rms | 8edbedff95b25d5e437e4ff1ff5197c50ebce68020c9531ccaa09510c6f94a13

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d864a0ac635e811332124e1df1458257.exe
Size

10.4MB
MD5

d864a0ac635e811332124e1df1458257
SHA1

8d2e8e36ad08c6d7a38fdb3304ce25181586cd5c
SHA256

8edbedff95b25d5e437e4ff1ff5197c50ebce68020c9531ccaa09510c6f94a13
SHA512

f1cf8119708965ecf5052be88732e23031afc47676da3482227ce93b90f06064e363012448fb699ee4fdf1bd8643b3aad647de1b77d36ae0a74c6ff8f5ab0f1b
SSDEEP

196608:xoeZUtx0psIKcQEgNvR5ffalRn2amSNJiWa:xlqSsIiEgNvbfSlB2amSNJir

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid	Process
2836	rutserv.exe
2664	rutserv.exe
2564	rutserv.exe
2932	rutserv.exe
1992	rfusclient.exe
1936	rfusclient.exe
1656	rfusclient.exe

Loads dropped DLL 5 IoCs

Processes:

cmd.exerutserv.exe

pid	Process
2736	cmd.exe
2736	cmd.exe
2736	cmd.exe
2932	rutserv.exe
2932	rutserv.exe

Drops file in System32 directory 16 IoCs

Processes:

cmd.exerutserv.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\vp8encoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\rfusclient.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\vp8decoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\rutserv.exe	cmd.exe
File created	C:\Windows\SysWOW64\vp8decoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.exe	cmd.exe
File created	C:\Windows\SysWOW64\RWLN.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dsfVorbisDecoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\RIPCServer.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RIPCServer.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\vp8encoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\dsfVorbisDecoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\rfusclient.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid	Process
1520	regedit.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	Process
2836	rutserv.exe
2836	rutserv.exe
2664	rutserv.exe
2664	rutserv.exe
2564	rutserv.exe
2564	rutserv.exe
2932	rutserv.exe
2932	rutserv.exe
2932	rutserv.exe
2932	rutserv.exe
1936	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid	Process
1656	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rutserv.exerutserv.exerutserv.exe

description	pid	Process
Token: SeDebugPrivilege	2836	rutserv.exe
Token: SeDebugPrivilege	2564	rutserv.exe
Token: SeTakeOwnershipPrivilege	2932	rutserv.exe
Token: SeTcbPrivilege	2932	rutserv.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

d864a0ac635e811332124e1df1458257.execmd.exerutserv.exerfusclient.exe

description	pid	Process	procid_target
PID 2668 wrote to memory of 2736	2668	d864a0ac635e811332124e1df1458257.exe	28
PID 2668 wrote to memory of 2736	2668	d864a0ac635e811332124e1df1458257.exe	28
PID 2668 wrote to memory of 2736	2668	d864a0ac635e811332124e1df1458257.exe	28
PID 2668 wrote to memory of 2736	2668	d864a0ac635e811332124e1df1458257.exe	28
PID 2736 wrote to memory of 2704	2736	cmd.exe	30
PID 2736 wrote to memory of 2704	2736	cmd.exe	30
PID 2736 wrote to memory of 2704	2736	cmd.exe	30
PID 2736 wrote to memory of 2704	2736	cmd.exe	30
PID 2736 wrote to memory of 2836	2736	cmd.exe	31
PID 2736 wrote to memory of 2836	2736	cmd.exe	31
PID 2736 wrote to memory of 2836	2736	cmd.exe	31
PID 2736 wrote to memory of 2836	2736	cmd.exe	31
PID 2736 wrote to memory of 2664	2736	cmd.exe	35
PID 2736 wrote to memory of 2664	2736	cmd.exe	35
PID 2736 wrote to memory of 2664	2736	cmd.exe	35
PID 2736 wrote to memory of 2664	2736	cmd.exe	35
PID 2736 wrote to memory of 1520	2736	cmd.exe	32
PID 2736 wrote to memory of 1520	2736	cmd.exe	32
PID 2736 wrote to memory of 1520	2736	cmd.exe	32
PID 2736 wrote to memory of 1520	2736	cmd.exe	32
PID 2736 wrote to memory of 2564	2736	cmd.exe	34
PID 2736 wrote to memory of 2564	2736	cmd.exe	34
PID 2736 wrote to memory of 2564	2736	cmd.exe	34
PID 2736 wrote to memory of 2564	2736	cmd.exe	34
PID 2932 wrote to memory of 1992	2932	rutserv.exe	37
PID 2932 wrote to memory of 1992	2932	rutserv.exe	37
PID 2932 wrote to memory of 1992	2932	rutserv.exe	37
PID 2932 wrote to memory of 1992	2932	rutserv.exe	37
PID 2932 wrote to memory of 1936	2932	rutserv.exe	36
PID 2932 wrote to memory of 1936	2932	rutserv.exe	36
PID 2932 wrote to memory of 1936	2932	rutserv.exe	36
PID 2932 wrote to memory of 1936	2932	rutserv.exe	36
PID 1936 wrote to memory of 1656	1936	rfusclient.exe	38
PID 1936 wrote to memory of 1656	1936	rfusclient.exe	38
PID 1936 wrote to memory of 1656	1936	rfusclient.exe	38
PID 1936 wrote to memory of 1656	1936	rfusclient.exe	38

C:\Users\Admin\AppData\Local\Temp\d864a0ac635e811332124e1df1458257.exe
"C:\Users\Admin\AppData\Local\Temp\d864a0ac635e811332124e1df1458257.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3340.tmp\1213.bat" "
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /silentinstall
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "settings.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1520
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /start
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /firewall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2664

C:\Windows\SysWOW64\rutserv.exe
C:\Windows\SysWOW64\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\rfusclient.exe
  C:\Windows\SysWOW64\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\rfusclient.exe
    C:\Windows\SysWOW64\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1656
- C:\Windows\SysWOW64\rfusclient.exe
  C:\Windows\SysWOW64\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3340.tmp\1213.bat

Filesize
1KB

MD5
a1b4263a202c77f63141c716e836a4ab

SHA1
f3859ca14556b04192ed95ff0d9876500a9ab52d

SHA256
3c85a85ca0516b3763fa370e8347da94b65b047d194847756879c8f482d78231

SHA512
64498944db72ca33ff2877d60f375e67f42fc5c9624a2b7617fe5b5776db06c66f4af3763b6bb2e3b6c654a1b148494e7397286e5d69f76aaa35e3abdfbf41bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3340.tmp\RIPCServer.dll

Filesize
144KB

MD5
30e269f850baf6ca25187815912e21c5

SHA1
eb160de97d12b4e96f350dd0d0126d41d658afb3

SHA256
379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

SHA512
9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3340.tmp\RWLN.dll

Filesize
357KB

MD5
bb1f3e716d12734d1d2d9219a3979a62

SHA1
0ef66eed2f2ae45ec2d478902833b830334109cb

SHA256
d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

SHA512
bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3340.tmp\dsfVorbisDecoder.dll

Filesize
234KB

MD5
8e3f59b8c9dfc933fca30edefeb76186

SHA1
37a78089d5936d1bc3b60915971604c611a94dbd

SHA256
528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

SHA512
3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3340.tmp\rfusclient.exe

Filesize
2.5MB

MD5
a2a25244fb8d29ed9fe2e3b4f4cd83b3

SHA1
6589952c4473f690f64eb4a34ad3ae9ce910a5b0

SHA256
7cff408d051eac72870637b8906cab0d26a353ddbc43bc2e3375401e1616a0c3

SHA512
b4fcdeaa6a69638167ed4e634f6ddb36fd23e9c9e3f6ab1d61009d90a57c139b8adb723f34835e4b06c853ffa5cb13d814e64881a0492aa0b0675ea58f25d441

Download Submit
C:\Users\Admin\AppData\Local\Temp\3340.tmp\rutserv.exe

Filesize
3.0MB

MD5
b60933db4ab36414b960b60003fb7771

SHA1
529ae1dd9f3c095c1d91ba900ab27bc788334234

SHA256
11359bdd5effebeca4e80187c5b3dab656a411f68c23d40884f169a5b95ba43a

SHA512
2c894faebf5655b7fbc27ae0c6483f3e6f5b46675eec40ad1d24f2237f04479c895cbc296326f1ec293df889c385728d36ab82cb5c9ef80e231050c99e3e75d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3340.tmp\settings.reg

Filesize
22KB

MD5
f70d5b1d76e8bd8aebcb4f5082c0f909

SHA1
6ab4bbf4e87c994b192282ae79136ba55d4cc82f

SHA256
e6302eed15fb6ac7e71382e298c7e15e20195874a5dfa2f5075f85ac72963f38

SHA512
c15e341f25cc282b15dd889e5c29db45d224f81716342786f673b7a5739866dcf203f9aceb7329ba045fda4428330dac9d084bad58c0eea20729213dedbe41b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3340.tmp\vp8decoder.dll

Filesize
403KB

MD5
6f6bfe02e84a595a56b456f72debd4ee

SHA1
90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2

SHA256
5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51

SHA512
ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\3340.tmp\vp8encoder.dll

Filesize
685KB

MD5
c638bca1a67911af7f9ed67e7b501154

SHA1
0fd74d2f1bd78f678b897a776d8bce36742c39b7

SHA256
519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8

SHA512
ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
2.4MB

MD5
b14977abc462f1219dff95d644350af7

SHA1
df36a91b18420ffb45c3b045333a01acf677bf5b

SHA256
7df5a95ec3a2d87ca66ed19a864faeed05755738430025964403c476d03e6ec8

SHA512
38944b1e4204e6e074d8b6d3db314688b9694c0ad4aed59b9e1e72ff4105bd59d269b568c4bf153c0aef9f110aa253ab6cf214647b4701ada9680916972bbc47

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
2.4MB

MD5
ea8f90b09f8e3b91c55a710ff0596b6d

SHA1
c108bbf0a6b8601bad35f0d430a6b74372e6c039

SHA256
db19be72d32c6c1c803eb590fe68001a3b2d89c8b417f7c2c7a9893e6157811c

SHA512
cc50fec14b82104cc4c5aa75d13195f0efda69bae1a15dbee6a10f1c970ca5aa35e06f3777db097f1469ea7f46767e6283aecaef1324422b1a1edf731807957f

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
1.4MB

MD5
a2540230187f9b5ac5b4fcf04af58199

SHA1
5fd183818da2c35a8414b71f5e0556292ae70b26

SHA256
aeb006f2735d0a316af9062c4cb5c2b16e587c6d75ba8ee9aa341d5c4b36ab37

SHA512
78351a10569ede70b192d1423bf1f8587e980fffa844c70a42372a806725fcf573a7d824e450ad7f90769910f320ec85c4242edbeeb7a15fedfc0590fbcf2614

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
92KB

MD5
fbf52410a768051999724c5958c001e9

SHA1
8509eb24d66ecbd70ce7516384ff8e75e1b36d19

SHA256
a29de4d482d140ec517cedd14ac115f2002db569b2aa595ad262bf9346b0ddea

SHA512
8a175b677ff79eae2ea7988050fc504ce1d635ef6f68a1aab1255d2d869d805fe90d12cf21239ef9ed21a1e8c49dbd749008a3fa8627a3b2a5f8a061c2a9dfd2

Download Submit
\Windows\SysWOW64\rutserv.exe

Filesize
2.4MB

MD5
1f7f1664ade2f17d8f4b1d0d13a3c69f

SHA1
78e8493bde40e36dace03e16a950a1ac33063cb7

SHA256
440ec6fc11e85aa387c2c3d6271102b9133d5a2b29bf13848e0b99ca26723a87

SHA512
0e73fe69dcd25062355ae97208de2d0b6e98fd1649e299bc48d7094ef3cba8af5dd033982bd92e37adee0bfd8e15a476e45a27ae2fdde5bdd7018e4d849c68c8

Download Submit
\Windows\SysWOW64\rutserv.exe

Filesize
1.9MB

MD5
656ea98097892583effda22e7c3abbf7

SHA1
a0a3be6b1ee2d54e1fff3196e80609c3a06243d9

SHA256
b5aece0640551195ebeaf4cc662cca0477800e770ecaa49e06ad1970892dada3

SHA512
102e12c78f3f2e44883c18015f1f45f6762b6fb5da60f0604c8d03e7794adbf701d4d78c84810360fcf908e111d8a17cb6bbe1d491191d9069815ddee10b0da7

Download Submit
\Windows\SysWOW64\rutserv.exe

Filesize
381KB

MD5
f65821343b067e427c06e5b099bc0d4d

SHA1
00c55a877f85f0d17655d5e933d85c798bbbce90

SHA256
8056e00ee570dd0818b73224d81c0bd5f75cc9c78eadc0624d10a6b4192a8dec

SHA512
365e3b6ac4557aaece0b485ff56d84cee37da8db002987a6afd73a38b376fc9a2887e4c2cdaaa0a0f1ae3442d863fef281788d676ca43c559ae60dc49d891df4

Download Submit
memory/1656-87-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1656-88-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1936-90-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1936-83-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1936-96-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1992-120-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1992-91-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1992-84-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1992-95-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1992-98-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1992-101-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2564-82-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2564-70-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2664-63-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-64-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2836-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2836-58-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2932-113-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2932-99-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2932-89-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2932-106-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2932-109-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2932-72-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2932-117-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2932-92-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2932-121-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2932-128-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2932-135-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2932-138-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download