rms | 19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064

Analysis

max time kernel
11s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
Size

4.2MB
MD5

97aaf10b6715f935080eaa51e01c57af
SHA1

23e400cbb3a2b7390cf864643c0d09966a2872f9
SHA256

19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064
SHA512

c9fa663568be4633f3acb3f1e699909dce2616a8520b11bad6ebbe8fb380b44c9054c952ab050f881778a64ed340ae9da60901b12fd7ed262adaa860d668eae3

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 4 IoCs

pid	Process
2836	wmplaer.exe
4776	wmplaer.exe
4676	wmplaer.exe
864	wmplaer.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Media player	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File opened for modification	C:\Program Files\Media player\vp8encoder.dll	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File created	C:\Program Files\Media player\install.vbs	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File created	C:\Program Files\Media player\install.bat	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File opened for modification	C:\Program Files\Media player\regedit.reg	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File created	C:\Program Files\Media player\vp8encoder.dll	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File opened for modification	C:\Program Files\Media player\install.vbs	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File opened for modification	C:\Program Files\Media player\install.bat	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File created	C:\Program Files\Media player\regedit.reg	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File created	C:\Program Files\Media player\__tmp_rar_sfx_access_check_240570890	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File opened for modification	C:\Program Files\Media player\vp8decoder.dll	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File created	C:\Program Files\Media player\wmplayerss.exe	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File opened for modification	C:\Program Files\Media player\wmplayerss.exe	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File created	C:\Program Files\Media player\wmplaer.exe	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File created	C:\Program Files\Media player\vp8decoder.dll	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
File opened for modification	C:\Program Files\Media player\wmplaer.exe	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1132	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4528	taskkill.exe
552	taskkill.exe
844	taskkill.exe
4852	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3144	regedit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2836	wmplaer.exe
2836	wmplaer.exe
2836	wmplaer.exe
2836	wmplaer.exe
2836	wmplaer.exe
2836	wmplaer.exe
4776	wmplaer.exe
4776	wmplaer.exe
4676	wmplaer.exe
4676	wmplaer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	4852	taskkill.exe
Token: SeDebugPrivilege	2836	wmplaer.exe
Token: SeDebugPrivilege	4676	wmplaer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2836	wmplaer.exe
4776	wmplaer.exe
4676	wmplaer.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 2996	4100	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe	56
PID 4100 wrote to memory of 2996	4100	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe	56
PID 4100 wrote to memory of 2996	4100	19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe	56
PID 2996 wrote to memory of 1748	2996	WScript.exe	58
PID 2996 wrote to memory of 1748	2996	WScript.exe	58
PID 2996 wrote to memory of 1748	2996	WScript.exe	58
PID 1748 wrote to memory of 4528	1748	cmd.exe	61
PID 1748 wrote to memory of 4528	1748	cmd.exe	61
PID 1748 wrote to memory of 4528	1748	cmd.exe	61
PID 1748 wrote to memory of 552	1748	cmd.exe	66
PID 1748 wrote to memory of 552	1748	cmd.exe	66
PID 1748 wrote to memory of 552	1748	cmd.exe	66
PID 1748 wrote to memory of 844	1748	cmd.exe	67
PID 1748 wrote to memory of 844	1748	cmd.exe	67
PID 1748 wrote to memory of 844	1748	cmd.exe	67
PID 1748 wrote to memory of 4852	1748	cmd.exe	68
PID 1748 wrote to memory of 4852	1748	cmd.exe	68
PID 1748 wrote to memory of 4852	1748	cmd.exe	68
PID 1748 wrote to memory of 1508	1748	cmd.exe	72
PID 1748 wrote to memory of 1508	1748	cmd.exe	72
PID 1748 wrote to memory of 1508	1748	cmd.exe	72
PID 1748 wrote to memory of 3228	1748	cmd.exe	71
PID 1748 wrote to memory of 3228	1748	cmd.exe	71
PID 1748 wrote to memory of 3228	1748	cmd.exe	71
PID 1748 wrote to memory of 3144	1748	cmd.exe	70
PID 1748 wrote to memory of 3144	1748	cmd.exe	70
PID 1748 wrote to memory of 3144	1748	cmd.exe	70
PID 1748 wrote to memory of 1132	1748	cmd.exe	69
PID 1748 wrote to memory of 1132	1748	cmd.exe	69
PID 1748 wrote to memory of 1132	1748	cmd.exe	69
PID 1748 wrote to memory of 2836	1748	cmd.exe	88
PID 1748 wrote to memory of 2836	1748	cmd.exe	88
PID 1748 wrote to memory of 2836	1748	cmd.exe	88
PID 1748 wrote to memory of 4776	1748	cmd.exe	89
PID 1748 wrote to memory of 4776	1748	cmd.exe	89
PID 1748 wrote to memory of 4776	1748	cmd.exe	89
PID 1748 wrote to memory of 4676	1748	cmd.exe	90
PID 1748 wrote to memory of 4676	1748	cmd.exe	90
PID 1748 wrote to memory of 4676	1748	cmd.exe	90

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4196	attrib.exe

C:\Users\Admin\AppData\Local\Temp\19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe
"C:\Users\Admin\AppData\Local\Temp\19d6754ff4b6f0aa3b8c1e0911f9450c2933263cbb99733976e2e903510bd064.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\Media player\install.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\Media player\install.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im wmplaer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im wmplayerss.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:1132
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:3144
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Software Media Player win" /f
      4⤵
      PID:3228
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:1508
  - - C:\Program Files\Media player\wmplaer.exe
      wmplaer.exe /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2836
  - - C:\Program Files\Media player\wmplaer.exe
      wmplaer.exe /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4776
  - - C:\Program Files\Media player\wmplaer.exe
      wmplaer.exe /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Program Files\Media player" /S /D
      4⤵
      Views/modifies file attributes
      PID:4196

C:\Program Files\Media player\wmplaer.exe
"C:\Program Files\Media player\wmplaer.exe"
1⤵
- Executes dropped EXE
PID:864
- C:\Program Files\Media player\wmplayerss.exe
  "C:\Program Files\Media player\wmplayerss.exe" /tray
  2⤵
  PID:900
- C:\Program Files\Media player\wmplayerss.exe
  "C:\Program Files\Media player\wmplayerss.exe"
  2⤵
  PID:228
- - C:\Program Files\Media player\wmplayerss.exe
    "C:\Program Files\Media player\wmplayerss.exe" /tray
    3⤵
    PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Media player\install.bat

Filesize
468B

MD5
ece56e6bad6197ba223d35342f102592

SHA1
f239fcdad49b89fc18cbf9f56f30a8c724b58f4f

SHA256
da7d4826181d2fe0b22e2b6d25fd0ac84acd4be04aea34a41f8a97dc44ace37b

SHA512
2eb6561cbc88437ad317a11fab89de055f4e231fe0fbee1cd9a373274e83cd0d0f1cc16acb52c99864030a00a7c79332abc08993a1b9b97fc4f76da6d8c96f6e

Download Submit
C:\Program Files\Media player\install.vbs

Filesize
117B

MD5
65fc32766a238ff3e95984e325357dbb

SHA1
3ac16a2648410be8aa75f3e2817fbf69bb0e8922

SHA256
a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

SHA512
621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

Download Submit
C:\Program Files\Media player\regedit.reg

Filesize
11KB

MD5
d8a722095a0d1710c9c2789c0d0be2cf

SHA1
1567edf5e7da78eac3d40d70fe1d422977dc67e1

SHA256
27eb62d80a2d2f7314b39b78087ff9fe0e89cee9678b20d8a350906872cd16b7

SHA512
e8138121206019a21792bfa1a5fe7709898dc08bdb285fc54aec1f7f2cffbcd0849b09b145f2c85e86764e48685f1aa369d8b75467f771ef998fe242169beb19

Download Submit
C:\Program Files\Media player\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Program Files\Media player\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Program Files\Media player\wmplaer.exe

Filesize
3.9MB

MD5
0b1eb1a9b7a02bb44fff06728cba1484

SHA1
fe46cffd47f51d272e6e47a85328a7f4e12665c5

SHA256
6ff693cf36feb70fa9140cc374f4c9ca23d1d091441f02b9019694ce5ac59184

SHA512
95f2555e01d269194d35d1205a2367024f1732c97fc70372dc8ade53014c1f9eee97dabd1ebea576bc1c6741e57ca72f21e19d1251cb5f67472a57ee1cfa8835

Download Submit
C:\Program Files\Media player\wmplaer.exe

Filesize
5.3MB

MD5
dfb275ad71ef3c176ab7702cf40034b5

SHA1
9087482a2ed8eb025491926cb59cebb93b5495a4

SHA256
fee54bd7d487d28dd67b45fdf91887c2b102b7f3103f8a15b84f48dcf66cbbca

SHA512
d0ae7625f0843fa6c01a8ae89d8eac8a75e5368a06efdfd851203ab5f75908f438e91636f7e4f7a04504f053f74f73c73e56f838fea75896d830a7aea3bacbf6

Download Submit
C:\Program Files\Media player\wmplaer.exe

Filesize
6.0MB

MD5
13a9a353d0d928dd0077ce5ac52043f0

SHA1
8ae26a367acad1185077096a092c54cb2f9adf04

SHA256
f273664db3d1e4a334de157d5caecf2b47b05f801008abc8d8bfce93505d44bb

SHA512
187c2633d10e352ce2ad579dece9871835b98f6432638265b50d4db36c1a0bf1dd50e37c24813db059e655a4a40f82b3a26a417d59d18fd8ca3e12b4331c38e6

Download Submit
C:\Program Files\Media player\wmplaer.exe

Filesize
5.6MB

MD5
4b2bc0181eee2d247979aeb365deeb5a

SHA1
e0134d3c647f765843363edcce9bf8e25769ccc2

SHA256
359ac6d0b028b77ba36c6eb4a295c2f136c28e12e670c8da08c82a3d8acc9417

SHA512
0bce7453ec82b20a34f32f30410935e0d376e6e7abc5681f7b0ce974dd683c07709bc2bf449f2cc2c9434ef7965379ed77d3b10bc2e0cd0a612505cbcf6f23f8

Download Submit
C:\Program Files\Media player\wmplaer.exe

Filesize
3.5MB

MD5
e314af2a6c4d5809b056b83f0aed7419

SHA1
d8767a52c05ba77cbf7d87b248618918af7590d6

SHA256
b00da5d75184014d198561e3b9afd1e1bbcc72d6fb427c4e41584fb657b53137

SHA512
9f17baf8586514681c187058bf0698fe08937155bc0a8785bdf00a9046af4ec93b8e048f14f6d8da574a0e4ce25c79799c6da39c46851009b1e7e501f61946a2

Download Submit
C:\Program Files\Media player\wmplayerss.exe

Filesize
4.9MB

MD5
8a4429865a57edc364f1920204eaa62c

SHA1
04f5c105c46cec8a83af8db95492fe48c379f5f5

SHA256
ef9a210c8827989462d8d7bf35c53cdbb3e94aaad32f0b24c131c121cc70ffbb

SHA512
cdc0e2fd29825c9221ec100500b427ef431c9a24f628a621ceb78ea13167c6f551c1ef2499e4abff0ed3652d2733d51c5148c57de54826620ff2a1add10509db

Download Submit
C:\Program Files\Media player\wmplayerss.exe

Filesize
3.3MB

MD5
359746195d08e3775c79b19764566dac

SHA1
7349c5a6b86b5cf50bddcd643f03e2b71d35581d

SHA256
068e3a02d2626ca04f41f7dd25b6940cca0a9554e529a82d3c7867f2fc11ce3a

SHA512
5601d0cd4b8e0900e1ed6cc2b40740a03774b5e0adfe7b9daec4ac1cd0e181b13e4023ab2b6160ce53283357b41da2c50e2586ed57bdd4bbdf7f226a910df687

Download Submit
C:\Program Files\Media player\wmplayerss.exe

Filesize
1019KB

MD5
f9cb56dc7095777bd627d47a652e6768

SHA1
1d3d62a96e07a35fa693d328512cb966387ab21f

SHA256
f1231a696476b661642f429b629d9ef5b2959998020939a3f2c6e1eeb1df95a4

SHA512
977d8b4d6edac34ce3cb35176b3c4e799fdcdd627b14b266eff9a95945fbeb998eec22a9d0dd32390bd0f4927b8b406b6db338c9288e21efe33001522016ca55

Download Submit