rms | 65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e

Analysis

max time kernel
115s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
Size

4.4MB
MD5

a4ef524bb21b66a9e6267ed8bc871cef
SHA1

4363f160e06afea785f43261c69ea2c3d11b3207
SHA256

65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e
SHA512

eba6c78c3c2b1ce195b4a16f75c332c35001b860a359bd1182277580347d6c0825fdba109ab1644b61b2ab3c0e4f403d12554af2807dceda6aa944503e0086a8
SSDEEP

98304:FXKa77HBa1WujIh01MeYvMHXEWxXV4cVYs:F3lFh0KTEEWxXnWs

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 4 IoCs

Processes:

7z.exerutserv.exerutserv.exerutserv.exe

pid process

4880 7z.exe
3656 rutserv.exe
1784 rutserv.exe
2340 rutserv.exe

pid	process
4880	7z.exe
3656	rutserv.exe
1784	rutserv.exe
2340	rutserv.exe

Loads dropped DLL 8 IoCs

Processes:

65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe7z.exerutserv.exerutserv.exerutserv.exe

pid	process
4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
4880	7z.exe
4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
3656	rutserv.exe
4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
1784	rutserv.exe
4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
2340	rutserv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft® Maintenance Scheduler = "C:\\Windows\\system32\\sysfiles\\dllhost.exe"	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe

Drops file in System32 directory 42 IoCs

Processes:

7z.exe65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\sysfiles\RIPCServer.dll	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\winmm.dll	7z.exe
File created	C:\Windows\SysWOW64\7z.exe	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
File created	C:\Windows\SysWOW64\7z.dll	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
File created	C:\Windows\SysWOW64\sysfiles\English.lg	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\gdiplus.dll	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\hideprlib.dll	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcp90.dll	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\winmm.dll	7z.exe
File created	C:\Windows\SysWOW64\sysfiles.7z	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\rfusclient.exe	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\dsfVorbisDecoder.dll	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\msvcp90.dll	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\vp8decoder.dll	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8encoder.dll	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles.7z	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\Microsoft.VC90.CRT.manifest	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\ProcessList.txt	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\English.lg	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\dsfVorbisEncoder.dll	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\RWLN.dll	7z.exe
File opened for modification	C:\Windows\SysWOW64\7z.exe	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
File created	C:\Windows\SysWOW64\sysfiles\Russian.lg	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\Russian.lg	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\RIPCServer.dll	7z.exe
File opened for modification	C:\Windows\SysWOW64\7z.dll	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
File created	C:\Windows\SysWOW64\sysfiles\dsfVorbisEncoder.dll	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\hideprlib.dll	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\Logs	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\vp8encoder.dll	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\Microsoft.VC90.CRT.manifest	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\ProcessList.txt	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\rfusclient.exe	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcr90.dll	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\msvcr90.dll	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8decoder.dll	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\rutserv.exe	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\rutserv.exe	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\dsfVorbisDecoder.dll	7z.exe
File created	C:\Windows\SysWOW64\sysfiles\gdiplus.dll	7z.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\RWLN.dll	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rutserv.exerutserv.exerutserv.exe

pid process

3656 rutserv.exe
3656 rutserv.exe
1784 rutserv.exe
1784 rutserv.exe
2340 rutserv.exe
2340 rutserv.exe

pid	process
3656	rutserv.exe
3656	rutserv.exe
1784	rutserv.exe
1784	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe

description	pid	process	target process
PID 4804 wrote to memory of 4880	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	7z.exe
PID 4804 wrote to memory of 4880	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	7z.exe
PID 4804 wrote to memory of 4880	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	7z.exe
PID 4804 wrote to memory of 3656	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	rutserv.exe
PID 4804 wrote to memory of 3656	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	rutserv.exe
PID 4804 wrote to memory of 3656	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	rutserv.exe
PID 4804 wrote to memory of 1784	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	rutserv.exe
PID 4804 wrote to memory of 1784	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	rutserv.exe
PID 4804 wrote to memory of 1784	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	rutserv.exe
PID 4804 wrote to memory of 2340	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	rutserv.exe
PID 4804 wrote to memory of 2340	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	rutserv.exe
PID 4804 wrote to memory of 2340	4804	65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe	rutserv.exe

C:\Users\Admin\AppData\Local\Temp\65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe
"C:\Users\Admin\AppData\Local\Temp\65e4497f14b0945a2144f28fb14364aa379b642512f6f09a1e6138a9ac2b365e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\7z.exe
"7z.exe" x -p1234 sysfiles.7z
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4880

C:\Windows\SysWOW64\sysfiles\rutserv.exe
"C:\Windows\system32\sysfiles\rutserv.exe" /silentinstall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3656

C:\Windows\SysWOW64\sysfiles\rutserv.exe
"C:\Windows\system32\sysfiles\rutserv.exe" /firewall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Windows\SysWOW64\sysfiles\rutserv.exe
"C:\Windows\system32\sysfiles\rutserv.exe" /start
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsq82F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq82F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq82F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq82F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Windows\SysWOW64\7z.dll
Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Windows\SysWOW64\7z.dll
Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Windows\SysWOW64\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Windows\SysWOW64\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Windows\SysWOW64\sysfiles.7z
Filesize
3.9MB

MD5
3bc1615336a0b00af88d4810f1e647ba

SHA1
ee5b26ad9122a40eb557bc28d20b641166046c72

SHA256
ba2570baf4bef06059419affb7c6658ad79726c4e044e4b7ac11b6fd796d6010

SHA512
4ec61c411df3b24fdecacc0a899014955783f6cb8b0a43b972679bef8d26d54bb45f32ff33ebd0ec11ffdf3aa58002a67575d7df45627b79d9efda1b562a8c42

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe
Filesize
5.7MB

MD5
84abcb8cc5427479c3e4ebe66300c78a

SHA1
4227f7850eaebf08f18aa6a2769a600a05bfbf70

SHA256
a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd

SHA512
2f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe
Filesize
5.7MB

MD5
84abcb8cc5427479c3e4ebe66300c78a

SHA1
4227f7850eaebf08f18aa6a2769a600a05bfbf70

SHA256
a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd

SHA512
2f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe
Filesize
5.7MB

MD5
84abcb8cc5427479c3e4ebe66300c78a

SHA1
4227f7850eaebf08f18aa6a2769a600a05bfbf70

SHA256
a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd

SHA512
2f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe
Filesize
5.7MB

MD5
84abcb8cc5427479c3e4ebe66300c78a

SHA1
4227f7850eaebf08f18aa6a2769a600a05bfbf70

SHA256
a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd

SHA512
2f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a

Download Submit
C:\Windows\SysWOW64\sysfiles\winmm.dll
Filesize
21KB

MD5
91b769ba7d48157f452bd26be72160ec

SHA1
b61e2369084235ebc0bc277c16d3a56ac20a95b9

SHA256
58e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9

SHA512
1c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2

Download Submit
C:\Windows\SysWOW64\sysfiles\winmm.dll
Filesize
21KB

MD5
91b769ba7d48157f452bd26be72160ec

SHA1
b61e2369084235ebc0bc277c16d3a56ac20a95b9

SHA256
58e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9

SHA512
1c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2

Download Submit
C:\Windows\SysWOW64\sysfiles\winmm.dll
Filesize
21KB

MD5
91b769ba7d48157f452bd26be72160ec

SHA1
b61e2369084235ebc0bc277c16d3a56ac20a95b9

SHA256
58e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9

SHA512
1c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2

Download Submit
C:\Windows\SysWOW64\sysfiles\winmm.dll
Filesize
21KB

MD5
91b769ba7d48157f452bd26be72160ec

SHA1
b61e2369084235ebc0bc277c16d3a56ac20a95b9

SHA256
58e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9

SHA512
1c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2

Download Submit
memory/1784-148-0x0000000000000000-mapping.dmp

Download
memory/1784-151-0x0000000073F40000-0x0000000073F47000-memory.dmp

Filesize
28KB

Download
memory/2340-153-0x0000000000000000-mapping.dmp

Download
memory/2340-156-0x0000000073F40000-0x0000000073F47000-memory.dmp

Filesize
28KB

Download
memory/3656-146-0x0000000074150000-0x0000000074157000-memory.dmp

Filesize
28KB

Download
memory/3656-145-0x0000000074150000-0x0000000074157000-memory.dmp

Filesize
28KB

Download
memory/3656-140-0x0000000000000000-mapping.dmp

Download
memory/4880-133-0x0000000000000000-mapping.dmp

Download