rms | 1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518

Analysis

max time kernel
80s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25/05/2022, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
Size

6.2MB
MD5

0a6c36584f98ec2f98121071477e7702
SHA1

6c839ed190e408f65b3b0c856e5adcb1d305c067
SHA256

1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518
SHA512

1e620fe29a47929c491fbe3003ae0177e4f7ff5b90c5b456f54fd67d17916c8657f80552f7f0acfd333fc0f393555d9202a564edc4f4ed5a2c9282691b414442

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1systemsmss.exe, explorer.exe"	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1systemsmss.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 1 IoCs

pid	Process
2500	1systemsmss.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	1systemsmss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	1systemsmss.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File created	C:\Windows\Zont911\Tupe.bat	1systemsmss.exe
File opened for modification	C:\Windows\System64\1systemsmss.exe	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File created	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File created	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File created	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File created	C:\Windows\System64\1systemsmss.exe	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
File created	C:\Windows\Zont911\Regedit.reg	1systemsmss.exe
File created	C:\Windows\Zont911\Home.zip	1systemsmss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2060	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 2500	380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe	80
PID 380 wrote to memory of 2500	380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe	80
PID 380 wrote to memory of 2500	380	1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe	80
PID 2500 wrote to memory of 2060	2500	1systemsmss.exe	82
PID 2500 wrote to memory of 2060	2500	1systemsmss.exe	82
PID 2500 wrote to memory of 2060	2500	1systemsmss.exe	82
PID 2500 wrote to memory of 4164	2500	1systemsmss.exe	84
PID 2500 wrote to memory of 4164	2500	1systemsmss.exe	84
PID 2500 wrote to memory of 4164	2500	1systemsmss.exe	84

C:\Users\Admin\AppData\Local\Temp\1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe
"C:\Users\Admin\AppData\Local\Temp\1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\System64\1systemsmss.exe
  "C:\Windows\System64\1systemsmss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    PID:4164
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      PID:1924
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /silentinstall
      4⤵
      PID:4924
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /firewall
      4⤵
      PID:1652
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /start
      4⤵
      PID:4392

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
PID:1984
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  PID:4056
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\1systemsmss.exe

Filesize
6.2MB

MD5
0a6c36584f98ec2f98121071477e7702

SHA1
6c839ed190e408f65b3b0c856e5adcb1d305c067

SHA256
1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518

SHA512
1e620fe29a47929c491fbe3003ae0177e4f7ff5b90c5b456f54fd67d17916c8657f80552f7f0acfd333fc0f393555d9202a564edc4f4ed5a2c9282691b414442

Download Submit
C:\Windows\System64\1systemsmss.exe

Filesize
6.2MB

MD5
0a6c36584f98ec2f98121071477e7702

SHA1
6c839ed190e408f65b3b0c856e5adcb1d305c067

SHA256
1d8291a5cba2f38b160dfc10921e29a54799ff0ef634b410aa1a6618b04fb518

SHA512
1e620fe29a47929c491fbe3003ae0177e4f7ff5b90c5b456f54fd67d17916c8657f80552f7f0acfd333fc0f393555d9202a564edc4f4ed5a2c9282691b414442

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
2.6MB

MD5
dcc523c7917bc6cb1ccf04a19e1079a7

SHA1
97d23460227c25ef81b8191851d2e4b790f9f20d

SHA256
8205e1f9d190e77dc4aec8dd8ae8894e4fa8cd9e4e763d605928a007ed366314

SHA512
91986f9cb6451be6de7010175e20c66184d4d5159d11b355a3267ed782db5d3f1af6dffe575f2b025ef27d26c88e9ed6efcd140f8c29b2757bd202b2a37aea44

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
2.7MB

MD5
688e73cfabd09a794d5e9f73df047259

SHA1
6106ba5112d63f8470834fa7a9208d89e2869bea

SHA256
3d3fd936f88536fd02e9bb4447a7a9d8808cf430e76f8974dae740d0973cf279

SHA512
5ad39de0bd9e4eaf750b46bbd24365476e5214a59e7e4e1f6e0c48be4269cca01e8e0353c9233be0f15cf01d83e54a998ef49238a89ffda1ceb823a3191b53d6

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
2.4MB

MD5
3eebe39b9a482d89a8880731ca510c6e

SHA1
e3e3d2109621fae14c49bd45570a68e5f048ca15

SHA256
b78b8df6bf02b73326af8ff47e778c5b1ce61a98a6f64c293e5f9bf987e286e7

SHA512
9794ae7216495221df003e277948844c1f2e31563552106ae6ffc038e536d81401a0121f974d945e311c17b32dea28e4dad9acf3010efc2fac3a18627b301593

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
2.9MB

MD5
afa008ab97e8fc05466be6328221cb76

SHA1
2da3a079e0555e69715a69dbc9d73a743b3af676

SHA256
ec11e0ae328bc8ea7a40837a7180809fc0f7197743127a9dc16c78663710653b

SHA512
7c5b86416045552088e7d345d02927d7be858f51c385d3451b73a67b05159503c8de119c52e6aa535294f906f943a16a694c1393d2b9c2303ca31ffff1adaefc

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
2.5MB

MD5
91829ede3bd84efcddb5032e51c1ac26

SHA1
da5933c9368176f8572218b549e44b440a086436

SHA256
f1f50ff8aa0125ac6e13eae622b80b896916f1b9179d2228555e4bc211284e4f

SHA512
426e683a5c9a3b192b83941b875ea648442fecb21b3206dd5b00deb86c4782abedc08f33452a54ec50dbfc6a8eb54a1fb424a3588552e00b0bbe4d3217383b9d

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
2.8MB

MD5
45a00f2c58e320049bde8ff148dda2db

SHA1
5d43c48c4412415bb7a4b9088ee4a27b1bfe76b8

SHA256
91cc75fedfa77f898e7d6c8b98c8b21908658eeab449d8fe225b720ed6a917d8

SHA512
c3c752df23f72afcd6c1dfe5bda31b8a5616b122f3a93e37d8a4431bb414a6dcffbdc1047545c376fac80952ffe76cc8ac6d75cebb8d636c29ed3bffc0acf579

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
2.6MB

MD5
1a22fa1cb8606814570b8e06f28f78a6

SHA1
dad1348cb2e286245f9d27a142b683e1fa18cefb

SHA256
9b33427fdd5bed0620904367d9655d3289f916cfb8c1ed9ff95700585cefc12c

SHA512
f70f4bfd6820147e30232734ce1557394cfaf64c02491be6c0568e50cfffc661277a2f0f30319203689b960137a7338ed510b3d0f7d6987ae6b09de1d993b517

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
2.7MB

MD5
800c04a2cfa895af460d5a6adf95b696

SHA1
cdafb2337731053183eb07b852988be7a13508b9

SHA256
2c783362c1bb6777d7a32e74c522b8b6f30609e9e851499c8dcbfc0a8ee32a20

SHA512
3cb1f15e468b991989189c6f371a7f25686a53906cb1bb9846858fbc6c6d2c497a985da9aface83ebdc2147e4a25a17943fb09efda5c24a01374e8dcec5f6355

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
ce871700179dfc5638b9bcd2052a9e11

SHA1
31318891734c352a94e3e4b616fce40d29dd28e3

SHA256
3ef1ec65cf389b0e33c693c2f8a07ba479a5b0d9f9e281c42e6acc561f798061

SHA512
fbbcf4de0d77483d5ea9a74590373fcc53f2ea15b3f81cb38d353ae0c4f2c42b9e53e65da77a64c521a50c3478f5b8533e5153230299ac2f644924662cabb715

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
281B

MD5
691f040de6d335962416b319dcd416dc

SHA1
db49109c0917910f7fce8b6de690a1c7e2026226

SHA256
605d0b9c2fd1972c4ee60d8eefd336be636884dcdf54a4e5f2829c46e80fdcea

SHA512
f34ba36bdeaa43a1265ec69acfa0f199f2b4d5d90b4ea890327478f4f48ec7597d660b922dd1e149de3a1ff9b48c79e4c9c53e8a482b4cb5842bc0976f93bf89

Download Submit