rms | 413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-07-2022 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

agent7.1.2.0 .exe
Size

16.9MB
MD5

8447cd76c56cb7c13dc31d3aaadff615
SHA1

0b2d53a0699add6ad76c5141eeb67ac77277cd14
SHA256

413af64238d7985f1749cb5903bac8e17a58d37408488992d40247b42fcffbc7
SHA512

666a8d64a5815e9fedb568db02ce31c7f7e76764503976cfa1301fbc70cef7c37dacf3e00d957227f745e4bc96b6fa8bda10fb418ddcf9ce12564f9e55a1f590

Score

10^/10

rms rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 4 IoCs

pid	Process
2024	rfusclient.exe
1324	rutserv.exe
552	rutserv.exe
1412	rfusclient.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1964-55-0x0000000000400000-0x00000000028EB000-memory.dmp	upx
behavioral1/memory/1964-61-0x0000000000400000-0x00000000028EB000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation	rutserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Loads dropped DLL 9 IoCs

pid	Process
1964	agent7.1.2.0 .exe
2024	rfusclient.exe
2024	rfusclient.exe
2024	rfusclient.exe
2024	rfusclient.exe
1324	rutserv.exe
1324	rutserv.exe
552	rutserv.exe
552	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\SysWOW64\ieframe.dll,-5723 = "The Internet"	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers"	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network"	rutserv.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2024	rfusclient.exe
2024	rfusclient.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
552	rutserv.exe
552	rutserv.exe
552	rutserv.exe
552	rutserv.exe
552	rutserv.exe
552	rutserv.exe
1412	rfusclient.exe
1412	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	rutserv.exe
Token: SeTakeOwnershipPrivilege	552	rutserv.exe
Token: SeTcbPrivilege	552	rutserv.exe
Token: SeTcbPrivilege	552	rutserv.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1412	rfusclient.exe
1412	rfusclient.exe
1412	rfusclient.exe
1412	rfusclient.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1412	rfusclient.exe
1412	rfusclient.exe
1412	rfusclient.exe
1412	rfusclient.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
552	rutserv.exe
552	rutserv.exe
552	rutserv.exe
552	rutserv.exe
552	rutserv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2024	1964	agent7.1.2.0 .exe	26
PID 1964 wrote to memory of 2024	1964	agent7.1.2.0 .exe	26
PID 1964 wrote to memory of 2024	1964	agent7.1.2.0 .exe	26
PID 1964 wrote to memory of 2024	1964	agent7.1.2.0 .exe	26
PID 2024 wrote to memory of 1324	2024	rfusclient.exe	27
PID 2024 wrote to memory of 1324	2024	rfusclient.exe	27
PID 2024 wrote to memory of 1324	2024	rfusclient.exe	27
PID 2024 wrote to memory of 1324	2024	rfusclient.exe	27
PID 552 wrote to memory of 1412	552	rutserv.exe	29
PID 552 wrote to memory of 1412	552	rutserv.exe	29
PID 552 wrote to memory of 1412	552	rutserv.exe	29
PID 552 wrote to memory of 1412	552	rutserv.exe	29

C:\Users\Admin\AppData\Local\Temp\agent7.1.2.0 .exe
"C:\Users\Admin\AppData\Local\Temp\agent7.1.2.0 .exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rfusclient.exe
  "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rfusclient.exe" -run_agent
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe
    "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe" -run_agent
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1324
  - - C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe
      "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe" -run_agent -second
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rfusclient.exe
        
        "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rfusclient.exe" /tray /user
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\eventmsg.dll

Filesize
51KB

MD5
ca8a4346b37cdd0220792885c5937b30

SHA1
eef05f4b7fb5f8aabfb93d10a6451cc77b489864

SHA256
ccd5b9e5947f956e880bd2285a6091dc9f1ee9b0eb8df627ec4e72b451a1c745

SHA512
c286b0fa9d24a85fe63d3a3d801f135d12409736742c4fc16ba1dc15529df136577dc8975736146437dd56467576fdedb4ac50cf05ab054547504f3dc5ca0c35

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\libeay32.dll

Filesize
1.3MB

MD5
d9871a6ba02aacf3d51e6c168d9c6066

SHA1
42012a0116a9e8aed16c7298bd43cb1206a0f0cd

SHA256
7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

SHA512
ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rfusclient.exe

Filesize
10.3MB

MD5
aaf8ce35de73ae8277454e5d56c6ea3a

SHA1
917da0204367be210e65a4ad1848ab2c3ab9b545

SHA256
5d98abca0c45a45d3308d6b86df7a4ad855eeb7ab2ab63bcf5541da973f8722b

SHA512
880a538912db42acc20ffef242c94d9a5d02047a2cfb4fa34ee04655666f1e0479ed318abc5dd43d8fbad60b9cf521448c82981bc5a62bcc8198e94a2750f561

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rfusclient.exe

Filesize
10.3MB

MD5
aaf8ce35de73ae8277454e5d56c6ea3a

SHA1
917da0204367be210e65a4ad1848ab2c3ab9b545

SHA256
5d98abca0c45a45d3308d6b86df7a4ad855eeb7ab2ab63bcf5541da973f8722b

SHA512
880a538912db42acc20ffef242c94d9a5d02047a2cfb4fa34ee04655666f1e0479ed318abc5dd43d8fbad60b9cf521448c82981bc5a62bcc8198e94a2750f561

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rfusclient.exe

Filesize
10.3MB

MD5
aaf8ce35de73ae8277454e5d56c6ea3a

SHA1
917da0204367be210e65a4ad1848ab2c3ab9b545

SHA256
5d98abca0c45a45d3308d6b86df7a4ad855eeb7ab2ab63bcf5541da973f8722b

SHA512
880a538912db42acc20ffef242c94d9a5d02047a2cfb4fa34ee04655666f1e0479ed318abc5dd43d8fbad60b9cf521448c82981bc5a62bcc8198e94a2750f561

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe

Filesize
19.6MB

MD5
21c7ef02914ab2c0eb555287f844c5ce

SHA1
05620f3523b1c7706b39d1a594e8a7f754ed80a7

SHA256
67fcbe4a6f2599d6899654a05f66d8a2846ed50de51171f7d7315c055f76aef7

SHA512
f30f9eec09c648521fc69ed32f893ecc402ed3cbc9cb1d14eeaa3f91f205694347db6d525486243565a98e7fb44469d4cacd39a476a061aa5500969538f97ad0

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe

Filesize
19.6MB

MD5
21c7ef02914ab2c0eb555287f844c5ce

SHA1
05620f3523b1c7706b39d1a594e8a7f754ed80a7

SHA256
67fcbe4a6f2599d6899654a05f66d8a2846ed50de51171f7d7315c055f76aef7

SHA512
f30f9eec09c648521fc69ed32f893ecc402ed3cbc9cb1d14eeaa3f91f205694347db6d525486243565a98e7fb44469d4cacd39a476a061aa5500969538f97ad0

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe

Filesize
19.6MB

MD5
21c7ef02914ab2c0eb555287f844c5ce

SHA1
05620f3523b1c7706b39d1a594e8a7f754ed80a7

SHA256
67fcbe4a6f2599d6899654a05f66d8a2846ed50de51171f7d7315c055f76aef7

SHA512
f30f9eec09c648521fc69ed32f893ecc402ed3cbc9cb1d14eeaa3f91f205694347db6d525486243565a98e7fb44469d4cacd39a476a061aa5500969538f97ad0

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\ssleay32.dll

Filesize
337KB

MD5
fe6d8feaeae983513e0a9a223604041b

SHA1
efa54892735d331a24b707068040e5a697455cee

SHA256
af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

SHA512
a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\vp8decoder.dll

Filesize
380KB

MD5
41acd8b6d9d80a61f2f686850e3d676a

SHA1
38428a08915cf72dd2eca25b3d87613d9aa027dd

SHA256
36993fc3312ce757c8adeca3e5969e1fcc11d5b51b12c458ba8d54d73b64d4e7

SHA512
d174638965ec781cbcb2927ceafb295c3176dc78da8938467faca3e512a42fe71a9dc1070f23e1c95f0b7c157fff3b00a8b572c39e4670713564f1310360ed23

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\vp8encoder.dll

Filesize
1.6MB

MD5
2ac39d6990170ca37a735f2f15f970e8

SHA1
8148a9cdc6b3fe6492281ebad79636433a6064ab

SHA256
0961d83cb25e1a50d5c0ec2f9fb0d17f2504dae0b22a865f6e1ea8e987e1c6fa

SHA512
7e30fde909d5f8efd6c2e40e125525697267273163ac35cf53561a2bd32e5dad8e4fba32905f53e422c9c73b8ad9a0c151f8d36042c5f156b50bf42dc21a9cee

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\webmmux.dll

Filesize
260KB

MD5
8a683f90a78778fba037565588a6f752

SHA1
011939c1fa7b73272db340c32386a13e140adc6a

SHA256
bd520007864b44e0bda7a466384d12c3c3f328326cf3549ba1853a58ccdbc99d

SHA512
9280fbb121f8b94f57560d1be3bcfe5e7c308d54dac278f13ea6c00256444fb9f17f543dd0d32c9844460818c1a50d83b26ce51c79698e9ca7a304652a3f5ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\webmvorbisdecoder.dll

Filesize
365KB

MD5
c9d412c1d30abb9d61151a10371f4140

SHA1
87120faa6b859f5e23f7344f9547b2fc228af15b

SHA256
f3465ce8a23db5e8228eed5a60a6f7a096d1a9adf3012c39bc6d81d4e57e8e9e

SHA512
1c020afa89cdae55f4dcb80a455dc1b352f40455142f3947ed29c3e3d51fbd465b6e0ea16cd103186c252783a3f2a7f7c417e4df5727d9b2db511b650308face

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\webmvorbisencoder.dll

Filesize
860KB

MD5
a59f69797c42324540e26c7c7998c18c

SHA1
7f7bc5bc62a8744f87a7d2e30cc6dd74c72e19b4

SHA256
83e1c1eb55bfd0f2d85d41c1e4dee65046b064ccb263ec7f412a5f329c75cfd1

SHA512
837f244e6b70658974506ac35bd3ee2d413b89fe4b26e75f4a61cc7bec63e999c9c2cffb690ad567f74962bab13f2f5471300cd0e0cfe61bb1084072cb55c38b

Download Submit
\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\libeay32.dll

Filesize
1.3MB

MD5
d9871a6ba02aacf3d51e6c168d9c6066

SHA1
42012a0116a9e8aed16c7298bd43cb1206a0f0cd

SHA256
7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

SHA512
ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

Download Submit
\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\libeay32.dll

Filesize
1.3MB

MD5
d9871a6ba02aacf3d51e6c168d9c6066

SHA1
42012a0116a9e8aed16c7298bd43cb1206a0f0cd

SHA256
7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

SHA512
ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

Download Submit
\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rfusclient.exe

Filesize
10.3MB

MD5
aaf8ce35de73ae8277454e5d56c6ea3a

SHA1
917da0204367be210e65a4ad1848ab2c3ab9b545

SHA256
5d98abca0c45a45d3308d6b86df7a4ad855eeb7ab2ab63bcf5541da973f8722b

SHA512
880a538912db42acc20ffef242c94d9a5d02047a2cfb4fa34ee04655666f1e0479ed318abc5dd43d8fbad60b9cf521448c82981bc5a62bcc8198e94a2750f561

Download Submit
\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe

Filesize
19.6MB

MD5
21c7ef02914ab2c0eb555287f844c5ce

SHA1
05620f3523b1c7706b39d1a594e8a7f754ed80a7

SHA256
67fcbe4a6f2599d6899654a05f66d8a2846ed50de51171f7d7315c055f76aef7

SHA512
f30f9eec09c648521fc69ed32f893ecc402ed3cbc9cb1d14eeaa3f91f205694347db6d525486243565a98e7fb44469d4cacd39a476a061aa5500969538f97ad0

Download Submit
\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe

Filesize
19.6MB

MD5
21c7ef02914ab2c0eb555287f844c5ce

SHA1
05620f3523b1c7706b39d1a594e8a7f754ed80a7

SHA256
67fcbe4a6f2599d6899654a05f66d8a2846ed50de51171f7d7315c055f76aef7

SHA512
f30f9eec09c648521fc69ed32f893ecc402ed3cbc9cb1d14eeaa3f91f205694347db6d525486243565a98e7fb44469d4cacd39a476a061aa5500969538f97ad0

Download Submit
\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe

Filesize
19.6MB

MD5
21c7ef02914ab2c0eb555287f844c5ce

SHA1
05620f3523b1c7706b39d1a594e8a7f754ed80a7

SHA256
67fcbe4a6f2599d6899654a05f66d8a2846ed50de51171f7d7315c055f76aef7

SHA512
f30f9eec09c648521fc69ed32f893ecc402ed3cbc9cb1d14eeaa3f91f205694347db6d525486243565a98e7fb44469d4cacd39a476a061aa5500969538f97ad0

Download Submit
\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\rutserv.exe

Filesize
19.6MB

MD5
21c7ef02914ab2c0eb555287f844c5ce

SHA1
05620f3523b1c7706b39d1a594e8a7f754ed80a7

SHA256
67fcbe4a6f2599d6899654a05f66d8a2846ed50de51171f7d7315c055f76aef7

SHA512
f30f9eec09c648521fc69ed32f893ecc402ed3cbc9cb1d14eeaa3f91f205694347db6d525486243565a98e7fb44469d4cacd39a476a061aa5500969538f97ad0

Download Submit
\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\ssleay32.dll

Filesize
337KB

MD5
fe6d8feaeae983513e0a9a223604041b

SHA1
efa54892735d331a24b707068040e5a697455cee

SHA256
af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

SHA512
a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

Download Submit
\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\74EC324139\ssleay32.dll

Filesize
337KB

MD5
fe6d8feaeae983513e0a9a223604041b

SHA1
efa54892735d331a24b707068040e5a697455cee

SHA256
af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

SHA512
a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

Download Submit
memory/1964-54-0x00000000756E1000-0x00000000756E3000-memory.dmp

Filesize
8KB

Download
memory/1964-60-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/1964-61-0x0000000000400000-0x00000000028EB000-memory.dmp

Filesize
36.9MB

Download
memory/1964-55-0x0000000000400000-0x00000000028EB000-memory.dmp

Filesize
36.9MB

Download
memory/1964-88-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download