rms | 6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5

Analysis

max time kernel
8s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24/05/2022, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe
Size

2.6MB
MD5

8a2a1a539b09daea31c6d7b5fe030a5f
SHA1

afe6bf6655244be1b4b873ec47acfc265cf4ca4b
SHA256

6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5
SHA512

13e882472e197179ec7f95584f0a4c7809e9b88164b92c5ddd03cb60c66f5779810c528fb7627ee50f14f581b896ae4292fa4f70e7d303774e6fad7f15556c3c

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023165-161.dat	upx
behavioral2/files/0x0006000000023163-162.dat	upx
behavioral2/files/0x0006000000023169-165.dat	upx
behavioral2/files/0x0006000000023169-164.dat	upx
behavioral2/files/0x0006000000023169-167.dat	upx
behavioral2/files/0x0006000000023169-171.dat	upx
behavioral2/files/0x0006000000023169-172.dat	upx
behavioral2/files/0x000600000002316a-173.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
2128	timeout.exe
4312	timeout.exe
4736	timeout.exe
4188	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
864	taskkill.exe
4256	taskkill.exe
3436	taskkill.exe
2144	taskkill.exe
4892	taskkill.exe
4120	taskkill.exe
4896	taskkill.exe
3748	taskkill.exe
1352	taskkill.exe
4404	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe

Runs .reg file with regedit 2 IoCs

pid	Process
228	regedit.exe
2948	regedit.exe

Runs net.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3472	2292	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe	78
PID 2292 wrote to memory of 3472	2292	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe	78
PID 2292 wrote to memory of 3472	2292	6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe	78

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4164	attrib.exe
4216	attrib.exe
4408	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe
"C:\Users\Admin\AppData\Local\Temp\6dee044e1e077b37eb47648c3debefb74a8ba80be576cbd94dccf4924e158ec5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Log\run.vbs"
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Log\pause.bat" "
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:2128
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:4312
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"
      4⤵
      PID:2836

C:\Log\Rar.exe
"Rar.exe" e -p65352493 db.exe
1⤵
PID:1892

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
1⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Log\install.bat" "
1⤵
PID:4028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im rutserv.exe
  2⤵
  - Kills process with taskkill
  PID:864
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im systemc.exe
  2⤵
  - Kills process with taskkill
  PID:4256
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im dumprep.exe
  2⤵
  - Kills process with taskkill
  PID:4896
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im gomi.exe
  2⤵
  - Kills process with taskkill
  PID:3436
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im rfusclient.exe
  2⤵
  - Kills process with taskkill
  PID:3748
- C:\Windows\SysWOW64\net.exe
  net stop RManService
  2⤵
  PID:4816
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
  2⤵
  PID:1080
- C:\Windows\SysWOW64\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4736
- C:\Windows\SysWOW64\regedit.exe
  regedit /s "regedit.reg"
  2⤵
  - Runs .reg file with regedit
  PID:228
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f
  2⤵
  PID:256
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f
  2⤵
  PID:5088
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im winlogs.exe
  2⤵
  - Kills process with taskkill
  PID:2144
- C:\Folder58\gomi.exe
  gomi.exe /silentinstall
  2⤵
  PID:3976
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im drivemanag.exe
  2⤵
  - Kills process with taskkill
  PID:1352
- C:\Folder58\gomi.exe
  gomi.exe /firewall
  2⤵
  PID:1908
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im rfusclient.exe
  2⤵
  - Kills process with taskkill
  PID:4892
- C:\Folder58\gomi.exe
  gomi.exe /start
  2⤵
  PID:2592
- C:\Windows\SysWOW64\regedit.exe
  regedit /s regedit.reg
  2⤵
  - Runs .reg file with regedit
  PID:2948
- C:\Windows\SysWOW64\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4188
- C:\Windows\SysWOW64\sc.exe
  sc config RManService DisplayName= "RManService"
  2⤵
  PID:1488
- C:\Windows\SysWOW64\sc.exe
  sc config RManService obj= LocalSystem type= interact type= own
  2⤵
  PID:4560
- C:\Windows\SysWOW64\sc.exe
  sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
  2⤵
  PID:4856
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Folder58\*.*"
  2⤵
  - Views/modifies file attributes
  PID:4164
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Folder58"
  2⤵
  - Views/modifies file attributes
  PID:4216
- C:\Windows\SysWOW64\attrib.exe
  attrib +s +h "C:\Log"
  2⤵
  - Views/modifies file attributes
  PID:4408
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im rar.exe
  2⤵
  - Kills process with taskkill
  PID:4120
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im rar.exe
  2⤵
  - Kills process with taskkill
  PID:4404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RManService
1⤵
PID:4656

C:\Folder58\gomi.exe
C:\Folder58\gomi.exe
1⤵
PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Folder58\gomi.exe

Filesize
69KB

MD5
810f23af98f79cbd759b37c7c1cf5a45

SHA1
5857807aa0064389ee1c6a66b0b5d95f58ab5c2a

SHA256
43a936c7c67bfdde985a9d31886584f72c09a1b8336f29a148da6c24d36aedd3

SHA512
140836481c1fefc5987ee15ba61e99eda0088cac2e1c4c33a24eb65c71de31fbe3f8c0a251f4ce8ac4878168e389a4884cb757995a573d5d99b74dc412ab8ca5

Download Submit
C:\Folder58\gomi.exe

Filesize
114KB

MD5
9ddc7b6bbbd354827e42805be9010c76

SHA1
1fa4052e39a204f7be59b9f88d2d2b3fd8607110

SHA256
aba242c18ed05c5bbe2330e18fb52d1a7febec453db71d1be6281b6e6a01b90b

SHA512
b3c59c635017553a24451faf4c420f69ffe7e2742939666d7d13fb662756af66055a1b49681e1a8abf691fc95433afac5feb7f4edbec48d45964a81581427dbd

Download Submit
C:\Folder58\gomi.exe

Filesize
109KB

MD5
b383e765ea2a74023986dc3d5aafed7a

SHA1
774788f8f112e24c76c7a95344531569877dd8bf

SHA256
efb257eac983bd22b313c3dc737b1c792b71a15b22e760212283590afc07b988

SHA512
76c67e4d85fd1bd6a999f734a6f6c636c7804f67807ec0c14a8963e4010cc009512698cbb27d58eeeb83e51612a76784ae1e6f89f80b967267f981b28a50a8e0

Download Submit
C:\Folder58\gomi.exe

Filesize
167KB

MD5
84ab9987fe5699584b42cf243d879f37

SHA1
e717f6c582719bcf682ae7ca86fdd4443a3a8241

SHA256
740448275486e5797650acfe6121dc37a371e6482ccb3e603532c0dfc24734cd

SHA512
fa2ac772857b39a43dbd7013af6758fca5300ccb4657fe1ed2406e09ddaf250f7116db0f57806525a0f6a2cdcc5e4f8c46e54c64875600a62c8abe769cf340b3

Download Submit
C:\Folder58\gomi.exe

Filesize
99KB

MD5
8f85ea82ccc15808b6d3e901d79cac40

SHA1
cb2108f37d8fb959115b2c16a50318ac28873d7e

SHA256
15bc099ab3f460f544276adc5df9acf4fb00e310be635afbc32c385398b1f039

SHA512
3b605ef100374f7bc9afc644cf5bbb9b7ad4f6683a2cb1f11948eebf08351adf6c9b7fbc2f2098fd6b8a91f2154d777cace48da4187914932fd2909f3c7a7f1d

Download Submit
C:\Folder58\install.bat

Filesize
1KB

MD5
379e05ab18749582bc5aa5ea9fbb33e4

SHA1
d18bd461625d8f83150604e209a1754e60c66fef

SHA256
ff6649a0a1168d490529681ea1c801f19dbd8173a487dc1eeaf86650edca32d9

SHA512
e9645d62b79dcf62d30e7623d5215929c92a449b844165a49e9be245dec891e1f6975db3f2d193c4724f88aac83cc12a30bceb0fac0a63bd5f7661742877ab03

Download Submit
C:\Folder58\regedit.reg

Filesize
12KB

MD5
7d50e31b37b58aa43fcfff52c384f16b

SHA1
c3728f85982747d0f8a1349f160b69e7ea23fdcb

SHA256
472f214e33e6bde4ef55b66473a12f8989d6c2b8364199170f939cd9e843a021

SHA512
572aca3ed267c4389e839682376c3b4ff619825b83bfbebd3968473ca93ea68f09af4f47df16b8526e812aec839ee49771d4749717cf056a81d5a2e05dc05f04

Download Submit
C:\Folder58\vp8encoder.dll

Filesize
191KB

MD5
b24b624675320300240f9ad4d3837765

SHA1
36bc1c3f52cd5bacf1508a17ce3b9cec57f415c8

SHA256
a3dc9ddcfc0f95731ba7b0d1b6a9ed9979df2020950f0f34b2fbd46e6d2219db

SHA512
c8183387700fec7294f2d06508406b2412d90933bd2132f93d2da9fc9f6e36dd38092ef4ee6b143e2dbc0f1b7a90b89218a92d2f71799dbea8381e96ac2f7de3

Download Submit
C:\Log\Rar.exe

Filesize
124KB

MD5
16674cb8a7fefffb3475cab287d3f742

SHA1
cc137dcf3951195a80d3df351ccc87dd9fa18b13

SHA256
685f9ea22daf727f241f6598830903ca1b35e2633e9d32af39c5d1dba5774668

SHA512
7a3eff21a860c29117e2779cb471b09d803f4274903e47dee23c680ef9106f43bf28b45321e08b99c4c149e381cdc32498e170f56df4d6431e0668fdd25d865d

Download Submit
C:\Log\Rar.exe

Filesize
83KB

MD5
20b4aaa3a14a46282a9918ff4afb28e6

SHA1
4e6e1b6b3a4018b765cb8dc069d54d3074f25855

SHA256
f6e9f9a5dc38a90ba09144b79a525f97ceb241933758ec116d133af5712a2710

SHA512
f39699b78d070aa2c404e6c82fe3e6d603aeab974379ef3bb3a0636b8ca7575cf91e87f3ca6d6c929dfaff2230d0f17e23ffbdb1c8b27470b09c5e78f067740b

Download Submit
C:\Log\db.exe

Filesize
86KB

MD5
110d420fe776459dc9ddd6ea0e09bb64

SHA1
f7b683032adfc1aff2eaf7d90644e5a9099d2815

SHA256
ad1f05e6ec1ec46aa2f79fe033105a66ac0eaefd12712da06cf118e0463aa592

SHA512
2043c8032bfaebfa02b898d03ab1a2b35173c79fd403362c10b70c901a0a94542574ef24fe0b7311c9c53deea9234281f7fea905aab03ea1767f3104c75b1fee

Download Submit
C:\Log\gomi.exe

Filesize
71KB

MD5
c0c2d5640e37c82f9dbf1fcdcbfbd725

SHA1
d164f0acc786bc3c108ec9f41423cafa1ebcc7fc

SHA256
7ab3b2d1c76996c788089c832105dcc577a194a8d48f3cd30fe4ce5d208055b7

SHA512
e84cf7d72c8ab9909191fdf2a35d23ecc878b52842203a92a761d0afb9069f40f3036c77fb18d8593e94528ab92d24937152c538b7c548ad7c455c6468f83d8f

Download Submit
C:\Log\install.bat

Filesize
1KB

MD5
379e05ab18749582bc5aa5ea9fbb33e4

SHA1
d18bd461625d8f83150604e209a1754e60c66fef

SHA256
ff6649a0a1168d490529681ea1c801f19dbd8173a487dc1eeaf86650edca32d9

SHA512
e9645d62b79dcf62d30e7623d5215929c92a449b844165a49e9be245dec891e1f6975db3f2d193c4724f88aac83cc12a30bceb0fac0a63bd5f7661742877ab03

Download Submit
C:\Log\install.vbs

Filesize
91B

MD5
1f2c79274a03a035333b15ed68fee8e4

SHA1
2e87549734e5a9e48d4ef75fa9fb06e9cfda2a5b

SHA256
50ec14a13ee65068dc43b7d884fc4d6fa7baa0e5a6095a469ce658dd8d78452f

SHA512
8ddec880f4af6ac1a066c5fa4fc0f57a9c97f038a8098a8a073bfe06bd2353b0ba7dc106ab6eaba5f36e057acb54b023b2a56cfc37df5b04bf5263f12f92b750

Download Submit
C:\Log\pause.bat

Filesize
289B

MD5
d340028ad65d29c89e751a66f89ccd13

SHA1
bd062d9e2909df4819d4c64263c441e16776570e

SHA256
44b5bfeb4d47d3c06d3c0dd0e9f029bad3250ea36d72512d3b62ab701bbaf680

SHA512
3bc53564e5af014f8b8ff8ae6cd4ed9df657611b87b342388df04ebeda5ec0623a4114008fc97a2e133f1d37231982edf1beab9bafd75a49c349ad7a374f8328

Download Submit
C:\Log\regedit.reg

Filesize
12KB

MD5
7d50e31b37b58aa43fcfff52c384f16b

SHA1
c3728f85982747d0f8a1349f160b69e7ea23fdcb

SHA256
472f214e33e6bde4ef55b66473a12f8989d6c2b8364199170f939cd9e843a021

SHA512
572aca3ed267c4389e839682376c3b4ff619825b83bfbebd3968473ca93ea68f09af4f47df16b8526e812aec839ee49771d4749717cf056a81d5a2e05dc05f04

Download Submit
C:\Log\run.vbs

Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
C:\Log\vp8encoder.dll

Filesize
118KB

MD5
d1bbace43e90ee6ad674cb400d988b53

SHA1
ff05b86da83a1fb43486c0dbfea987dfabce557b

SHA256
ccb121786f54ba5e13d2fa8f1f733c8c62358ca75ee800e11b4efab8154d3aab

SHA512
79ab729ae4b3db3012c765e03683ad9e9f8352c397d0398d9da1f6185041c70bb5476fc2a44a91c0d16d604188af897dd58da4a8c3b9b639d194caf1269661c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads