rms | 8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379

Analysis

max time kernel
144s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2022 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe
Size

5.2MB
MD5

f44d3d3f38277b9fcebbf502d42932de
SHA1

cbe41a2f4a3c0e1ca562e305f2a9130fb44f48ee
SHA256

8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379
SHA512

954ece50a66274c76a1b5689f1413723f08dff65444e73424e9c2ce8a37726cd1830ab6a1a2dee2fe6aae3f0060de43af6bfbe7a3562254742dc491e5e007c19
SSDEEP

98304:4d3DAwjFAtBFuquha3B6YcnJU4zRYn05tYENoe/dRgh3mV0lnu0vNDge0N3VS:4dTAwhEfXIXJrRYnada40FO1U

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2232 created 968	2232	svchost.exe	82

Executes dropped EXE 3 IoCs

pid	Process
968	lightsv.exe
4796	lightsv.exe
308	lightsv.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	lightsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	lightsv.exe

Loads dropped DLL 11 IoCs

pid	Process
1516	8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe
1516	8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe
1516	8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe
1516	8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe
968	lightsv.exe
968	lightsv.exe
4796	lightsv.exe
4796	lightsv.exe
1516	8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe
308	lightsv.exe
308	lightsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	lightsv.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\2	lightsv.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\0	lightsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lightsv.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\16	lightsv.exe
Key opened	\REGISTRY\MACHINE\hardware\description\system\centralProcessor\1	lightsv.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
4796	lightsv.exe
4796	lightsv.exe
4796	lightsv.exe
4796	lightsv.exe
4796	lightsv.exe
4796	lightsv.exe
4796	lightsv.exe
4796	lightsv.exe
308	lightsv.exe
308	lightsv.exe
308	lightsv.exe
308	lightsv.exe
308	lightsv.exe
308	lightsv.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	lightsv.exe
Token: SeDebugPrivilege	968	lightsv.exe
Token: SeTcbPrivilege	2232	svchost.exe
Token: SeTcbPrivilege	2232	svchost.exe
Token: SeTakeOwnershipPrivilege	4796	lightsv.exe
Token: SeTcbPrivilege	4796	lightsv.exe
Token: SeTcbPrivilege	4796	lightsv.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
968	lightsv.exe
4796	lightsv.exe
4796	lightsv.exe
4796	lightsv.exe
4796	lightsv.exe
308	lightsv.exe
308	lightsv.exe
308	lightsv.exe
308	lightsv.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 968	1516	8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe	82
PID 1516 wrote to memory of 968	1516	8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe	82
PID 1516 wrote to memory of 968	1516	8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe	82
PID 2232 wrote to memory of 4796	2232	svchost.exe	84
PID 2232 wrote to memory of 4796	2232	svchost.exe	84
PID 2232 wrote to memory of 4796	2232	svchost.exe	84
PID 1516 wrote to memory of 4088	1516	8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe	89
PID 1516 wrote to memory of 4088	1516	8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe	89
PID 4088 wrote to memory of 2068	4088	cmd.exe	90
PID 4088 wrote to memory of 2068	4088	cmd.exe	90
PID 4088 wrote to memory of 3636	4088	cmd.exe	91
PID 4088 wrote to memory of 3636	4088	cmd.exe	91
PID 4088 wrote to memory of 116	4088	cmd.exe	92
PID 4088 wrote to memory of 116	4088	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe
"C:\Users\Admin\AppData\Local\Temp\8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Public\Lightshot Screenshots\lightsv.exe
  "C:\Users\Public\Lightshot Screenshots\lightsv.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:968
- - C:\Users\Public\Lightshot Screenshots\lightsv.exe
    "C:\Users\Public\Lightshot Screenshots\lightsv.exe" -run_agent -second
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SchTasks /create /f /XML %temp%\Log436.xml /TN \microsoft\windows\defrag\scheduleddefrag && schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE && schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\system32\schtasks.exe
    SchTasks /create /f /XML C:\Users\Admin\AppData\Local\Temp\Log436.xml /TN \microsoft\windows\defrag\scheduleddefrag
    3⤵
    - Creates scheduled task(s)
    PID:2068
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE
    3⤵
    PID:3636
- - C:\Windows\system32\schtasks.exe
    schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
    3⤵
    PID:116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Public\Lightshot Screenshots\lightsv.exe
"C:\Users\Public\Lightshot Screenshots\lightsv.exe" -run_agent -second
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Log436.xml

Filesize
1KB

MD5
d208af9a53bc8e78b97b603057f2ffe0

SHA1
86ea491fa844579c70b64524517706184e63949c

SHA256
e1e872d5bc39093c922a1c78b1c53f358b3d126313681e453a06fa788203ce80

SHA512
f527dd28e67a7b7d5ebcc75b593734909cd5a429200c89d4791eac0e0151f22e669fef080eb020eedfc5a44025482201a394f0864778e4b0b547ea4785191322

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7A46.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7A46.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7A46.tmp\nsis7z.dll

Filesize
175KB

MD5
7cd97d946e10e902ed2822508e2a11c4

SHA1
fc64d292d1c239abc82bb49a063a58ff8d0609fb

SHA256
f2fc2a430833ed9fef374ec73cb3302d66471aaaddb2f63d3e6e4139b212b78b

SHA512
52513e03fdb79eaeb3d43d28f6862515c13ad65483a2786ca4aa4e5b1eaa5e34ad3c627b9b1bfb5f89b192cdc1c6b6073f3b34bce36fd2fabf6d286e13987621

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7A46.tmp\nsis7z.dll

Filesize
175KB

MD5
7cd97d946e10e902ed2822508e2a11c4

SHA1
fc64d292d1c239abc82bb49a063a58ff8d0609fb

SHA256
f2fc2a430833ed9fef374ec73cb3302d66471aaaddb2f63d3e6e4139b212b78b

SHA512
52513e03fdb79eaeb3d43d28f6862515c13ad65483a2786ca4aa4e5b1eaa5e34ad3c627b9b1bfb5f89b192cdc1c6b6073f3b34bce36fd2fabf6d286e13987621

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7A46.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Public\Lightshot Screenshots\libeay32.dll

Filesize
1.3MB

MD5
0d51927274281007657c7f3e0df7becb

SHA1
6de3746d9d0980f5715cec6c676a8eb53b5efc49

SHA256
dfc847405be60c29e86e3e3222e7f63c1ff584727d87d3c35c25c4893e19fda0

SHA512
eef74088a94635184192d82bb6dcc0758749cb290c8deeff211881e8a280aec73a53334eff8846df618204b0f318e757eab23e76951a472ba6e086905000d9a5

Download Submit
C:\Users\Public\Lightshot Screenshots\libeay32.dll

Filesize
1.3MB

MD5
0d51927274281007657c7f3e0df7becb

SHA1
6de3746d9d0980f5715cec6c676a8eb53b5efc49

SHA256
dfc847405be60c29e86e3e3222e7f63c1ff584727d87d3c35c25c4893e19fda0

SHA512
eef74088a94635184192d82bb6dcc0758749cb290c8deeff211881e8a280aec73a53334eff8846df618204b0f318e757eab23e76951a472ba6e086905000d9a5

Download Submit
C:\Users\Public\Lightshot Screenshots\libeay32.dll

Filesize
1.3MB

MD5
0d51927274281007657c7f3e0df7becb

SHA1
6de3746d9d0980f5715cec6c676a8eb53b5efc49

SHA256
dfc847405be60c29e86e3e3222e7f63c1ff584727d87d3c35c25c4893e19fda0

SHA512
eef74088a94635184192d82bb6dcc0758749cb290c8deeff211881e8a280aec73a53334eff8846df618204b0f318e757eab23e76951a472ba6e086905000d9a5

Download Submit
C:\Users\Public\Lightshot Screenshots\libeay32.dll

Filesize
1.3MB

MD5
0d51927274281007657c7f3e0df7becb

SHA1
6de3746d9d0980f5715cec6c676a8eb53b5efc49

SHA256
dfc847405be60c29e86e3e3222e7f63c1ff584727d87d3c35c25c4893e19fda0

SHA512
eef74088a94635184192d82bb6dcc0758749cb290c8deeff211881e8a280aec73a53334eff8846df618204b0f318e757eab23e76951a472ba6e086905000d9a5

Download Submit
C:\Users\Public\Lightshot Screenshots\lightsv.exe

Filesize
17.1MB

MD5
6e2cbbd65259e74cba31e223fe115188

SHA1
7cc0845f85b805c4f2e5f6f8b23370698d45cb02

SHA256
7171d3c0204fe84022aa559c3c1b0f996edcb180283513af8919ea350408e7e2

SHA512
5c733194d5d5c4e87a3ded296f769e86f4c2de1fa58c5cdf5d37fb523e9c3dba6825ed2a4d5b78f0d5b21e2d69599a2b91e949fbe4b585a290727ab83a6b887c

Download Submit
C:\Users\Public\Lightshot Screenshots\lightsv.exe

Filesize
17.1MB

MD5
6e2cbbd65259e74cba31e223fe115188

SHA1
7cc0845f85b805c4f2e5f6f8b23370698d45cb02

SHA256
7171d3c0204fe84022aa559c3c1b0f996edcb180283513af8919ea350408e7e2

SHA512
5c733194d5d5c4e87a3ded296f769e86f4c2de1fa58c5cdf5d37fb523e9c3dba6825ed2a4d5b78f0d5b21e2d69599a2b91e949fbe4b585a290727ab83a6b887c

Download Submit
C:\Users\Public\Lightshot Screenshots\lightsv.exe

Filesize
17.1MB

MD5
6e2cbbd65259e74cba31e223fe115188

SHA1
7cc0845f85b805c4f2e5f6f8b23370698d45cb02

SHA256
7171d3c0204fe84022aa559c3c1b0f996edcb180283513af8919ea350408e7e2

SHA512
5c733194d5d5c4e87a3ded296f769e86f4c2de1fa58c5cdf5d37fb523e9c3dba6825ed2a4d5b78f0d5b21e2d69599a2b91e949fbe4b585a290727ab83a6b887c

Download Submit
C:\Users\Public\Lightshot Screenshots\lightsv.exe

Filesize
17.1MB

MD5
6e2cbbd65259e74cba31e223fe115188

SHA1
7cc0845f85b805c4f2e5f6f8b23370698d45cb02

SHA256
7171d3c0204fe84022aa559c3c1b0f996edcb180283513af8919ea350408e7e2

SHA512
5c733194d5d5c4e87a3ded296f769e86f4c2de1fa58c5cdf5d37fb523e9c3dba6825ed2a4d5b78f0d5b21e2d69599a2b91e949fbe4b585a290727ab83a6b887c

Download Submit
C:\Users\Public\Lightshot Screenshots\ssleay32.dll

Filesize
337KB

MD5
197da919e4c91125656bf905877c9b5a

SHA1
9574ec3e87bb0f7acce72d4d59d176296741aa83

SHA256
303c78aba3b776472c245f17020f9aa5a53f09a6f6c1e4f34b8e18e33906b5ee

SHA512
33c1b853181f83cab2f57f47fb7e093badf83963613e7328ebd23f0d62f59416d7a93063c6237435fbb6833a69bc44ebbc13aa585da010f491c680b2ea335c47

Download Submit
C:\Users\Public\Lightshot Screenshots\ssleay32.dll

Filesize
337KB

MD5
197da919e4c91125656bf905877c9b5a

SHA1
9574ec3e87bb0f7acce72d4d59d176296741aa83

SHA256
303c78aba3b776472c245f17020f9aa5a53f09a6f6c1e4f34b8e18e33906b5ee

SHA512
33c1b853181f83cab2f57f47fb7e093badf83963613e7328ebd23f0d62f59416d7a93063c6237435fbb6833a69bc44ebbc13aa585da010f491c680b2ea335c47

Download Submit
C:\Users\Public\Lightshot Screenshots\ssleay32.dll

Filesize
337KB

MD5
197da919e4c91125656bf905877c9b5a

SHA1
9574ec3e87bb0f7acce72d4d59d176296741aa83

SHA256
303c78aba3b776472c245f17020f9aa5a53f09a6f6c1e4f34b8e18e33906b5ee

SHA512
33c1b853181f83cab2f57f47fb7e093badf83963613e7328ebd23f0d62f59416d7a93063c6237435fbb6833a69bc44ebbc13aa585da010f491c680b2ea335c47

Download Submit
C:\Users\Public\Lightshot Screenshots\ssleay32.dll

Filesize
337KB

MD5
197da919e4c91125656bf905877c9b5a

SHA1
9574ec3e87bb0f7acce72d4d59d176296741aa83

SHA256
303c78aba3b776472c245f17020f9aa5a53f09a6f6c1e4f34b8e18e33906b5ee

SHA512
33c1b853181f83cab2f57f47fb7e093badf83963613e7328ebd23f0d62f59416d7a93063c6237435fbb6833a69bc44ebbc13aa585da010f491c680b2ea335c47

Download Submit
memory/1516-136-0x00000000029A0000-0x00000000029D1000-memory.dmp

Filesize
196KB

Download