6c8e4f6d49266732d7adc3a203dafafd1125740146ad5839

Download Submit