rms | eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73

Analysis

max time kernel
26s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
Size

6.2MB
MD5

e82db76be0d58a328eee825d535ff439
SHA1

9a86912e4b058b3947b2e6aa6d7673a1db28c04d
SHA256

eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73
SHA512

ffbad76e3b46f77adfcd9296442e488dfcd9d32c3424e43f853a3a77c1f6580325b03bafff32cdea021fd607b871e686555fffd2a2b6676a0462c68005edd690

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1systemsmss.exe, explorer.exe"	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1systemsmss.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 3 IoCs

pid	Process
2676	1systemsmss.exe
2600	svnhost.exe
4016	svnhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	1systemsmss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	1systemsmss.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File created	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File created	C:\Windows\Zont911\Regedit.reg	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File created	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File created	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File created	C:\Windows\Zont911\Tupe.bat	1systemsmss.exe
File created	C:\Windows\System64\1systemsmss.exe	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
File opened for modification	C:\Windows\System64\1systemsmss.exe	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
File created	C:\Windows\Zont911\Home.zip	1systemsmss.exe
File created	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2552	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	svnhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2600	svnhost.exe
4016	svnhost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2676	2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe	81
PID 2300 wrote to memory of 2676	2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe	81
PID 2300 wrote to memory of 2676	2300	eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe	81
PID 2676 wrote to memory of 2552	2676	1systemsmss.exe	82
PID 2676 wrote to memory of 2552	2676	1systemsmss.exe	82
PID 2676 wrote to memory of 2552	2676	1systemsmss.exe	82
PID 2676 wrote to memory of 2200	2676	1systemsmss.exe	83
PID 2676 wrote to memory of 2200	2676	1systemsmss.exe	83
PID 2676 wrote to memory of 2200	2676	1systemsmss.exe	83
PID 2200 wrote to memory of 3572	2200	cmd.exe	85
PID 2200 wrote to memory of 3572	2200	cmd.exe	85
PID 2200 wrote to memory of 3572	2200	cmd.exe	85
PID 2200 wrote to memory of 2600	2200	cmd.exe	86
PID 2200 wrote to memory of 2600	2200	cmd.exe	86
PID 2200 wrote to memory of 2600	2200	cmd.exe	86
PID 2200 wrote to memory of 4016	2200	cmd.exe	87
PID 2200 wrote to memory of 4016	2200	cmd.exe	87
PID 2200 wrote to memory of 4016	2200	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe
"C:\Users\Admin\AppData\Local\Temp\eb91d289197f07fda8a08894d029fbe33e91bb323b768b270f72ea836ef32b73.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System64\1systemsmss.exe
  "C:\Windows\System64\1systemsmss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      PID:3572
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2600
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4016
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /start
      4⤵
      PID:4236

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
PID:4720
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  PID:4344
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  PID:4376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads