rms | d70368abeadb9de98385ac715a25801a3ccfdda83c65b0e0c54e82e5482d2f04

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/10/2022, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D70368ABEADB9DE98385AC715A25801A3CCFDDA83C65B.exe
Size

16.2MB
MD5

4a8eddb0a7769d48e2e9dbc571fcc03e
SHA1

d3638cdaeebd29522c8cabe40839b3c03acbd90c
SHA256

d70368abeadb9de98385ac715a25801a3ccfdda83c65b0e0c54e82e5482d2f04
SHA512

2eeba0d50f822b46d222861ab89d270e7d065de162774d9eb3065f3446cd963a958ec2d24348b39ae37e8b50baf79afc867478d1a39b45c36f280a83efc63a9c
SSDEEP

393216:CBP2aI/z/yF/bqHpXQ0b2MR8l1s5Iqbakj:CBuak7yFuP2jl65IlO

Score

10^/10

rms rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 4 IoCs

pid	Process
1988	rfusclient.exe
1732	rutserv.exe
560	rutserv.exe
1712	rfusclient.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1764-55-0x0000000000400000-0x00000000027CA000-memory.dmp	upx
behavioral1/memory/1764-59-0x0000000000400000-0x00000000027CA000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	rutserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Loads dropped DLL 9 IoCs

pid	Process
1764	D70368ABEADB9DE98385AC715A25801A3CCFDDA83C65B.exe
1988	rfusclient.exe
1988	rfusclient.exe
1988	rfusclient.exe
1988	rfusclient.exe
1732	rutserv.exe
1732	rutserv.exe
560	rutserv.exe
560	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1988	rfusclient.exe
1988	rfusclient.exe
1732	rutserv.exe
1732	rutserv.exe
1732	rutserv.exe
1732	rutserv.exe
1732	rutserv.exe
1732	rutserv.exe
560	rutserv.exe
560	rutserv.exe
560	rutserv.exe
560	rutserv.exe
560	rutserv.exe
560	rutserv.exe
1712	rfusclient.exe
1712	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	rutserv.exe
Token: SeTakeOwnershipPrivilege	560	rutserv.exe
Token: SeTcbPrivilege	560	rutserv.exe
Token: SeTcbPrivilege	560	rutserv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1712	rfusclient.exe
1712	rfusclient.exe
1712	rfusclient.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1712	rfusclient.exe
1712	rfusclient.exe
1712	rfusclient.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1732	rutserv.exe
1732	rutserv.exe
1732	rutserv.exe
1732	rutserv.exe
560	rutserv.exe
560	rutserv.exe
560	rutserv.exe
560	rutserv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1988	1764	D70368ABEADB9DE98385AC715A25801A3CCFDDA83C65B.exe	26
PID 1764 wrote to memory of 1988	1764	D70368ABEADB9DE98385AC715A25801A3CCFDDA83C65B.exe	26
PID 1764 wrote to memory of 1988	1764	D70368ABEADB9DE98385AC715A25801A3CCFDDA83C65B.exe	26
PID 1764 wrote to memory of 1988	1764	D70368ABEADB9DE98385AC715A25801A3CCFDDA83C65B.exe	26
PID 1988 wrote to memory of 1732	1988	rfusclient.exe	27
PID 1988 wrote to memory of 1732	1988	rfusclient.exe	27
PID 1988 wrote to memory of 1732	1988	rfusclient.exe	27
PID 1988 wrote to memory of 1732	1988	rfusclient.exe	27
PID 560 wrote to memory of 1712	560	rutserv.exe	29
PID 560 wrote to memory of 1712	560	rutserv.exe	29
PID 560 wrote to memory of 1712	560	rutserv.exe	29
PID 560 wrote to memory of 1712	560	rutserv.exe	29

C:\Users\Admin\AppData\Local\Temp\D70368ABEADB9DE98385AC715A25801A3CCFDDA83C65B.exe
"C:\Users\Admin\AppData\Local\Temp\D70368ABEADB9DE98385AC715A25801A3CCFDDA83C65B.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rfusclient.exe
  "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rfusclient.exe" -run_agent
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rutserv.exe
    "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rutserv.exe" -run_agent
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1732
  - - C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rutserv.exe
      "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rutserv.exe" -run_agent -second
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rfusclient.exe
        
        "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rfusclient.exe" /tray /user
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\branding.ini

Filesize
688B

MD5
94afcd811afc83f2e7c38cb33f22e2f5

SHA1
12694934bf87d10d82bcf1eaf127cc43ac0c7c3a

SHA256
385ae3bedfd118d5694f0059db7b69f5c7053d15a655d42f3723cf3da0c8fdc9

SHA512
9db621136777c9cee6414b7ae3106b906369be62780128888a45afc5253a9580e5376d10a11ca9ab8729afcc6867aa19ecf3ec8da5bf4ec1b63a0aa4edcd048d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\eventmsg.dll

Filesize
51KB

MD5
4e84df6558c385bc781cddea34c9fba3

SHA1
6d63d87c19c11bdbfa484a5835ffffd7647296c8

SHA256
0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d

SHA512
c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\libeay32.dll

Filesize
1.3MB

MD5
f8fbc228c3139532971f66881262b940

SHA1
f1655c3b836c764fdc0bb07661c3ef70a9f51318

SHA256
e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604

SHA512
cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\logo.png

Filesize
11KB

MD5
3a20dd99ac24d81fe9307e6eb4c64c17

SHA1
2ac09f091208e3f506740614d847d8518753909a

SHA256
8807c77a8a4d57d11f4318a2731eb135245a56227d945b03eb42e1285e65e8f2

SHA512
4e154bdf01fd4c6f9c4f633655a82331c320df4ece6675d0583a148152d3465ed4aeec2286e045fd59522f112024f91244218a16cb09431b1524a1982791ae93

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rfusclient.exe

Filesize
11.1MB

MD5
0bde36e64c97bc8c2cb02aa05249fe28

SHA1
7939e68abddb44f1d91acb2694e3c56ef85371eb

SHA256
6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d

SHA512
2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rfusclient.exe

Filesize
11.1MB

MD5
0bde36e64c97bc8c2cb02aa05249fe28

SHA1
7939e68abddb44f1d91acb2694e3c56ef85371eb

SHA256
6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d

SHA512
2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rfusclient.exe

Filesize
11.1MB

MD5
0bde36e64c97bc8c2cb02aa05249fe28

SHA1
7939e68abddb44f1d91acb2694e3c56ef85371eb

SHA256
6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d

SHA512
2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rutserv.exe

Filesize
18.0MB

MD5
a4ebaae03c33f847be0938570445aeaa

SHA1
8665c2c26924e3fe70c39a2b8513d7f076dba10b

SHA256
423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8

SHA512
e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rutserv.exe

Filesize
18.0MB

MD5
a4ebaae03c33f847be0938570445aeaa

SHA1
8665c2c26924e3fe70c39a2b8513d7f076dba10b

SHA256
423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8

SHA512
e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rutserv.exe

Filesize
18.0MB

MD5
a4ebaae03c33f847be0938570445aeaa

SHA1
8665c2c26924e3fe70c39a2b8513d7f076dba10b

SHA256
423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8

SHA512
e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\settings.dat

Filesize
12KB

MD5
b8fc3cd2944c8ec1200e551a8767dcda

SHA1
f55a096d5a9c1261486b1cdc87e5e8924d25db70

SHA256
8f7f167b92ba1056384ec4dfec0e3ece65a4163d00534d48a13e8ceaaf4ee5f8

SHA512
d9d19e89e620d122f485ea5730d6b87a55f8c1aaa73763814e819dd29b4718e49e19a50aae6564f6960eaa1229a18a3898e2a53637609ebd26f6ad77d9e81558

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\ssleay32.dll

Filesize
336KB

MD5
fe8cda03e1df3c3a6dc8375263e790c3

SHA1
67955da301ef89cd0429074e403769721e7594be

SHA256
1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd

SHA512
0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\vp8decoder.dll

Filesize
379KB

MD5
e247666cdea63da5a95aebc135908207

SHA1
4642f6c3973c41b7d1c9a73111a26c2d7ac9c392

SHA256
b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33

SHA512
06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\vp8encoder.dll

Filesize
1.6MB

MD5
d5c2a6ac30e76b7c9b55adf1fe5c1e4a

SHA1
3d841eb48d1a32b511611d4b9e6eed71e2c373ee

SHA256
11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428

SHA512
3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\webmmux.dll

Filesize
259KB

MD5
49c51ace274d7db13caa533880869a4a

SHA1
b539ed2f1a15e2d4e5c933611d736e0c317b8313

SHA256
1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b

SHA512
13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\webmvorbisdecoder.dll

Filesize
364KB

MD5
eda07083af5b6608cb5b7c305d787842

SHA1
d1703c23522d285a3ccdaf7ba2eb837d40608867

SHA256
c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d

SHA512
be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\webmvorbisencoder.dll

Filesize
859KB

MD5
642dc7e57f0c962b9db4c8fb346bc5a7

SHA1
acee24383b846f7d12521228d69135e5704546f6

SHA256
63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede

SHA512
fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

Download Submit
\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\libeay32.dll

Filesize
1.3MB

MD5
f8fbc228c3139532971f66881262b940

SHA1
f1655c3b836c764fdc0bb07661c3ef70a9f51318

SHA256
e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604

SHA512
cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

Download Submit
\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\libeay32.dll

Filesize
1.3MB

MD5
f8fbc228c3139532971f66881262b940

SHA1
f1655c3b836c764fdc0bb07661c3ef70a9f51318

SHA256
e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604

SHA512
cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

Download Submit
\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rfusclient.exe

Filesize
11.1MB

MD5
0bde36e64c97bc8c2cb02aa05249fe28

SHA1
7939e68abddb44f1d91acb2694e3c56ef85371eb

SHA256
6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d

SHA512
2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

Download Submit
\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rutserv.exe

Filesize
18.0MB

MD5
a4ebaae03c33f847be0938570445aeaa

SHA1
8665c2c26924e3fe70c39a2b8513d7f076dba10b

SHA256
423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8

SHA512
e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

Download Submit
\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rutserv.exe

Filesize
18.0MB

MD5
a4ebaae03c33f847be0938570445aeaa

SHA1
8665c2c26924e3fe70c39a2b8513d7f076dba10b

SHA256
423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8

SHA512
e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

Download Submit
\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rutserv.exe

Filesize
18.0MB

MD5
a4ebaae03c33f847be0938570445aeaa

SHA1
8665c2c26924e3fe70c39a2b8513d7f076dba10b

SHA256
423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8

SHA512
e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

Download Submit
\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\rutserv.exe

Filesize
18.0MB

MD5
a4ebaae03c33f847be0938570445aeaa

SHA1
8665c2c26924e3fe70c39a2b8513d7f076dba10b

SHA256
423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8

SHA512
e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

Download Submit
\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\ssleay32.dll

Filesize
336KB

MD5
fe8cda03e1df3c3a6dc8375263e790c3

SHA1
67955da301ef89cd0429074e403769721e7594be

SHA256
1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd

SHA512
0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

Download Submit
\Users\Admin\AppData\Roaming\RMS Agent\70020\FAC719FD36\ssleay32.dll

Filesize
336KB

MD5
fe8cda03e1df3c3a6dc8375263e790c3

SHA1
67955da301ef89cd0429074e403769721e7594be

SHA256
1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd

SHA512
0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

Download Submit
memory/1764-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1764-59-0x0000000000400000-0x00000000027CA000-memory.dmp

Filesize
35.8MB

Download
memory/1764-55-0x0000000000400000-0x00000000027CA000-memory.dmp

Filesize
35.8MB

Download