rms | 916d53e09da4c910f04585026f5aab7410c391e30c0d560159ad16e936272eeb

Analysis

max time kernel
141s
max time network
199s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe
Size

4.1MB
MD5

3eaf114e7d481c57147ed8b8ba3c4caa
SHA1

62ce40d8a9c47527e88dab1e3e60e8495cad6029
SHA256

916d53e09da4c910f04585026f5aab7410c391e30c0d560159ad16e936272eeb
SHA512

0112492901fccec1f5045860b5a1093c38cd859ee3f531ae7aed7ce3c01ea2d9df05420cb93293876b68c5f9ab91b293316df0a068f059c0ba27d6d93de2b2fc
SSDEEP

98304:6gCJYcoRB/Om0t7MZwAvPcVx0qa96SQ7p1YGt4Q24DEBziWz:6gCScaB/Om0tkw2EEqh1YVV4QV

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 3 IoCs

Processes:

osmserv.exeosmserv.exeosmserv.exe

pid process

1504 osmserv.exe
1496 osmserv.exe
840 osmserv.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

osmserv.exeosmserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	osmserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	osmserv.exe

Loads dropped DLL 11 IoCs

Processes:

916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exeosmserv.exeosmserv.exeosmserv.exe

pid	process
1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe
1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe
1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe
1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe
1504	osmserv.exe
1504	osmserv.exe
1496	osmserv.exe
1496	osmserv.exe
1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe
840	osmserv.exe
840	osmserv.exe

Drops file in Program Files directory 3 IoCs

Processes:

916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe

description	ioc	process
File created	C:\Program Files\OSM\osmserv.exe	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe
File created	C:\Program Files\OSM\ssleay32.dll	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe
File created	C:\Program Files\OSM\libeay32.dll	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1340 schtasks.exe

pid	process
1340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

osmserv.exeosmserv.exeosmserv.exe

pid	process
1504	osmserv.exe
1504	osmserv.exe
1504	osmserv.exe
1504	osmserv.exe
1504	osmserv.exe
1504	osmserv.exe
1496	osmserv.exe
1496	osmserv.exe
1496	osmserv.exe
1496	osmserv.exe
1496	osmserv.exe
1496	osmserv.exe
840	osmserv.exe
840	osmserv.exe
840	osmserv.exe
840	osmserv.exe
840	osmserv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

osmserv.exeosmserv.exe

description	pid	process
Token: SeDebugPrivilege	1504	osmserv.exe
Token: SeTakeOwnershipPrivilege	1496	osmserv.exe
Token: SeTcbPrivilege	1496	osmserv.exe
Token: SeTcbPrivilege	1496	osmserv.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

osmserv.exeosmserv.exeosmserv.exe

pid	process
1504	osmserv.exe
1504	osmserv.exe
1504	osmserv.exe
1504	osmserv.exe
1496	osmserv.exe
1496	osmserv.exe
1496	osmserv.exe
1496	osmserv.exe
840	osmserv.exe
840	osmserv.exe
840	osmserv.exe
840	osmserv.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.execmd.exetaskeng.exe

description	pid	process	target process
PID 1776 wrote to memory of 1504	1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe	osmserv.exe
PID 1776 wrote to memory of 1504	1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe	osmserv.exe
PID 1776 wrote to memory of 1504	1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe	osmserv.exe
PID 1776 wrote to memory of 1504	1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe	osmserv.exe
PID 1776 wrote to memory of 828	1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe	cmd.exe
PID 1776 wrote to memory of 828	1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe	cmd.exe
PID 1776 wrote to memory of 828	1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe	cmd.exe
PID 1776 wrote to memory of 828	1776	916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe	cmd.exe
PID 828 wrote to memory of 1340	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 1340	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 1340	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 1340	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 1356	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 1356	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 1356	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 1356	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 1112	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 1112	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 1112	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 1112	828	cmd.exe	schtasks.exe
PID 1808 wrote to memory of 840	1808	taskeng.exe	osmserv.exe
PID 1808 wrote to memory of 840	1808	taskeng.exe	osmserv.exe
PID 1808 wrote to memory of 840	1808	taskeng.exe	osmserv.exe
PID 1808 wrote to memory of 840	1808	taskeng.exe	osmserv.exe

C:\Users\Admin\AppData\Local\Temp\916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe
"C:\Users\Admin\AppData\Local\Temp\916D53E09DA4C910F04585026F5AAB7410C391E30C0D5.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files\OSM\osmserv.exe
"C:\Program Files\OSM\osmserv.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Program Files\OSM\osmserv.exe
"C:\Program Files\OSM\osmserv.exe" -second
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c SchTasks /create /f /XML %temp%\Log360.xml /TN \microsoft\windows\defrag\scheduleddefrag && schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE && schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\schtasks.exe
SchTasks /create /f /XML C:\Users\Admin\AppData\Local\Temp\Log360.xml /TN \microsoft\windows\defrag\scheduleddefrag
3⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE
3⤵
PID:1356

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
3⤵
PID:1112

C:\Windows\system32\taskeng.exe
taskeng.exe {C4A35032-FE20-4ADA-94CC-A32D0E1E2F8A} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files\OSM\osmserv.exe
"C:\Program Files\OSM\osmserv.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\OSM\libeay32.dll
Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Program Files\OSM\osmserv.exe
Filesize
11.2MB

MD5
472741c5c56e6bc0abda9e34615f3e6d

SHA1
93f34ab3e7787ac577837904c3a4eb6374c25aaa

SHA256
87846d788c3a189eed07822136e23d63413c4da216a08e1ea0e1cfadb54093fd

SHA512
437bf378acc09141c2f41f63d5b3afd2b17e4f51b88d8ff5a5c306cc85ad0dcb57dc5c8474b64f40b070530aac93b94fa46c0d0b8550d1027e8459d76b05d89e

Download Submit
C:\Program Files\OSM\osmserv.exe
Filesize
11.2MB

MD5
472741c5c56e6bc0abda9e34615f3e6d

SHA1
93f34ab3e7787ac577837904c3a4eb6374c25aaa

SHA256
87846d788c3a189eed07822136e23d63413c4da216a08e1ea0e1cfadb54093fd

SHA512
437bf378acc09141c2f41f63d5b3afd2b17e4f51b88d8ff5a5c306cc85ad0dcb57dc5c8474b64f40b070530aac93b94fa46c0d0b8550d1027e8459d76b05d89e

Download Submit
C:\Program Files\OSM\osmserv.exe
Filesize
11.2MB

MD5
472741c5c56e6bc0abda9e34615f3e6d

SHA1
93f34ab3e7787ac577837904c3a4eb6374c25aaa

SHA256
87846d788c3a189eed07822136e23d63413c4da216a08e1ea0e1cfadb54093fd

SHA512
437bf378acc09141c2f41f63d5b3afd2b17e4f51b88d8ff5a5c306cc85ad0dcb57dc5c8474b64f40b070530aac93b94fa46c0d0b8550d1027e8459d76b05d89e

Download Submit
C:\Program Files\OSM\osmserv.exe
Filesize
11.2MB

MD5
472741c5c56e6bc0abda9e34615f3e6d

SHA1
93f34ab3e7787ac577837904c3a4eb6374c25aaa

SHA256
87846d788c3a189eed07822136e23d63413c4da216a08e1ea0e1cfadb54093fd

SHA512
437bf378acc09141c2f41f63d5b3afd2b17e4f51b88d8ff5a5c306cc85ad0dcb57dc5c8474b64f40b070530aac93b94fa46c0d0b8550d1027e8459d76b05d89e

Download Submit
C:\Program Files\OSM\ssleay32.dll
Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log360.xml
Filesize
1KB

MD5
19bee630b0262c8cfaa3352c6bc3cbc7

SHA1
cbf015af4909c920af7268430e757015cb5d1d26

SHA256
1235422a8be537021b5688cd129b60fc145f33af7c46e35ba2b59e77cd48352d

SHA512
65e7db3dffa067641149e2556a140eabc14edeb13ae132754f292d1a3f484df45facbf16722cefd9cc958a1f7026a310b41755552a10438984a61a6772fb3d1f

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\OSM\libeay32.dll
Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\Program Files\OSM\libeay32.dll
Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\Program Files\OSM\libeay32.dll
Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\Program Files\OSM\osmserv.exe
Filesize
11.2MB

MD5
472741c5c56e6bc0abda9e34615f3e6d

SHA1
93f34ab3e7787ac577837904c3a4eb6374c25aaa

SHA256
87846d788c3a189eed07822136e23d63413c4da216a08e1ea0e1cfadb54093fd

SHA512
437bf378acc09141c2f41f63d5b3afd2b17e4f51b88d8ff5a5c306cc85ad0dcb57dc5c8474b64f40b070530aac93b94fa46c0d0b8550d1027e8459d76b05d89e

Download Submit
\Program Files\OSM\ssleay32.dll
Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\Program Files\OSM\ssleay32.dll
Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\Program Files\OSM\ssleay32.dll
Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\Users\Admin\AppData\Local\Temp\nsoEEE3.tmp\NSISList.dll
Filesize
105KB

MD5
4b0617493f32b2b5fe5e838eeb885819

SHA1
336e84380420a9caaa9c12af7c8e530135e63c57

SHA256
df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402

SHA512
5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143

Download Submit
\Users\Admin\AppData\Local\Temp\nsoEEE3.tmp\System.dll
Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsoEEE3.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
\Users\Admin\AppData\Local\Temp\nsoEEE3.tmp\registry.dll
Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
memory/828-73-0x0000000000000000-mapping.dmp

Download
memory/840-78-0x0000000000000000-mapping.dmp

Download
memory/1112-77-0x0000000000000000-mapping.dmp

Download
memory/1340-74-0x0000000000000000-mapping.dmp

Download
memory/1356-76-0x0000000000000000-mapping.dmp

Download
memory/1504-60-0x0000000000000000-mapping.dmp

Download
memory/1776-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1776-57-0x0000000000570000-0x0000000000594000-memory.dmp

Filesize
144KB

Download