rms | e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2

Analysis

max time kernel
150s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe
Size

7.2MB
MD5

faf5021dc3a27579ea50efced8a4f137
SHA1

c06cc6593ac3b29af35566d96d649db45001db8e
SHA256

e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2
SHA512

01b495962b976c366b92381fd8c7031df446663b6c06f4f251a9c17017ffb00cbb1f08de55423a6aa6219454f472d2ef8a6a8eb245ceff690cd70540636b3eb4
SSDEEP

196608:DdbSqYn+fJi3qpm6JrfuDG4RRvLjqYSMoO4dsjkS2YfGo/v:DdSqYn+xi3qpmUOL4uj1tfGo/v

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Blocklisted process makes network request 4 IoCs

flow	pid	Process
51	2524	msiexec.exe
56	2524	msiexec.exe
58	2524	msiexec.exe
60	2524	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
4496	rutserv.exe
4864	rutserv.exe
1136	rutserv.exe
3476	rutserv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe

Loads dropped DLL 5 IoCs

pid	Process
1776	MsiExec.exe
4496	rutserv.exe
4864	rutserv.exe
1136	rutserv.exe
3476	rutserv.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Program Files directory 58 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll	cmd.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Microsoft.VC90.CRT.manifest	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisEncoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\msvcr90.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll	cmd.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\msvcp90.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisDecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\gdiplus.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57deca.msi	msiexec.exe
File created	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\e57dec7.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}	msiexec.exe
File opened for modification	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI86B0.tmp	msiexec.exe
File created	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dec7.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7AF7.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
628	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\468760457E0CBD740A1C6D8C47ECB68D\RMS	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Version = "100602960"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Language = "1049"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\ProductIcon = "C:\\Windows\\Installer\\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\468760457E0CBD740A1C6D8C47ECB68D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\PackageName = "rms.host5.5ru_mod3.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\468760457E0CBD740A1C6D8C47ECB68D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\PackageCode = "F23A46DC50B831949B88AB866205389B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
60	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2524	msiexec.exe
2524	msiexec.exe
4496	rutserv.exe
4496	rutserv.exe
4496	rutserv.exe
4496	rutserv.exe
4496	rutserv.exe
4496	rutserv.exe
4864	rutserv.exe
4864	rutserv.exe
1136	rutserv.exe
1136	rutserv.exe
3476	rutserv.exe
3476	rutserv.exe
3476	rutserv.exe
3476	rutserv.exe
3476	rutserv.exe
3476	rutserv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeShutdownPrivilege	212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	212	msiexec.exe
Token: SeSecurityPrivilege	2524	msiexec.exe
Token: SeCreateTokenPrivilege	212	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	212	msiexec.exe
Token: SeLockMemoryPrivilege	212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	212	msiexec.exe
Token: SeMachineAccountPrivilege	212	msiexec.exe
Token: SeTcbPrivilege	212	msiexec.exe
Token: SeSecurityPrivilege	212	msiexec.exe
Token: SeTakeOwnershipPrivilege	212	msiexec.exe
Token: SeLoadDriverPrivilege	212	msiexec.exe
Token: SeSystemProfilePrivilege	212	msiexec.exe
Token: SeSystemtimePrivilege	212	msiexec.exe
Token: SeProfSingleProcessPrivilege	212	msiexec.exe
Token: SeIncBasePriorityPrivilege	212	msiexec.exe
Token: SeCreatePagefilePrivilege	212	msiexec.exe
Token: SeCreatePermanentPrivilege	212	msiexec.exe
Token: SeBackupPrivilege	212	msiexec.exe
Token: SeRestorePrivilege	212	msiexec.exe
Token: SeShutdownPrivilege	212	msiexec.exe
Token: SeDebugPrivilege	212	msiexec.exe
Token: SeAuditPrivilege	212	msiexec.exe
Token: SeSystemEnvironmentPrivilege	212	msiexec.exe
Token: SeChangeNotifyPrivilege	212	msiexec.exe
Token: SeRemoteShutdownPrivilege	212	msiexec.exe
Token: SeUndockPrivilege	212	msiexec.exe
Token: SeSyncAgentPrivilege	212	msiexec.exe
Token: SeEnableDelegationPrivilege	212	msiexec.exe
Token: SeManageVolumePrivilege	212	msiexec.exe
Token: SeImpersonatePrivilege	212	msiexec.exe
Token: SeCreateGlobalPrivilege	212	msiexec.exe
Token: SeShutdownPrivilege	4276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4276	msiexec.exe
Token: SeCreateTokenPrivilege	4276	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4276	msiexec.exe
Token: SeLockMemoryPrivilege	4276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4276	msiexec.exe
Token: SeMachineAccountPrivilege	4276	msiexec.exe
Token: SeTcbPrivilege	4276	msiexec.exe
Token: SeSecurityPrivilege	4276	msiexec.exe
Token: SeTakeOwnershipPrivilege	4276	msiexec.exe
Token: SeLoadDriverPrivilege	4276	msiexec.exe
Token: SeSystemProfilePrivilege	4276	msiexec.exe
Token: SeSystemtimePrivilege	4276	msiexec.exe
Token: SeProfSingleProcessPrivilege	4276	msiexec.exe
Token: SeIncBasePriorityPrivilege	4276	msiexec.exe
Token: SeCreatePagefilePrivilege	4276	msiexec.exe
Token: SeCreatePermanentPrivilege	4276	msiexec.exe
Token: SeBackupPrivilege	4276	msiexec.exe
Token: SeRestorePrivilege	4276	msiexec.exe
Token: SeShutdownPrivilege	4276	msiexec.exe
Token: SeDebugPrivilege	4276	msiexec.exe
Token: SeAuditPrivilege	4276	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4276	msiexec.exe
Token: SeChangeNotifyPrivilege	4276	msiexec.exe
Token: SeRemoteShutdownPrivilege	4276	msiexec.exe
Token: SeUndockPrivilege	4276	msiexec.exe
Token: SeSyncAgentPrivilege	4276	msiexec.exe
Token: SeEnableDelegationPrivilege	4276	msiexec.exe
Token: SeManageVolumePrivilege	4276	msiexec.exe
Token: SeImpersonatePrivilege	4276	msiexec.exe
Token: SeCreateGlobalPrivilege	4276	msiexec.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1228	1532	e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe	83
PID 1532 wrote to memory of 1228	1532	e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe	83
PID 1532 wrote to memory of 1228	1532	e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe	83
PID 1228 wrote to memory of 4228	1228	cmd.exe	85
PID 1228 wrote to memory of 4228	1228	cmd.exe	85
PID 1228 wrote to memory of 4228	1228	cmd.exe	85
PID 1228 wrote to memory of 628	1228	cmd.exe	86
PID 1228 wrote to memory of 628	1228	cmd.exe	86
PID 1228 wrote to memory of 628	1228	cmd.exe	86
PID 1228 wrote to memory of 32	1228	cmd.exe	87
PID 1228 wrote to memory of 32	1228	cmd.exe	87
PID 1228 wrote to memory of 32	1228	cmd.exe	87
PID 1228 wrote to memory of 212	1228	cmd.exe	88
PID 1228 wrote to memory of 212	1228	cmd.exe	88
PID 1228 wrote to memory of 212	1228	cmd.exe	88
PID 1228 wrote to memory of 4276	1228	cmd.exe	90
PID 1228 wrote to memory of 4276	1228	cmd.exe	90
PID 1228 wrote to memory of 4276	1228	cmd.exe	90
PID 1228 wrote to memory of 4312	1228	cmd.exe	91
PID 1228 wrote to memory of 4312	1228	cmd.exe	91
PID 1228 wrote to memory of 4312	1228	cmd.exe	91
PID 1228 wrote to memory of 1352	1228	cmd.exe	92
PID 1228 wrote to memory of 1352	1228	cmd.exe	92
PID 1228 wrote to memory of 1352	1228	cmd.exe	92
PID 1228 wrote to memory of 1884	1228	cmd.exe	93
PID 1228 wrote to memory of 1884	1228	cmd.exe	93
PID 1228 wrote to memory of 1884	1228	cmd.exe	93
PID 1228 wrote to memory of 4460	1228	cmd.exe	94
PID 1228 wrote to memory of 4460	1228	cmd.exe	94
PID 1228 wrote to memory of 4460	1228	cmd.exe	94
PID 1228 wrote to memory of 4552	1228	cmd.exe	95
PID 1228 wrote to memory of 4552	1228	cmd.exe	95
PID 1228 wrote to memory of 4552	1228	cmd.exe	95
PID 1228 wrote to memory of 4068	1228	cmd.exe	96
PID 1228 wrote to memory of 4068	1228	cmd.exe	96
PID 1228 wrote to memory of 4068	1228	cmd.exe	96
PID 1228 wrote to memory of 4288	1228	cmd.exe	97
PID 1228 wrote to memory of 4288	1228	cmd.exe	97
PID 1228 wrote to memory of 4288	1228	cmd.exe	97
PID 1228 wrote to memory of 1888	1228	cmd.exe	98
PID 1228 wrote to memory of 1888	1228	cmd.exe	98
PID 1228 wrote to memory of 1888	1228	cmd.exe	98
PID 1228 wrote to memory of 60	1228	cmd.exe	99
PID 1228 wrote to memory of 60	1228	cmd.exe	99
PID 1228 wrote to memory of 60	1228	cmd.exe	99
PID 1228 wrote to memory of 3624	1228	cmd.exe	102
PID 1228 wrote to memory of 3624	1228	cmd.exe	102
PID 1228 wrote to memory of 3624	1228	cmd.exe	102
PID 2524 wrote to memory of 1776	2524	msiexec.exe	105
PID 2524 wrote to memory of 1776	2524	msiexec.exe	105
PID 2524 wrote to memory of 1776	2524	msiexec.exe	105
PID 2524 wrote to memory of 4496	2524	msiexec.exe	109
PID 2524 wrote to memory of 4496	2524	msiexec.exe	109
PID 2524 wrote to memory of 4496	2524	msiexec.exe	109
PID 2524 wrote to memory of 4864	2524	msiexec.exe	110
PID 2524 wrote to memory of 4864	2524	msiexec.exe	110
PID 2524 wrote to memory of 4864	2524	msiexec.exe	110
PID 2524 wrote to memory of 1136	2524	msiexec.exe	111
PID 2524 wrote to memory of 1136	2524	msiexec.exe	111
PID 2524 wrote to memory of 1136	2524	msiexec.exe	111

C:\Users\Admin\AppData\Local\Temp\e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe
"C:\Users\Admin\AppData\Local\Temp\e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    PID:32
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {54067864-C0E7-47DB-A0C1-D6C874CE6BD8} /qn REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {B04BFE4C-7F11-49D8-ADFE-867939D886FA} /qn REBOOT=ReallySuppress
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {2B0A2EED-E2C8-40CE-A701-95B211A39B34} /qn REBOOT=ReallySuppress
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {11A90858-40BB-4858-A2DA-CA6495B5E907} /qn REBOOT=ReallySuppress
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {CD64A32F-8B05-4913-B988-BA68265083B9} /qn REBOOT=ReallySuppress
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:60
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /I "rms.host5.5ru_mod3.msi" /qn
    3⤵
    PID:3624

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 17C0733FD732AD55E5E5C78B339BBB37
  2⤵
  - Loads dropped DLL
  PID:1776
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1136

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.7MB

MD5
3d49b75df140bd962f7f83b7f3124607

SHA1
059d1b9e4a2128b5a61ea68ef14ab406aadb54b2

SHA256
e41e6b7e3bf9c70877e58bdf3f2d672931529de6efefcda8d45e72bb8ac5e6b6

SHA512
c17e1533793aa53064c8ec7c458a26e4470f910014056ab275896815063c259be13d7260fdbedf824f301dad0bb8340eb1dc39b684f52c5c0a8e544d2cf89c58

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.7MB

MD5
3d49b75df140bd962f7f83b7f3124607

SHA1
059d1b9e4a2128b5a61ea68ef14ab406aadb54b2

SHA256
e41e6b7e3bf9c70877e58bdf3f2d672931529de6efefcda8d45e72bb8ac5e6b6

SHA512
c17e1533793aa53064c8ec7c458a26e4470f910014056ab275896815063c259be13d7260fdbedf824f301dad0bb8340eb1dc39b684f52c5c0a8e544d2cf89c58

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.7MB

MD5
3d49b75df140bd962f7f83b7f3124607

SHA1
059d1b9e4a2128b5a61ea68ef14ab406aadb54b2

SHA256
e41e6b7e3bf9c70877e58bdf3f2d672931529de6efefcda8d45e72bb8ac5e6b6

SHA512
c17e1533793aa53064c8ec7c458a26e4470f910014056ab275896815063c259be13d7260fdbedf824f301dad0bb8340eb1dc39b684f52c5c0a8e544d2cf89c58

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.7MB

MD5
3d49b75df140bd962f7f83b7f3124607

SHA1
059d1b9e4a2128b5a61ea68ef14ab406aadb54b2

SHA256
e41e6b7e3bf9c70877e58bdf3f2d672931529de6efefcda8d45e72bb8ac5e6b6

SHA512
c17e1533793aa53064c8ec7c458a26e4470f910014056ab275896815063c259be13d7260fdbedf824f301dad0bb8340eb1dc39b684f52c5c0a8e544d2cf89c58

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.7MB

MD5
3d49b75df140bd962f7f83b7f3124607

SHA1
059d1b9e4a2128b5a61ea68ef14ab406aadb54b2

SHA256
e41e6b7e3bf9c70877e58bdf3f2d672931529de6efefcda8d45e72bb8ac5e6b6

SHA512
c17e1533793aa53064c8ec7c458a26e4470f910014056ab275896815063c259be13d7260fdbedf824f301dad0bb8340eb1dc39b684f52c5c0a8e544d2cf89c58

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

Filesize
1KB

MD5
d50d5abf61130986c22c1434c52dd303

SHA1
0ad25d3bc9d3d378d4c003213d1b2dd6b55e019b

SHA256
809a84544e09da151e9efaa1217276bc7c86b5602986f6ddec80fb800040e45d

SHA512
6fb570cb04819ce525f72d0fdd4472bbc8553a5649f3a7a0e0812ba4a2595af45f7892fb7877f8ae4ce26eafd8d64a9faf7b733af5837ac9dff7af1e4dc691a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host5.5ru_mod3.msi

Filesize
7.9MB

MD5
3f7771670a48eb758ca4782dcbdcece7

SHA1
2b591362464c3c1b060fed47ac5d2e07d8bdd61f

SHA256
674198f6bf6a5a840a81ed6957c1ddfa589aae99550d9ed2eef46f3bcf919545

SHA512
4e8c69fd45407b4c167c5b3ba61e0b1d535c6078c3a656d1237777ce117b5154d6cc4fc715a088dd21f563225e545631a88b0057f9c3a7487ee53fef323b3739

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
C:\Windows\Installer\MSI7AF7.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\MSI7AF7.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
memory/1136-169-0x0000000073470000-0x0000000073477000-memory.dmp

Filesize
28KB

Download
memory/4496-161-0x0000000073470000-0x0000000073477000-memory.dmp

Filesize
28KB

Download
memory/4496-160-0x0000000073470000-0x0000000073477000-memory.dmp

Filesize
28KB

Download
memory/4864-165-0x0000000073470000-0x0000000073477000-memory.dmp

Filesize
28KB

Download