rms | 94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e

Analysis

max time kernel
7s
max time network
135s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe
Size

4.1MB
MD5

31a8cb6a5c8db75522c9c470243c7fc8
SHA1

4a78c47ad57b2c74cba64f2eccc7e051e50c996f
SHA256

94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e
SHA512

86115245885a14200c788abb327740d143a3cd865a3d03f9cd0871a90a2dbd0f7734942abbc84fc1064eebf023e26eaff7109ad65301e61faf44ea4ca8c12d50

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 1 IoCs

pid	Process
1476	data.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Loads dropped DLL 3 IoCs

pid	Process
276	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe
276	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe
276	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
980	timeout.exe
1800	timeout.exe
1280	timeout.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1516	regedit.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 276 wrote to memory of 1476	276	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe	28
PID 276 wrote to memory of 1476	276	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe	28
PID 276 wrote to memory of 1476	276	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe	28
PID 276 wrote to memory of 1476	276	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe	28
PID 276 wrote to memory of 1476	276	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe	28
PID 276 wrote to memory of 1476	276	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe	28
PID 276 wrote to memory of 1476	276	94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe	28

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
928	attrib.exe
756	attrib.exe
680	attrib.exe
1756	attrib.exe
272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe
"C:\Users\Admin\AppData\Local\Temp\94cee9364c9b5bb05b4633f55c6646304768a107f8e0096935476c2709d92c4e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276
- C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe"
  2⤵
  - Executes dropped EXE
  PID:1476
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"
    3⤵
    PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Log\Windows\hiscomponent\install.bat" "
      4⤵
      PID:1812
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:1800
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Remote Manipulator System\rfusclient.exe"
        5⤵
        Views/modifies file attributes
        
        PID:680
    - - C:\Remote Manipulator System\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        
        PID:1728
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Remote Manipulator System\rutserv.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1756
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Remote Manipulator System\*.*"
        5⤵
        Views/modifies file attributes
        
        PID:272
    - - C:\Remote Manipulator System\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        
        PID:1536
    - - C:\Remote Manipulator System\rutserv.exe
        
        rutserv.exe /start
        5⤵
        
        PID:1572
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:1280

C:\Windows\SysWOW64\timeout.exe
timeout 1
1⤵
- Delays execution with timeout.exe
PID:980

C:\Windows\SysWOW64\regedit.exe
regedit /s "Windows\hiscomponent\regedit.reg"
1⤵
- Runs .reg file with regedit
PID:1516

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Log"
1⤵
- Views/modifies file attributes
PID:928

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Remote Manipulator System"
1⤵
- Views/modifies file attributes
PID:756

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f
1⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
1⤵
PID:1220

C:\Remote Manipulator System\rutserv.exe
"C:\Remote Manipulator System\rutserv.exe"
1⤵
PID:1972
- C:\Remote Manipulator System\rfusclient.exe
  "C:\Remote Manipulator System\rfusclient.exe" /tray
  2⤵
  PID:1736
- C:\Remote Manipulator System\rfusclient.exe
  "C:\Remote Manipulator System\rfusclient.exe"
  2⤵
  PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Log\Windows\hiscomponent\install.bat

Filesize
1KB

MD5
d150ad4601b180ae466174c36b3adbf9

SHA1
49f3844858bc5a396201b08ad1c3f9384d1c0e98

SHA256
00915d1b31a1fa86614412173e80560667396181092835c18584c9890d70343f

SHA512
fb01613b0e5eb7c9028cfeb8944517253b4c3378074fe8ad841e50f5b18f7bc3d052ad6d19be9907ef640d9e922bc8b84ff8f6020e17787d280678319555519e

Download Submit
C:\Log\Windows\hiscomponent\regedit.reg

Filesize
12KB

MD5
c7773a85904b375a8676fb4259901720

SHA1
1a813a9a67f48913cc50f94fb6a5a3d50102d955

SHA256
40dddf8a9940d97ed3ac63c34b5972cf72f9e3b52760eb65f5275ad91032c872

SHA512
70cd94604a63d36ea00bd255ebee30d43dfcd7056fb0cf6262eb9d0a38177fc83b6ffecc4635008b8d2b24c8afab6ed0f8e7244e3b6c951ba660b39f7cd4f8d5

Download Submit
C:\Log\install.vbs

Filesize
145B

MD5
bc5fa1fff095d50d252cb327ccd6661b

SHA1
8263ea4ab762f188df0f2902297cc46baf816c5c

SHA256
e8bd8b6ff5f0653e82c7239bfdb2894fbd509b45e581c2458bd84c2fd3d84886

SHA512
1eb5a0bc2b3c3ffa6f0967803239313110cd1c3293ecbb6a1f1c2d9d717a2f5aaf042dd28af8520ef63639f291e083c511527515489a45732e6191ad521f544d

Download Submit
C:\Log\rfusclient.exe

Filesize
60KB

MD5
902f2a7b6af6de60adbd7f56292269ba

SHA1
e94afe1cf324c437d99608107c39d330625a02d7

SHA256
14dddb081589d78ddc3dab8f465b87aa008fefdfbb1bfd13a0a37c070989af5f

SHA512
7f2259ca134ff6609cfbdaf5f2570959a8092356a1b485ad607ac959344f0d05a81d95b24f0b245d96446d3ba5e951b3d700aa0eb677ec43fbfbd62f83537e9e

Download Submit
C:\Log\rutserv.exe

Filesize
64KB

MD5
6d6670a37298fc572a16543ed793caa6

SHA1
fd10f21cb414b7959568a3324b9fd8b1f9f5db00

SHA256
7841f80d7330a9d60cf17cdadab4f96c375c704f65ed6f52c34c216d20dba541

SHA512
752a0128162799c2a3448c61496038a5f5e5d83959ff1c44493c099bef4ea2a6298928b80421aac3735c43e9eac600b88e03037f7a4883fc883464aa22e5b4fd

Download Submit
C:\Log\vp8decoder.dll

Filesize
51KB

MD5
cedd0ef678fac0ef32d2beb8059629c9

SHA1
b49ee54b517fea12fe30105044adfd7915e17866

SHA256
525396fa3d8dd89e5688d1e9eacab7a5794371fe68cdb40d45f6e904cba5953d

SHA512
3fadb591cc4d47409a9ea761d693bed07760438c51bc227d30cb91ab1aa63a419b8b767d691f1ecb63189495ada93003c3d7854043846c2addc47da5ae4579c7

Download Submit
C:\Log\vp8encoder.dll

Filesize
86KB

MD5
da488caf8d57782e9f317ea144492acb

SHA1
6474e93e888d4d7b59557b170254c98ceb03b689

SHA256
b70e516c59729411eb08dfdb2a4e269ed924309f290e69da9a09984a3682f4e7

SHA512
90fdb02f6befd78360a7d2be1a80a392374383644761067aa680507efc50255fca751ed00f0b9825254ff8a9a1abc585c7423ce8c71f734f9d3028c1197c5de1

Download Submit
C:\Remote Manipulator System\rfusclient.exe

Filesize
2.8MB

MD5
3dd2ea64f27bf86772055574a1d675bd

SHA1
3e6d96a79be1974c54b2aba638ca8f51c7b2a063

SHA256
4c8c245a8d9e6280b3e472a981382fa6e47cf5a1231de38b63fccba66ed58bcd

SHA512
f0a0943029cc90cd0065598ff396ca49c2e3037739971c23141064dce8a770f2f73f2d0a74e0340f3b7ccdf5c73afcd42cb18bf37730b0c0f1ba10e21f4cb8ca

Download Submit
C:\Remote Manipulator System\rfusclient.exe

Filesize
2.3MB

MD5
80e9119bdb174f48f13d076aaa72eac7

SHA1
0c22bdaab731228596d361e72e7243a5cf9e8803

SHA256
d3fc95fa954ff500a598bbd02d57702ac40f08726d987eedf6924cfd41a4d243

SHA512
c3b853f1b948b09393f3216b2bd222978a0538605e7ed8b466f721a8315b15eb1cd074b5839a3e846df184cee37846e78c8aa41638b48d47de69317395674e55

Download Submit
C:\Remote Manipulator System\rfusclient.exe

Filesize
56KB

MD5
67d4408604ad68c96abf4e0686d0d195

SHA1
73f95ce2f07b1e18b13b9ee95e83a72660d1c3cf

SHA256
ca246a17fba45051a83ccd886157a12078b2c69b0ff157e55fb962063578df12

SHA512
294e4c1b377e340a56c9a57b6d4da315c889413f0979aa98c9daae928e7fa5dcd93e8b0b4011497b81f6b015e9d537ef18e5f4c27023d146629ba81727d42cb8

Download Submit
C:\Remote Manipulator System\rutserv.exe

Filesize
55KB

MD5
b71815ad57ebf3f73204f47b0f5e1dfa

SHA1
e92b658b68a8cccdb469cf64c7cbf3eaa0b080fe

SHA256
8a6fd75ff5dbb05341bb24e4d5b50a7ced7db142c3999d0a0cc33664c1ac0821

SHA512
11451da09a2de230b3ed67e5587c65e107882c62bdfb8eb58da778c69f73020c6743fc909f17aef2dbd5f45c0fa3269c73c4b92962cbcdd00c9081b8ece94c73

Download Submit
C:\Remote Manipulator System\rutserv.exe

Filesize
22KB

MD5
dd9d5c49b961fa7f60110d4f7e87ddcf

SHA1
481f8724b5472706feabf1d54ef2ecc3bd47a675

SHA256
6a1b59d4159e6fbb8a6f802969f24b101684b43c488b4813840926a854b7f413

SHA512
85f0f3e121fea3d56251aa29c989db6d84c45c90c568e05254c57a060433918877f22e7d2d276ff8e8dc4b842c181db3204c4e12bcd6a1ff25cbded4f051f01a

Download Submit
C:\Remote Manipulator System\rutserv.exe

Filesize
73KB

MD5
a02b82c7bac38191c534e3d31e44f27d

SHA1
22c970c73f9b5a535cfaf374181df85c1cfd2cf7

SHA256
570fa85686a011db1ab917ca4dcdbc915f5756ffe7ea9d58cf7cc78ba79a34bc

SHA512
225d7f1e84cbaaa0f949cb9e877dc3f208b29e312f2417c9dddd7bcbb5c9a2c70aae6f6e295e723a2ed4c19eb1c8f57d89b47f263c4eebd9adb8a6b5e6a27b4f

Download Submit
C:\Remote Manipulator System\rutserv.exe

Filesize
105KB

MD5
3e8fd1b2ad961063e20537379cc195f5

SHA1
0d50d6bdbffb3fad3010382d4a98bd6230bd963f

SHA256
9921903e3baf46cd2d0ae6b19453f5d5c5f71f000abe1a285012122bfb6a7f84

SHA512
94401e8e4dba9720c5d8438bedf8febdb7ca0524d22e0eb43a3cec467a46ac0add84741635e082693be4813810b25b67046f634e5ef490c0466e7a991c79c9cf

Download Submit
C:\Remote Manipulator System\rutserv.exe

Filesize
46KB

MD5
560fc3ed706f4a8eb528746e5f3e5c2e

SHA1
9891d0e2814f69365ef2c6b5fba5ba6ab9b10e89

SHA256
912d2b3710cf591e764a4539d84e95f7b47ef4581a4bd76d31b6c95dd9225969

SHA512
6aa1f128a10b57204dcc7e85f54df159ec4486d86722a8d2c1571cda9930d185fc845f661599735a249acc7b36e95002a9b4733fab4e1361bd9f6053d86216b0

Download Submit
C:\Remote Manipulator System\vp8decoder.dll

Filesize
57KB

MD5
46bf1c8595f38164195066f9a9e809a9

SHA1
722a84d142c954c472fae64fa7e74d979764f09c

SHA256
dad57f615c519d6c814c5e92fd39d4ed7d4d52a7ce121c4c3cff04e782a4631a

SHA512
a691dd343b9a05a66ca23af0575ad7b8cc8aa46a4d42a57b34c4fc5b0c070a70f9a81b2c2ea444fa0f155475cbc4530214cb63e93c99f00b869e1a2b37054b8f

Download Submit
C:\Remote Manipulator System\vp8encoder.dll

Filesize
51KB

MD5
ee20d874610be1d4db4fb0d61169897a

SHA1
43807871f65a13cdf6e186c12268089a10b2c7d7

SHA256
aeb07bcc714040d086b5ef431390160e0ea8b56923d661edd595bdf99316f032

SHA512
252e91cba874a680fcfa36de89fc51b916eba2a2ca5eb001d192ef010315b349880d9916274e3b8888ab3038b245973ff6a60ce298c5acd9ce10bd3e05d2ce30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

Filesize
14KB

MD5
20489f62205f24c6af3b9ce139e0fc54

SHA1
ddbc1964266e514bd62a3ff6c5fb364dfda1276f

SHA256
6fb4faae503d4153a5db42779aa215dd69d4ffaadde51acb7ff45de856a3034a

SHA512
e2c953bb3bff5a81ffe25615c31593e35447f281ee20831441731f591fdc0f06d68e29273c0a5a0f4de2d5da51a8266d128bb54bad47eb352c0d5822b1affbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

Filesize
64KB

MD5
3e25ab1a19582d04846ba49dc7949bfa

SHA1
750c6e3daea0a70f126424b43b110f6bcdee85d0

SHA256
527365a3f10fbaba771e02099f957ddf6da395c5b4431966c1febaac36f19057

SHA512
3cc24929e627468bfaddaf270d3307aff4d001aa8ca275070a83ccb4de79c4a2c247a11a79aed0265c8a1e68e0b45105fcd3e19bc64e80b11e21fbcf2855d525

Download Submit
\Remote Manipulator System\rfusclient.exe

Filesize
54KB

MD5
6e12f12cce78ca1f29de94f1ff014d81

SHA1
9a40d92e088be3636e9d279e36bc557ed6b5c73c

SHA256
40153624961d71250ee871321f8598d7ab90cb67441ed1996170173b3d436029

SHA512
ffd8e2354e3e0869afe6febe1072ad59c715ffcdd3dbc4ebc75fb028a4b9b5ee875220722ec227fd25d220939f942986def30070080fc0f4a8edaf1371c595ed

Download Submit
\Remote Manipulator System\rfusclient.exe

Filesize
7KB

MD5
5854e006a2ac878cd6b7f8aaa925bbc8

SHA1
5a2b62a798b91064f4a56bb66743ea7973546eea

SHA256
56505ff71860c598bffab3cd0cd580ac9f4d795495e90bd8559d96bcfd169929

SHA512
bd14751a9959fa047a94f4d78fd41fcdee8cd32f5cbfb5b805576a2be19c2a92f7ae393ce07015152e9ae124c2a6c5686b910dd2ae6888d5b80f4c7536800618

Download Submit
\Remote Manipulator System\rutserv.exe

Filesize
83KB

MD5
a931355823f43466750dcecd05a808dd

SHA1
f3e833599e28e23d68b39f8016edb18580d99c4f

SHA256
0d05bca4c372c60040f26691a8068c73b2f7fdc88cc811b45bb14a7cc556cbf7

SHA512
f22f3e6654cd3c0948ecfd06751713b74a38a315fa83626828dafec6f57f60174c929e4b1a71431707022add5624c350063322526d5aa5fb3ccaa2bf17f1b9c4

Download Submit
\Remote Manipulator System\rutserv.exe

Filesize
63KB

MD5
8552da2768466c969b70089819fc3921

SHA1
2f3d2f4dd09ec5f72f9f294cfb26a2abd00005f7

SHA256
29d1e8a6bf267a3ba3764fc13af29f003051182bce99643910bfef1c2ddf945c

SHA512
49aa8f147307bae4b7e8be88bc4e0c7427018fd4533e9372f299bd3704988d7cda02c204cfc3bb26d8757a2440e7fd70831dfe20cbdd6c7e6ed289237b7586d7

Download Submit
\Remote Manipulator System\rutserv.exe

Filesize
32KB

MD5
3a3d565dedc20a1507de9d861e24e64f

SHA1
88696058c9aa5651c4ca243deb4ad015bbc2b5dd

SHA256
6a5736dfc7621be28d0dd9dcfc3a5b1db1c894f51f800f126550b4eced0e6086

SHA512
e9bd7763ae131c79364c881afd5a728efc5c2bc982a09473639a115c453ba5f492f1f0717fb6038fc550d931a0d2088d58f43990280636c622c808e1e37494ff

Download Submit
\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

Filesize
40KB

MD5
d775d8d7f658a825174ec1a35f322c4f

SHA1
a7dbc05da440cfaa47f58d56301028ba3e3e1546

SHA256
9367ca0062aeaba2278f1ffa7dc3dc28794c20089123a096d3718e1370b76b3f

SHA512
4b98b91eca27a3cd4990090927f7351ea6f40298dc409888ec3260d59eb73726173099c1c2240e1b1b6dc31008132b4994d4b364e9f9394bd1bc3cc4bbd5f4ee

Download Submit
\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

Filesize
21KB

MD5
89850c920be1d94a439b5f4e717a4af4

SHA1
46514bdda2a9c3e293e4dc427cada34469379277

SHA256
760e63f3668e0df4f81e1bf634e783786a4d9841c9cf56338b1bd2242fdb1be6

SHA512
cc506183a72be4514c2a25e07212aa4a7c411e9a79d947ac7d8d3d8102f784b6355e912bf6f6e1b5f598aa0457fbf7991138509f99f4f158cad9ca9079eb2881

Download Submit
\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

Filesize
92KB

MD5
a6f290a579b3b38bce3cdea1f4823697

SHA1
1b6f06c7479539064605ff1123f86fb2a62b52cb

SHA256
022d5caff4096ecd6399dc77f388fafafef8208f5b166bf82763c937ed480e2f

SHA512
922092e46eba6e699dfce7541304bcbe2cf6db92505bdb4e2f15a9a1ccd729ec9d892e2258de2f81ec37cae3d3e7c58b290eb82d68f9125e9811694ebd48b822

Download Submit
memory/276-54-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads