rms | 9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827

Analysis

max time kernel
27s
max time network
141s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
Size

6.2MB
MD5

c868ed63d0a3667bcc78e15c0e9216e6
SHA1

d7b1f6a519c81ae7db5b5d18b26252e049bfe502
SHA256

9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827
SHA512

8e4f07215a1e8fec3ade29496170302eaf569c5eaadb90e6e32aebe2200cb7041c68d3a9037be5ea2e059b77654aed517d5fdaa61da42cffbc9ea7bf2c526342

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1systemsmss.exe, explorer.exe"	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1systemsmss.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 1 IoCs

pid	Process
1804	1systemsmss.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Loads dropped DLL 3 IoCs

pid	Process
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1804	1systemsmss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	1systemsmss.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System64\1systemsmss.exe	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
File opened for modification	C:\Windows\System64\1systemsmss.exe	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
File created	C:\Windows\Zont911\Home.zip	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File created	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File created	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File created	C:\Windows\Zont911\Regedit.reg	1systemsmss.exe
File created	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File created	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File created	C:\Windows\Zont911\Tupe.bat	1systemsmss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
1220	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe
1804	1systemsmss.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1804	1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe	27
PID 1100 wrote to memory of 1804	1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe	27
PID 1100 wrote to memory of 1804	1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe	27
PID 1100 wrote to memory of 1804	1100	9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe	27
PID 1804 wrote to memory of 1220	1804	1systemsmss.exe	28
PID 1804 wrote to memory of 1220	1804	1systemsmss.exe	28
PID 1804 wrote to memory of 1220	1804	1systemsmss.exe	28
PID 1804 wrote to memory of 1220	1804	1systemsmss.exe	28
PID 1804 wrote to memory of 2040	1804	1systemsmss.exe	30
PID 1804 wrote to memory of 2040	1804	1systemsmss.exe	30
PID 1804 wrote to memory of 2040	1804	1systemsmss.exe	30
PID 1804 wrote to memory of 2040	1804	1systemsmss.exe	30
PID 2040 wrote to memory of 1764	2040	cmd.exe	32
PID 2040 wrote to memory of 1764	2040	cmd.exe	32
PID 2040 wrote to memory of 1764	2040	cmd.exe	32
PID 2040 wrote to memory of 1764	2040	cmd.exe	32

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
580	attrib.exe
1340	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe
"C:\Users\Admin\AppData\Local\Temp\9c7b164a8dfcf5376a73d9b1bd1a0ce574710a78b0faf412f746034e943da827.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\System64\1systemsmss.exe
  "C:\Windows\System64\1systemsmss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /silentinstall
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      PID:1764
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /firewall
      4⤵
      PID:1080
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /start
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\System64\*.*" +s +h
      4⤵
      Views/modifies file attributes
      PID:580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\System64" +s +h
      4⤵
      Views/modifies file attributes
      PID:1340

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
PID:636
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  PID:1992
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\1systemsmss.exe

Filesize
269KB

MD5
b12e0185e46fee852763b520b34f95df

SHA1
29d4a8cd2feac18fbf107cc4e868ea643b8753cf

SHA256
9415eb4b85731025f947ebb53b6c30cc09826acea57f31cb797deff26ef23661

SHA512
d219f650c8f740802fe484eaddb0cc7794fd7a7c47da4a265df0687074a5f9003c20c4134a0597f014105f1496e7e407c1148a44b471f7d8bfe8710716bf8fde

Download Submit
C:\Windows\System64\1systemsmss.exe

Filesize
241KB

MD5
09f9821bd2277dafcf4a8bed13b90a63

SHA1
4330461ada4c8eaf8ff76d9f274ebfe1c0500d10

SHA256
c2b1cd6b42955481e9035f2fa5abfb87033939bf0db85b13ecc27e6bd79d5343

SHA512
300a495bf3d3952e594ed560eb9b4060663205bfdc06cf64910267785f67d15d469e404a3dd755ceea7b4c9b2400e3d87e017a5d920452707daaacedb50e4014

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
381KB

MD5
24e570ff069acbc1d93a1c0172c368df

SHA1
18d95d19dd4618be9bad66ffbe0a65b4baf4c23a

SHA256
fb49d3aa81351a0c0c06d5a16868a336e87683f957baebd6579106564a53f91a

SHA512
bed38ee29826e6b1dd86cc4158056de4a1883aa701126e6a56c1f9e8e63b4cd4cecd56d09c7029c11bf891dda8b071bdf7087b377c5728e5cb42512f2af13ea6

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
381KB

MD5
24e570ff069acbc1d93a1c0172c368df

SHA1
18d95d19dd4618be9bad66ffbe0a65b4baf4c23a

SHA256
fb49d3aa81351a0c0c06d5a16868a336e87683f957baebd6579106564a53f91a

SHA512
bed38ee29826e6b1dd86cc4158056de4a1883aa701126e6a56c1f9e8e63b4cd4cecd56d09c7029c11bf891dda8b071bdf7087b377c5728e5cb42512f2af13ea6

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
fbd460137890250b2cf3203e7c705c15

SHA1
38184211e035726c833ea457a76ba98b7a344a06

SHA256
5e40d1a2a6e2cd884219cb6a1b150db97c474a5d97b96711e3f5aa24db99e651

SHA512
7ddeb322da09e12db3a9462fdd531164fd76fa3cc9326c7dfe161dffa7e44498681a0865e995f4d37dcaa10e4365284363c21e140090f59b861d700365b687c1

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
357B

MD5
e5274839994aefad7d0268f3d9d18c31

SHA1
39edce7d681a25435c2c7607ba51ba45d3217e25

SHA256
dcc09369c3fa2c56fc03fa5982c7836abfe6972cf18e4bb26a9c3ce266ee5149

SHA512
81a97588d1fd81d0257189ed1d6351cb4fedf5c72d79750a611f51ed117232e3825f81bd5189079e656a7c164e76ad3ec56b8522db8ad5f7bb0e26fdcebeb386

Download Submit
\Windows\System64\1systemsmss.exe

Filesize
252KB

MD5
efd339e4bed400add87ac4f7943ce44b

SHA1
3c2555843efc54160f7d693cfbed00e39512af96

SHA256
08652fe0d448c8b3815828619c61327eba5cfac3750fb31058ae402b3834504f

SHA512
7672f6a54c6e7f521ee425b5c194a955cab4306944724dbae2591fcaa1e4f0985ca56a2cb7435d4a125262c3efe790189bb456cc76ca5f2a3e2b877ab991feeb

Download Submit
\Windows\System64\1systemsmss.exe

Filesize
305KB

MD5
bedfab28c395d10b39af10320b1d3bc1

SHA1
b5ce7ba3a9fedb5e0947d014b50d1a7b64c50287

SHA256
ec06ca899a78209383b588672259e65bc6c1a783dbb5183fb8081ff21c7b56ce

SHA512
4e82574c4168b8ed5013b4655b0e2c0e50c62404c46970db4a74c6c129a854916899c53540c138863b064baa85a431f74ef544d82fd1389c460222f20ce93a09

Download Submit
\Windows\System64\1systemsmss.exe

Filesize
404KB

MD5
89ffa00ad9e670d2b657d43862b2217c

SHA1
3c81ed6ad80a02b45f1916406391787e11369123

SHA256
f62ae567d5e33495155712a57809440f94fe3af0c66b9493c2f260082e4c50ef

SHA512
9c1d934bc5877baa0bfdda8baae37301e0355e52a3e70cc024079515fa5169b8c44f747d418e8919d26918b2b5abd1441cf6f9f5c71d373c67062cca31de941e

Download Submit
\Windows\System64\svnhost.exe

Filesize
94KB

MD5
93a209206a5b27227cd426c20ed374dc

SHA1
12821aae4b69ed94f48cb5c247e1dfb4e0c5a540

SHA256
7b00972c4c1b0de9f43d4b67420ebc06526c11cea1bd42f4c3cfcf3aba57c507

SHA512
89171e6fd5e08803de7d00c383fb2cc49c2ca9581e76b538220b31368520548d1e6c7c4ad6ef82685317ab52c0c1c1590869d9ea69d4f71f38a7db2aef5b2850

Download Submit
memory/1100-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download