rms | 0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f

General

Target

0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
Size

4.1MB
MD5

a313b0ec5945300cd6819880ce643c28
SHA1

090c50daf2fc79a32aea056398dd7c1db0d2451f
SHA256

0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f
SHA512

6e39099852ba4b3df242480a1ea00d94cc70e629bd7ee3284792936a76253433b52d659b8c11b1bff9825d4e1508125ec1a012e1c89250904854cf9b6361cf26

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\install.vbs	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File opened for modification	C:\Program Files\regedit.reg	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File opened for modification	C:\Program Files\vp8decoder.dll	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File created	C:\Program Files\vp8encoder.dll	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_7092148	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File created	C:\Program Files\rutserv.exe	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File opened for modification	C:\Program Files\rutserv.exe	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File created	C:\Program Files\vp8decoder.dll	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File opened for modification	C:\Program Files\vp8encoder.dll	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File opened for modification	C:\Program Files\install.bat	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File created	C:\Program Files\regedit.reg	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File created	C:\Program Files\rfusclient.exe	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File opened for modification	C:\Program Files\rfusclient.exe	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File created	C:\Program Files\install.bat	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
File created	C:\Program Files\install.vbs	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
844	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1116	taskkill.exe
652	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
924	regedit.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1680	1944	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe	28
PID 1944 wrote to memory of 1680	1944	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe	28
PID 1944 wrote to memory of 1680	1944	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe	28
PID 1944 wrote to memory of 1680	1944	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe	28
PID 1944 wrote to memory of 1680	1944	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe	28
PID 1944 wrote to memory of 1680	1944	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe	28
PID 1944 wrote to memory of 1680	1944	0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe	28

C:\Users\Admin\AppData\Local\Temp\0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe
"C:\Users\Admin\AppData\Local\Temp\0510c7631be8a7d7de274ef343973501f595ff1eaaac847accc2618c6497c96f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\install.vbs"
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\install.bat" "
    3⤵
    PID:956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      PID:652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:844
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:924
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:1372
  - - C:\Program Files\rutserv.exe
      rutserv.exe /silentinstall
      4⤵
      PID:1804
  - - C:\Program Files\rutserv.exe
      rutserv.exe /firewall
      4⤵
      PID:1900
  - - C:\Program Files\rutserv.exe
      rutserv.exe /start
      4⤵
      PID:1336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
1⤵
- Kills process with taskkill
PID:1116

C:\Program Files\rutserv.exe
"C:\Program Files\rutserv.exe"
1⤵
PID:1536
- C:\Program Files\rfusclient.exe
  "C:\Program Files\rfusclient.exe" /tray
  2⤵
  PID:1624
- C:\Program Files\rfusclient.exe
  "C:\Program Files\rfusclient.exe"
  2⤵
  PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\install.bat

Filesize
290B

MD5
9dc2286281a11ee72985dd2041a58ee3

SHA1
de55198aa0f697ed77e98e3e61deb4cb70ba3b03

SHA256
67f0f1704add831bd00a4977a185a2c97198cc4b3299233f62c3a0820716268a

SHA512
ce4443ec8482cdce28bae0169b0d7df688190a596b914df0bbf62ae2598312c9bfc703ffd2d9b6c548e170bf4cb60cef9d4f9494b0e6391cd8cf6d45affa05f6

Download Submit
C:\Program Files\install.vbs

Filesize
117B

MD5
65fc32766a238ff3e95984e325357dbb

SHA1
3ac16a2648410be8aa75f3e2817fbf69bb0e8922

SHA256
a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

SHA512
621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

Download Submit
C:\Program Files\regedit.reg

Filesize
11KB

MD5
088a4960ae994d0e171c2c58e9ed7956

SHA1
4510b23caf40ccc931697b60bc310c806d386025

SHA256
25310eef11676effdc97de2963830ccdff9d74d3da5987147421e786b548d530

SHA512
54da8fc2573b51ea32cb5b6b373ec620a39bca6cb9c40069892f756bf1f174971998ca4329716fbb175222d22775e4e3e2f352c6c13b084c9c391c7bbe01a33e

Download Submit
C:\Program Files\rutserv.exe

Filesize
4KB

MD5
3b5f3696e106939ff6f07ac565cbaf8b

SHA1
446374f97234efe9f5338f0332f023feb1325473

SHA256
69a18572f3f5123400486550ccd21125aefaf22d6ab0ed36a12004028855b1ab

SHA512
281e7a8040df99b04436f8fc797ce48133e00b784835b9c81ce607b8a4ee3b9715910a5668494687368accd5bfde680dd6b34433571f408cb19697bd5296a548

Download Submit
C:\Program Files\rutserv.exe

Filesize
1KB

MD5
70c0f9bb0b3634fc876434df6f625307

SHA1
73b2b94a725a328eef65f2d40071686f0a4d775e

SHA256
d100317274e889c7d19a8562b0769177b62adb484760ee57830d2b72859ad6ec

SHA512
811f0d1697b1b599b1481eb0a6cba3d7792b371d03d9a376d785d021e20d43769155a8b43f50145c28d1820602047f281103922e1fc253e1468437f1f7c87955

Download Submit
C:\Program Files\rutserv.exe

Filesize
30KB

MD5
2f0b9c074dc649be47eb6a472491eb8d

SHA1
717e0702b76b5cae2a69bf61e7ac9453b91effc4

SHA256
0ebcc9cc7125d50bd7d8157b7bdfdbc562e2a16362fb8eeff602b75846e0aa43

SHA512
5f81359638ad19fd0617ef30b9f7ec7c86c20386fa430a4a34868356c8e9556212852b3d66858e4103908b77d67ea9aec2207473f3fea8115dfb2a32c90f45c2

Download Submit
\Program Files\rutserv.exe

Filesize
11KB

MD5
eeaf2c3668550ac6e184000d5c637177

SHA1
7cd1a37fe52db131c9a06a9733df6706ec4ffc3f

SHA256
77c137197e9dbca73fdbc6cf7f5074e83188ceccfca55998f8131845cdd89a99

SHA512
a8290b8914fd847fe54450dbf5748e1a0a624ca0d093976cc036a68efae2db9c89705b64b442bf22617f2749bcc19f79a359c07475320ce8240666fb595796e6

Download Submit
\Program Files\rutserv.exe

Filesize
7KB

MD5
21aa1f293c4996032cf75f851185dc59

SHA1
11c30582b6df6f948c4c028e315565a803e9c75a

SHA256
1ad61c2981d457af636323c9eb41f74b15ad15367eda1b14afa1c86e3567497b

SHA512
f6708aa4c7cfb81b415ea3b6dca3278cd13dfe82f584598320eeb5a0697f68e6c67dd9d3e3a95158b3cecd555a1b03e242ff230b34fcb0851237b81dce9069b8

Download Submit
memory/1336-98-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1336-100-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1336-129-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1336-97-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1336-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1336-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1536-105-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1536-106-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1536-107-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1536-108-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1536-104-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1624-122-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1624-119-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1624-124-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1624-126-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1624-127-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1804-78-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1804-80-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1804-81-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1804-82-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1804-79-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1804-77-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1900-89-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1900-90-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1900-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1900-88-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1900-87-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1900-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1944-54-0x00000000765C1000-0x00000000765C3000-memory.dmp

Filesize
8KB

Download
memory/1968-125-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1968-121-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1968-123-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1968-128-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1968-120-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing