Resubmissions

19-04-2023 01:43

230419-b5gtaafe75 10

Analysis

  • max time kernel
    142s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-04-2023 01:43

General

  • Target

    ClasSvc.exe

  • Size

    17.1MB

  • MD5

    305e71ec353a718b055ea9acaa6598a3

  • SHA1

    3d26bb3b0a669b98c5226bcdd3473440e47162d5

  • SHA256

    031f9345c33543366e9c66447f4f3fb085a2e04f3c2f98f562f191de6a413dd0

  • SHA512

    2f9c163ac5e2980825b536b384329714dc602079e4bd0b9e2654df40fcd659e67e4e2a17b338a81fc8ac39e0ff1ae83b625e102f9308a0734948412c4a4dc2eb

  • SSDEEP

    196608:uNjzJSeEtAVBt4/BixizJcPM5OzQ6UM6pZpKerXvob24hwhxbQLJC:uNjzJSeE0D4KiZ5OyM6pXTrXvMwrbQLM

Score
10/10

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by the Russian organization TektonIT.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ClasSvc.exe
    "C:\Users\Admin\AppData\Local\Temp\ClasSvc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4464
    • C:\Users\Admin\AppData\Local\Temp\ClasSvc.exe
      C:\Users\Admin\AppData\Local\Temp\ClasSvc.exe -run_agent -second
      2⤵
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:644

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/644-143-0x0000000004D40000-0x0000000004D41000-memory.dmp (Filesize: 4KB)
  • memory/644-137-0x0000000004D40000-0x0000000004D41000-memory.dmp (Filesize: 4KB)
  • memory/644-139-0x0000000005380000-0x0000000005381000-memory.dmp (Filesize: 4KB)
  • memory/644-140-0x00000000054D0000-0x00000000054D1000-memory.dmp (Filesize: 4KB)
  • memory/644-141-0x00000000054E0000-0x00000000054E1000-memory.dmp (Filesize: 4KB)
  • memory/644-142-0x0000000000400000-0x00000000015C3000-memory.dmp (Filesize: 17.8MB)
  • memory/644-144-0x0000000000400000-0x00000000015C3000-memory.dmp (Filesize: 17.8MB)
  • memory/644-150-0x0000000000400000-0x00000000015C3000-memory.dmp (Filesize: 17.8MB)
  • memory/644-157-0x0000000000400000-0x00000000015C3000-memory.dmp (Filesize: 17.8MB)
  • memory/4464-135-0x0000000005090000-0x0000000005091000-memory.dmp (Filesize: 4KB)
  • memory/4464-134-0x0000000005040000-0x0000000005041000-memory.dmp (Filesize: 4KB)
  • memory/4464-136-0x0000000000400000-0x00000000015C3000-memory.dmp (Filesize: 17.8MB)
  • memory/4464-133-0x0000000001DE0000-0x0000000001DE1000-memory.dmp (Filesize: 4KB)