rms | ae20798a24a3a7dbc44ad8d9182fd4cd289ed89a96e5f0ee430e329b710af522

Analysis

max time kernel
156s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1132ead4499f0ce2b021432b83ca4b76.exe
Size

23.7MB
MD5

1132ead4499f0ce2b021432b83ca4b76
SHA1

3c2f0503b02a80619e55c444b1dbf66b48328d47
SHA256

ae20798a24a3a7dbc44ad8d9182fd4cd289ed89a96e5f0ee430e329b710af522
SHA512

bc68289bfa35889ddb9d9c1749bc29aeb64c2423fe0d856ac40e057c836ad821d3f91643bb5233f663912232885dc503e85fe52405ff2396e35b99767fbe34c6
SSDEEP

393216:0bUBx1ZrzDywEvRYeHuCZYKmvJITDqgM+evGXioV1S64G790KxcPD+l:Xri2eL6K/aYioD4Gii

Score

10^/10

rms rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1700 created 4960	1700	svchost.exe	81

Executes dropped EXE 4 IoCs

pid	Process
2808	rfusclient.exe
4960	rutserv.exe
2060	rutserv.exe
4592	rfusclient.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2468-132-0x0000000000040000-0x00000000025BF000-memory.dmp	upx
behavioral2/memory/2468-133-0x0000000000040000-0x00000000025BF000-memory.dmp	upx
behavioral2/memory/2468-137-0x0000000000040000-0x00000000025BF000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	rutserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	1132ead4499f0ce2b021432b83ca4b76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Loads dropped DLL 4 IoCs

pid	Process
4960	rutserv.exe
4960	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_DDC6638534E8608691DE0CEAFF22DE0F	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_DDC6638534E8608691DE0CEAFF22DE0F	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\ieframe.dll,-5723 = "The Internet"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers"	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-9216 = "This PC"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2808	rfusclient.exe
2808	rfusclient.exe
4960	rutserv.exe
4960	rutserv.exe
4960	rutserv.exe
4960	rutserv.exe
4960	rutserv.exe
4960	rutserv.exe
4960	rutserv.exe
4960	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe
4592	rfusclient.exe
4592	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	rutserv.exe
Token: SeTcbPrivilege	1700	svchost.exe
Token: SeTcbPrivilege	1700	svchost.exe
Token: SeTakeOwnershipPrivilege	2060	rutserv.exe
Token: SeTcbPrivilege	2060	rutserv.exe
Token: SeTcbPrivilege	2060	rutserv.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4592	rfusclient.exe
4592	rfusclient.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4592	rfusclient.exe
4592	rfusclient.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4960	rutserv.exe
4960	rutserv.exe
4960	rutserv.exe
4960	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe
2060	rutserv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2808	2468	1132ead4499f0ce2b021432b83ca4b76.exe	80
PID 2468 wrote to memory of 2808	2468	1132ead4499f0ce2b021432b83ca4b76.exe	80
PID 2468 wrote to memory of 2808	2468	1132ead4499f0ce2b021432b83ca4b76.exe	80
PID 2808 wrote to memory of 4960	2808	rfusclient.exe	81
PID 2808 wrote to memory of 4960	2808	rfusclient.exe	81
PID 2808 wrote to memory of 4960	2808	rfusclient.exe	81
PID 1700 wrote to memory of 2060	1700	svchost.exe	84
PID 1700 wrote to memory of 2060	1700	svchost.exe	84
PID 1700 wrote to memory of 2060	1700	svchost.exe	84
PID 2060 wrote to memory of 4592	2060	rutserv.exe	87
PID 2060 wrote to memory of 4592	2060	rutserv.exe	87
PID 2060 wrote to memory of 4592	2060	rutserv.exe	87

C:\Users\Admin\AppData\Local\Temp\1132ead4499f0ce2b021432b83ca4b76.exe
"C:\Users\Admin\AppData\Local\Temp\1132ead4499f0ce2b021432b83ca4b76.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rfusclient.exe
  "C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rfusclient.exe" -run_agent
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rutserv.exe
    "C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rutserv.exe" -run_agent
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4960
  - - C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rutserv.exe
      "C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rutserv.exe" -run_agent -second
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rfusclient.exe
        
        "C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rfusclient.exe" /tray /user
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\branding.ini

Filesize
348B

MD5
d3906b183b5df57e81a7989f4aa99e8b

SHA1
aacdf22c6dba161a0303a0a7018f52d2f59968f7

SHA256
a20c12d94705b05cb06d1f6c9d8e84d14b2815f21a18438bd9cd21a046416ea8

SHA512
d369c6597e9f114bf90d8ebea64c54e685376216d90c6c183368fe206d72d39f9ab44e594c1290b9d7a277a77c6b43a49cec394562d7d24a34ae1c5563ea1340

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\eventmsg.dll

Filesize
51KB

MD5
4e84df6558c385bc781cddea34c9fba3

SHA1
6d63d87c19c11bdbfa484a5835ffffd7647296c8

SHA256
0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d

SHA512
c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\libeay32.dll

Filesize
1.3MB

MD5
5222eaf78313758b0520be16e3f8392e

SHA1
9c7cc8fb340618fef38422cf0c75c4c9bfb216e2

SHA256
4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5

SHA512
459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\libeay32.dll

Filesize
1.3MB

MD5
5222eaf78313758b0520be16e3f8392e

SHA1
9c7cc8fb340618fef38422cf0c75c4c9bfb216e2

SHA256
4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5

SHA512
459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\libeay32.dll

Filesize
1.3MB

MD5
5222eaf78313758b0520be16e3f8392e

SHA1
9c7cc8fb340618fef38422cf0c75c4c9bfb216e2

SHA256
4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5

SHA512
459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\logo.png

Filesize
16KB

MD5
ff59b0d7f3237a901de14457fb5015ca

SHA1
811a211ae6920693e18466d3ee00471b41dbb8e2

SHA256
cd179ef5c28593ac4d60723630cd00cd85a197d5e5c4781efdd2283511f05b4c

SHA512
5c319f107f084feaead52c2c4272aaa8707732cd77fd098fdfb9c88e897c948fc74c1148c2d2f9b3f32472b63e2f99d2915e845a7128ceba0a0ed9c95a1707b5

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rfusclient.exe

Filesize
10.2MB

MD5
ef7eaf7529dc8697135da931369f6a74

SHA1
a5eed61e45d96f3e9abbf629c340576e5f30eb7e

SHA256
8a235e33081b0037c7df6c8a1b3a24b102d501a2ecaaf68b2fe6fb53f67dd999

SHA512
23aee01641ab5121899d9146294708e92fa79dfd2954dcd1d3c85486456d187ed0e0c77c6c8886948e823b621f78cfa4112dc85b58c0ab870dc33db481655a58

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rfusclient.exe

Filesize
10.2MB

MD5
ef7eaf7529dc8697135da931369f6a74

SHA1
a5eed61e45d96f3e9abbf629c340576e5f30eb7e

SHA256
8a235e33081b0037c7df6c8a1b3a24b102d501a2ecaaf68b2fe6fb53f67dd999

SHA512
23aee01641ab5121899d9146294708e92fa79dfd2954dcd1d3c85486456d187ed0e0c77c6c8886948e823b621f78cfa4112dc85b58c0ab870dc33db481655a58

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rfusclient.exe

Filesize
10.2MB

MD5
ef7eaf7529dc8697135da931369f6a74

SHA1
a5eed61e45d96f3e9abbf629c340576e5f30eb7e

SHA256
8a235e33081b0037c7df6c8a1b3a24b102d501a2ecaaf68b2fe6fb53f67dd999

SHA512
23aee01641ab5121899d9146294708e92fa79dfd2954dcd1d3c85486456d187ed0e0c77c6c8886948e823b621f78cfa4112dc85b58c0ab870dc33db481655a58

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rutserv.exe

Filesize
19.8MB

MD5
e8d8f057578b8f2fc28a6f9f52904a9d

SHA1
619cd404d2fef57a81471e280c793a7053c7916f

SHA256
71208d9cddf1ce21825a9d641a00fc2b0044bd0ee980640814d22f1a2b48ba7f

SHA512
a97d17105c5e495d8f90936cdf49dea7ca5155958b1bc2d3525b1dbcdd2d5975bc5908eda616400e29702beb15aa279c19ad4a3d17db3698e8c607f1fcb1c243

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rutserv.exe

Filesize
19.8MB

MD5
e8d8f057578b8f2fc28a6f9f52904a9d

SHA1
619cd404d2fef57a81471e280c793a7053c7916f

SHA256
71208d9cddf1ce21825a9d641a00fc2b0044bd0ee980640814d22f1a2b48ba7f

SHA512
a97d17105c5e495d8f90936cdf49dea7ca5155958b1bc2d3525b1dbcdd2d5975bc5908eda616400e29702beb15aa279c19ad4a3d17db3698e8c607f1fcb1c243

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\rutserv.exe

Filesize
19.8MB

MD5
e8d8f057578b8f2fc28a6f9f52904a9d

SHA1
619cd404d2fef57a81471e280c793a7053c7916f

SHA256
71208d9cddf1ce21825a9d641a00fc2b0044bd0ee980640814d22f1a2b48ba7f

SHA512
a97d17105c5e495d8f90936cdf49dea7ca5155958b1bc2d3525b1dbcdd2d5975bc5908eda616400e29702beb15aa279c19ad4a3d17db3698e8c607f1fcb1c243

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\settings.dat

Filesize
7KB

MD5
91c7d2e7301c7fd4206ee5bfac5cec27

SHA1
6258797998a9dd222fbd570b0d8c12b28e7466a4

SHA256
aebf3bf09cca5f87024ae58deb23ffac571927258f7d649e201d9d8c724e6821

SHA512
8ce2ea97c2b3a84a057fc0f1c79a2c0ce43e56dbc8110c94a7f409b8d28df407066c0a1a4b84e97c95866a6757301dc0e7dec1a6ace7a43fd7b6ce0b91ffa08d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\ssleay32.dll

Filesize
337KB

MD5
90a4b7fc6807693e68dd32b68614d989

SHA1
785484ef531ca90f323d5b017fefcff05e68093a

SHA256
4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6

SHA512
97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\ssleay32.dll

Filesize
337KB

MD5
90a4b7fc6807693e68dd32b68614d989

SHA1
785484ef531ca90f323d5b017fefcff05e68093a

SHA256
4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6

SHA512
97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\ssleay32.dll

Filesize
337KB

MD5
90a4b7fc6807693e68dd32b68614d989

SHA1
785484ef531ca90f323d5b017fefcff05e68093a

SHA256
4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6

SHA512
97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\vp8decoder.dll

Filesize
379KB

MD5
e247666cdea63da5a95aebc135908207

SHA1
4642f6c3973c41b7d1c9a73111a26c2d7ac9c392

SHA256
b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33

SHA512
06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\vp8encoder.dll

Filesize
1.6MB

MD5
d5c2a6ac30e76b7c9b55adf1fe5c1e4a

SHA1
3d841eb48d1a32b511611d4b9e6eed71e2c373ee

SHA256
11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428

SHA512
3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\webmmux.dll

Filesize
259KB

MD5
49c51ace274d7db13caa533880869a4a

SHA1
b539ed2f1a15e2d4e5c933611d736e0c317b8313

SHA256
1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b

SHA512
13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\webmvorbisdecoder.dll

Filesize
364KB

MD5
eda07083af5b6608cb5b7c305d787842

SHA1
d1703c23522d285a3ccdaf7ba2eb837d40608867

SHA256
c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d

SHA512
be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70150\35BC857EC7\webmvorbisencoder.dll

Filesize
859KB

MD5
642dc7e57f0c962b9db4c8fb346bc5a7

SHA1
acee24383b846f7d12521228d69135e5704546f6

SHA256
63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede

SHA512
fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

Download Submit
memory/2468-132-0x0000000000040000-0x00000000025BF000-memory.dmp

Filesize
37.5MB

Download
memory/2468-137-0x0000000000040000-0x00000000025BF000-memory.dmp

Filesize
37.5MB

Download
memory/2468-133-0x0000000000040000-0x00000000025BF000-memory.dmp

Filesize
37.5MB

Download