rms | 7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4

Analysis

max time kernel
17s
max time network
130s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
Size

6.2MB
MD5

92b37954eae6bb90e8e08a249e642013
SHA1

272fb78cdb8f6dc6a3b043f891b47658fa399415
SHA256

7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4
SHA512

5f4155d442aff3659406550851ec9dab38f7664e85fb8acca8cf63fff187e2dcdfec9cc4231f98608f6fcb0b306b518038cff19d05599f9efddeb3e539295d76

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1systemsmss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1systemsmss.exe, explorer.exe"	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 1 IoCs

pid	Process
1900	1systemsmss.exe

Loads dropped DLL 3 IoCs

pid	Process
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1900	1systemsmss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	1systemsmss.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Zont911\Regedit.reg	1systemsmss.exe
File created	C:\Windows\Zont911\Home.zip	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File created	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File created	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File created	C:\Windows\Zont911\Tupe.bat	1systemsmss.exe
File created	C:\Windows\System64\1systemsmss.exe	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
File opened for modification	C:\Windows\System64\1systemsmss.exe	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
File created	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File created	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\svnhost.exe	1systemsmss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
968	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe
1900	1systemsmss.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1900	1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe	28
PID 1212 wrote to memory of 1900	1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe	28
PID 1212 wrote to memory of 1900	1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe	28
PID 1212 wrote to memory of 1900	1212	7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe	28
PID 1900 wrote to memory of 968	1900	1systemsmss.exe	29
PID 1900 wrote to memory of 968	1900	1systemsmss.exe	29
PID 1900 wrote to memory of 968	1900	1systemsmss.exe	29
PID 1900 wrote to memory of 968	1900	1systemsmss.exe	29
PID 1900 wrote to memory of 2040	1900	1systemsmss.exe	32
PID 1900 wrote to memory of 2040	1900	1systemsmss.exe	32
PID 1900 wrote to memory of 2040	1900	1systemsmss.exe	32
PID 1900 wrote to memory of 2040	1900	1systemsmss.exe	32
PID 2040 wrote to memory of 1420	2040	cmd.exe	30
PID 2040 wrote to memory of 1420	2040	cmd.exe	30
PID 2040 wrote to memory of 1420	2040	cmd.exe	30
PID 2040 wrote to memory of 1420	2040	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe
"C:\Users\Admin\AppData\Local\Temp\7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\System64\1systemsmss.exe
  "C:\Windows\System64\1systemsmss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /silentinstall
      4⤵
      PID:2020
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /firewall
      4⤵
      PID:1892
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /start
      4⤵
      PID:1376

C:\Windows\SysWOW64\chcp.com
Chcp 1251
1⤵
PID:1420

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
PID:1636
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  PID:1168
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\svnhost.exe

Filesize
203KB

MD5
6fd359e4d4b7bbbc9edbb11f25c1cefd

SHA1
dbc18edb625622f7e18ee20c506fe33fb54e5f43

SHA256
b48143d46be0f35a11776afafe1badb5141c559e6e58d9e1fab84a22a65bfb00

SHA512
5e07c7f666121189d9075e7ec2148f3f1b4cd25d8f74e43d0e046380c8cfd518af73abcbbaf08dfccd90e67ff5bd58cf8001a7dd872b289ef8fdcedd194d42e9

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
128KB

MD5
b29a3aa4baa411594008bf251ba051f2

SHA1
620d0f5ef7d349f5303db287aa03a6f57d80f495

SHA256
0490c6da94bb15a7776d2ed0df3db8a5cb1a059e70b7eb9f70382c29cb2f1d99

SHA512
8a992b7d8c215246e062bcfe47d1ce679c1deb38d634bdc55531bef17e39f513c799881e36a124a44d957a44f1663fae0e2b6257c8f9cc32cd7bc9a745a7acee

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
73KB

MD5
e9fada429a6b0d981c72604d253fee81

SHA1
cd65368a361d74059aeb3d4f06dc63adab1a2709

SHA256
2ba90539301b06e5fc4ef37db3bdb7e3ca3e5b9b18ad18a76d5aa18114230840

SHA512
3e286990c234ef2556fd637a7d47ab98d7befc0bbf16d10d8766775dae302e37f96af1b91e773e9f8802a4824dafdd8ce1ee76d1b768af01f5ac7861108dfd06

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
88KB

MD5
ad9a88dfb893e5b35206bd1a9bdd4c9d

SHA1
64c5a9555eb3adbadbb56fefe10565bb51bbd125

SHA256
c22fef904d9a4ab76f9ce5f077e782d772612144e701dbeb4818b25c894dbdba

SHA512
1dd08c895b9a8e37d4d781fd3b16c1da5030e0c87f7cca88a660f084e0db6a694c4e8004f0d349f1bbfc50e5dd1177a2a1880c5c95cb51f71230cca49f5407f7

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
80KB

MD5
cb5d62516111534b9fb62cf76a37e363

SHA1
a7ef5922184be32df9c936ba247a5d9b5084d7c7

SHA256
f971230c5325d4b2251eb8086486f2ed16e024f33bff12e075de38211ffae950

SHA512
34eb66a538f5503072b64f09884b273ef6849a5559218d0895a768b8d5c6b2ccbcc45df5cc7440d87a338ec1f31fb4931e8f6eced524ed3562360ae67472abca

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
76KB

MD5
4120766f866c121a96ab19be3cad7c56

SHA1
cff2db3cd32c09037b484dd7dd65e5a35f36c3af

SHA256
52ee4d62aa1f8b2ac2c04c18f6d9022112bdbb07c308bac50f48ae6fe4f437d8

SHA512
53d65fdec7f4028b0f565ff2d84f97f5f5a8eff908e1e0936788b6e00fe13337c343c541abeaa19c1232d89bc4e7f3d1e50e1910b9081a43459d251f8423bbff

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
143KB

MD5
fd43e00e0b69b3a11f9223d1a84774ab

SHA1
ab8af6f4ff51976b016cef6241fd67ff6ddc70e6

SHA256
b4e03ffdd362c96e4011f0a5c6a0ad685d95ad65874b2d9871087463ef4998f3

SHA512
f3db07528ee583e7013230166abeb65d02a4c7f38c8d6a74ea84e203348602bc98f2001042661635d36b3360408d5c7274a3ffcef85bcfacc1cc0b3af7fa9001

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
89KB

MD5
786d410389886be10ddd5e7f5997373d

SHA1
5117ec1094a6d6a6fe0a3814688a0d70ab5f5933

SHA256
91d8102f80cf60502f274641980c1acd02ecbe5c787ed7cbc32a596c6b46efed

SHA512
268b707e831cb45b3eeb0643df5fe289afd363513ae72634495eaf95d0144f4b64973cc98e768eff8fb392b5ef8e0bdd7d66dc3b3531c4f51bedd7e86763ef8d

Download Submit
\Windows\System64\systemsmss.exe

Filesize
112KB

MD5
7c3a147ca4e1bc0af64288e06d6ef46a

SHA1
5516b81da3eb0f885e420963e13580554bb488d4

SHA256
9a87adfd9b6b5ac351ff1005bd2874ee7a2ded987b2af572d1d6285c58ae9188

SHA512
9117d4511fd5a6ce7eba3c8094495e8a615cab13af93985c391027e09d9342a9bf899b7ae9b3ebc59ef8a2fbf4571bf0941d1acb073a524082faaa68ccf6bcf9

Download Submit
\Windows\System64\systemsmss.exe

Filesize
50KB

MD5
635f185bf1c9237fee96ea9433cd445b

SHA1
9dc8b01bf3c2f9fa7a4b0ef0788d62c943dcbce3

SHA256
2c9c5b3606eff0c9e8178c9cd8dec6cd5c8f1672bfe26598a40e06ba50ccfacf

SHA512
78a59741a7f3c3722b8d5045fcbd282db9f88d420c251ce89038188d85937a9def4c263972a734831edfaa7ce83b7257df959d4b6ec64a858e45a5ffe9ea7c5e

Download Submit
memory/1212-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download