rms | 5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a

Analysis

max time kernel
4s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24/05/2022, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
Size

4.5MB
MD5

52c78278b86fa5d4eff97690a2db9190
SHA1

f30f7cb2ed3d2a2d450f3e3406aa73cd4495a964
SHA256

5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a
SHA512

fe1633ce8bf39e7eb1989196318e314b03b8ec4bdf0871823b336ce40b449a69c30ff5fc41073deabe6e9c6e8411c51988c5eebd7eb1775558980da11d39d1d6

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002315a-140.dat	acprotect

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002315b-141.dat	upx
behavioral2/files/0x000600000002315a-140.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\System\rutserv.exe	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File created	C:\Program Files\System\regedit.reg	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File opened for modification	C:\Program Files\System	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File created	C:\Program Files\System\rfusclient.exe	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File created	C:\Program Files\System\vp8decoder.dll	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File opened for modification	C:\Program Files\System\vp8encoder.dll	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File opened for modification	C:\Program Files\System\rfusclient.exe	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File created	C:\Program Files\System\mailsend.exe	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File created	C:\Program Files\System\install.bat	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File opened for modification	C:\Program Files\System\install.bat	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File created	C:\Program Files\System\install.vbs	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File opened for modification	C:\Program Files\System\install.vbs	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File opened for modification	C:\Program Files\System\vp8decoder.dll	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File created	C:\Program Files\System\vp8encoder.dll	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File created	C:\Program Files\System\rutserv.exe	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File opened for modification	C:\Program Files\System\regedit.reg	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File opened for modification	C:\Program Files\System\mailsend.exe	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
File created	C:\Program Files\System\__tmp_rar_sfx_access_check_240551484	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1816	timeout.exe
4456	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4268	taskkill.exe
4836	taskkill.exe
3736	taskkill.exe
3880	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3212	regedit.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 3124	2484	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe	78
PID 2484 wrote to memory of 3124	2484	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe	78
PID 2484 wrote to memory of 3124	2484	5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe	78

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2020	attrib.exe
2964	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe
"C:\Users\Admin\AppData\Local\Temp\5e5e14222258ab97a1727f4ade75a37f1754cfe3d48e7ae7f9072bafcd21012a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\System\install.vbs"
  2⤵
  PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\System\install.bat" "
    3⤵
    PID:4244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      PID:4268
  - - C:\Windows\SysWOW64\taskkill.exe
      Taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      PID:4836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      PID:3736
  - - C:\Windows\SysWOW64\taskkill.exe
      Taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      PID:3880
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:1816
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:3212
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:3216
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Program Files\System\*.*" +H +S /S /D
      4⤵
      Views/modifies file attributes
      PID:2964
  - - C:\Program Files\System\rutserv.exe
      rutserv.exe /silentinstall
      4⤵
      PID:3468
  - - C:\Program Files\System\rutserv.exe
      rutserv.exe /firewall
      4⤵
      PID:1976
  - - C:\Program Files\System\rutserv.exe
      rutserv.exe /start
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 120
      4⤵
      Delays execution with timeout.exe
      PID:4456
  - - C:\Windows\SysWOW64\sc.exe
      sc config RManService DisplayName= "Windows_Defender v6.3"
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\sc.exe
      sc config RManService obj= LocalSystem type= interact type= own
      4⤵
      PID:4032
  - - C:\Windows\SysWOW64\sc.exe
      sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
      4⤵
      PID:2320

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Program Files\System" +H +S /S /D
1⤵
- Views/modifies file attributes
PID:2020

C:\Program Files\System\rutserv.exe
"C:\Program Files\System\rutserv.exe"
1⤵
PID:4380
- C:\Program Files\System\rfusclient.exe
  "C:\Program Files\System\rfusclient.exe" /tray
  2⤵
  PID:308
- C:\Program Files\System\rfusclient.exe
  "C:\Program Files\System\rfusclient.exe"
  2⤵
  PID:4376
- - C:\Program Files\System\rfusclient.exe
    "C:\Program Files\System\rfusclient.exe" /tray
    3⤵
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\System\install.bat

Filesize
1KB

MD5
faa5cc7f920266c258b73db4cc82d74c

SHA1
cce65f38e87bb80478dfb6d9df14c855827e60bf

SHA256
dfc083aabaf31a69c3d7ab1e39c6bf7fc926b8599a0e822912d785f1e33177dd

SHA512
72496aff6c7842ebf8b38e8d1a8c01bd2b9a5ce1286a7041ee7be0e75e8c6641a88028856471dffb03ccfaf552f2e421bfc816285839e3f8d500537328f6eba1

Download Submit
C:\Program Files\System\install.vbs

Filesize
120B

MD5
c719a030434d3fa96d62868f27e904a6

SHA1
f2f750a752dd1fda8915a47b082af7cf2d3e3655

SHA256
2696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f

SHA512
47a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0

Download Submit
C:\Program Files\System\mailsend.exe

Filesize
102KB

MD5
342341872c6fddb54169476f117195a8

SHA1
3c916c3844b5216b20ebfb803fb625de15aa67bc

SHA256
f04da14723bfa3c3cf79aaefc63116fd96e818570458d14189aa21c825926d03

SHA512
3bdc70d31b61dcb1d95f43f4c0a8ba3301409d63f63396b0f303a4583e8023e4f7f3abc87ce272f309632a7d789f8a1d13907de792f538001ac6c7155f0bb3ba

Download Submit
C:\Program Files\System\regedit.reg

Filesize
12KB

MD5
9a56933d0206754adb0651cb2d2bbeef

SHA1
27b44b40b6010edb98c96f63a7307e44d2c98d42

SHA256
ff22b446bef51af2c26136a1999c40661afc9c838e8dd2b8e09a90c7cb7ba626

SHA512
bcf64d20e62e37bd02d4266d72f7409b44c4ea9d862313bcf8b340a194110d0146e30b24b92f7048511f7a21abccb378111a3f800b822930363d19c754141ad8

Download Submit
C:\Program Files\System\rfusclient.exe

Filesize
139KB

MD5
a64ff300d39c87d1452372f66a16e45d

SHA1
c3c5c17ecf8f5c5e9a0fe1368b1f234af7c4a4bf

SHA256
f260da51f79df68f4af9dd1f438535a88aeeda5dc57631d7ad038fd299b0cfef

SHA512
c7ded03829a21f2aa2937e0b3148ab3cd5e3c5445b142a9d59368e83e194f126ac1618832a7b00fb5ccd632d0d3a3cf6d70c2d3e55ff8a14df5bced9fc4b0f39

Download Submit
C:\Program Files\System\rfusclient.exe

Filesize
56KB

MD5
4ed9dfc0f3018011899157fe2cbcb38c

SHA1
52119d4ce9e3162e79a05b3693b676d180ed5ac7

SHA256
f6f6b77ff0b23921404f78d9093fa622ab6834b0fc7728eba0212e230b2fd937

SHA512
4c74b3dba5e30d676cf347c2ee10224b2fb72ee7c187604f356bbefc5876f667d64fd3cd0bcb846a02ea0c4aa6e712d03fb38b2ef60fb800b4837774ec931a47

Download Submit
C:\Program Files\System\rfusclient.exe

Filesize
99KB

MD5
f63c7c70dbd6b940faccb58cc1f6f354

SHA1
7c9c6a9903e39fb8f9779a3f8c90b87539ade92a

SHA256
5f03f3ab1e444053b7afc7444559a3483ab855ac861948a0da4057c4bc2abd5f

SHA512
3f9daecbfb53fe352bdc81d20f57138874a722615b49ee41ddfc66944b9f0963724cde8fdd07ffa9f703a7c4e0b44ff2946a612b3793a0c521e4947c0db72e00

Download Submit
C:\Program Files\System\rfusclient.exe

Filesize
128KB

MD5
4dcb78790b31bd53fb35a571bdd507ec

SHA1
a787be4516f663d224d91f6294805ff3aa830e33

SHA256
4137eafbf1a3c6b9c5fe40a7a4769ebe2a3ed5aa4baf04902f63911b5cea5d47

SHA512
b68093faec7b9a0a09a701d3625d5e0d4bed0806b31b607688366b1562902ff495bdeb1d5d9317f07f8f1e719b2b78393d83224d8cead1014d532232cd1d8be4

Download Submit
C:\Program Files\System\rutserv.exe

Filesize
134KB

MD5
a88ec77025cf5996281684bed4618265

SHA1
b2ac525a8da5db7042200354f995f0bed455607e

SHA256
d67c36415a5782a34194957adaf1b0c1342b5edadb89c45d28b7878425c6624d

SHA512
bff8a166214125569ba852332e5b0e83a957daa4ead1681e0cb952342d7a2825fc76be12df5d2e2006814fbd676e4e02f4a84162c755f1df89e852dccb4b3664

Download Submit
C:\Program Files\System\rutserv.exe

Filesize
92KB

MD5
d0425547769f799072a5203b43d2fa8b

SHA1
34c6e9e46556143198bc87e5b19b17eb3d699c4e

SHA256
fd1f5203eeea65b40e467c1b87bd89ad9d4ecc1dd2e865824881164dac5527ae

SHA512
a44919b78ac9734be6229c64c0dc30b0bc2dbfc65269eda226470f8b5016dc80d761f9d9094096892c0b586985aed6b64f8bcb54d8abdd901ed331f5addce0b0

Download Submit
C:\Program Files\System\rutserv.exe

Filesize
118KB

MD5
cf26ca6b3053632f1c59a37e2dcb40a0

SHA1
2b15d8862d45b662f324bdf5cdceba9f8a0251af

SHA256
70dc2197b0d3048ba7d0afeee530fd0603725bb84c9c27a2086d6c26f5c81e57

SHA512
0a47ae2d3bde4baf9dbd8787b4f2414e06c87a7af946c71f600d4006b74e061229cbe85d013d6340ae28821c0ba1d9dddb87c34c3fa1c57e54fbcfd8ffacaf0b

Download Submit
C:\Program Files\System\rutserv.exe

Filesize
82KB

MD5
61c9bfa3150bb162e55f70d10b301552

SHA1
0290d3b325041afb0fd4072d814001ac0c68ade4

SHA256
2540813b02bc7a790b8411ce1d50ac554e6e6e429a0b4dbc370298b293fbf9f5

SHA512
7ccf9c30b2ce69d7c2271e59e888c910229d18a221afbe508028709d11cba65953c2119c1d4a14022e175ce953b26478a9ab0223b04ed82a7cf7efa21c34e877

Download Submit
C:\Program Files\System\rutserv.exe

Filesize
92KB

MD5
3c2c7b6559deff874033012b067ee6fc

SHA1
de4a9eaa1e85d703fd481a9c5c3fd75043051a1d

SHA256
cd7265fdccb4fcaa5f59278f654d1826cf05c5c70af908b0abc551409a30b6ba

SHA512
1ea28ca17c9eaa2763b1b9e9e147a4690c0189da7a0ff0e5eea5ce7872cd67138a46cc4adc5120afce43869e8962d469dc8e9f921f4b2fda09ef45bf7a621b18

Download Submit
C:\Program Files\System\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\Program Files\System\vp8encoder.dll

Filesize
128KB

MD5
bca91a0fced1099b89e4880237864acc

SHA1
016d7cecae44bc71e776a3c6518283325e8f4c5d

SHA256
a26ba38ce7e70b3e4fdcff6e9b0ce8bd637b1de32fc7b3e95dbc730cacf1e982

SHA512
60cf129466352f76811ab3016665424169414a9ec6e07653033fa03966f27896b78bc9f428ebd5ba9b595b929260f0abe5147fa45792e1523ca08e7cc11aebea

Download Submit
memory/308-192-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/308-187-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/308-184-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/308-191-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/308-188-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/856-200-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/856-201-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/856-202-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/856-203-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/856-199-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/856-204-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1524-167-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1524-182-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1524-169-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1524-171-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1524-170-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1524-168-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1976-164-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1976-159-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1976-163-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1976-162-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1976-160-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1976-161-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3468-156-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3468-151-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3468-152-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3468-153-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3468-154-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3468-155-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4376-190-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4376-185-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4376-189-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4376-183-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4376-186-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4380-174-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4380-177-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4380-176-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4380-175-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4380-173-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads