rms | cc9198700821977a72f3cf3a1ff22f75044202dbfa560669a70986dc5fb99f36

Analysis

max time kernel
0s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1146874becb449c9ff62ee9d013c36cc.exe
Size

4.4MB
MD5

1146874becb449c9ff62ee9d013c36cc
SHA1

fc9dc8bb69b0903ce9ebdc1d48d04ebc351b47f3
SHA256

cc9198700821977a72f3cf3a1ff22f75044202dbfa560669a70986dc5fb99f36
SHA512

96c9d7c28568390d1af915d0c2a37558dc9b8441e6d663c7b4766b9b60197d6d3339b79497d000bec1259c4a05377f4e30268ed491e92949dc0db3781b373b20
SSDEEP

98304:J738/JMxiHed8+il7Sem/x5MO1+/pY0g/W23WjXfqd1e3vGO/D:J7EOG+il7Sem/UxhEe2oXfqze3e6

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2808	timeout.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
2228	taskkill.exe
1972	taskkill.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid	Process
1592	regedit.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1146874becb449c9ff62ee9d013c36cc.exe

description	pid	Process	procid_target
PID 2344 wrote to memory of 2776	2344	1146874becb449c9ff62ee9d013c36cc.exe	32
PID 2344 wrote to memory of 2776	2344	1146874becb449c9ff62ee9d013c36cc.exe	32
PID 2344 wrote to memory of 2776	2344	1146874becb449c9ff62ee9d013c36cc.exe	32
PID 2344 wrote to memory of 2776	2344	1146874becb449c9ff62ee9d013c36cc.exe	32

C:\Users\Admin\AppData\Local\Temp\1146874becb449c9ff62ee9d013c36cc.exe
"C:\Users\Admin\AppData\Local\Temp\1146874becb449c9ff62ee9d013c36cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.vbs"
  2⤵
  PID:2776

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"
1⤵
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\System\install.bat" "
  2⤵
  PID:2512
- - C:\Program Files (x86)\System\rutserv.exe
    rutserv.exe /start
    3⤵
    PID:1356
- - C:\Program Files (x86)\System\rutserv.exe
    rutserv.exe /firewall
    3⤵
    PID:1568
- - C:\Program Files (x86)\System\rutserv.exe
    rutserv.exe /silentinstall
    3⤵
    PID:2548

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
1⤵
- Kills process with taskkill
PID:2228

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
1⤵
PID:1644

C:\Windows\SysWOW64\timeout.exe
timeout 2
1⤵
- Delays execution with timeout.exe
PID:2808

C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
1⤵
- Runs .reg file with regedit
PID:1592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
1⤵
- Kills process with taskkill
PID:1972

C:\Users\Admin\AppData\Local\Temp\RarSFX1\proxy.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\proxy.exe"
1⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\RarSFX0\proxy.sfx.exe
proxy.sfx.exe -pschool
1⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
1⤵
PID:2060

C:\Program Files (x86)\System\rfusclient.exe
"C:\Program Files (x86)\System\rfusclient.exe" /tray
1⤵
PID:1932

C:\Program Files (x86)\System\rfusclient.exe
"C:\Program Files (x86)\System\rfusclient.exe"
1⤵
PID:1348
- C:\Program Files (x86)\System\rfusclient.exe
  "C:\Program Files (x86)\System\rfusclient.exe" /tray
  2⤵
  PID:816

C:\Program Files (x86)\System\rutserv.exe
"C:\Program Files (x86)\System\rutserv.exe"
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-117-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/816-111-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/816-116-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/816-110-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/816-115-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/816-113-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/816-112-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/816-114-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1348-125-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1348-91-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1348-119-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1348-99-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1348-104-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1348-102-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1348-94-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1348-97-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1356-93-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1356-73-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1356-69-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1356-70-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1356-68-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1356-71-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1356-72-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1356-74-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1396-121-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1396-122-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-76-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-149-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-78-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-145-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-82-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1396-81-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-79-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-77-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-142-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-135-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-80-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-96-0x00000000034A0000-0x0000000003A56000-memory.dmp

Filesize
5.7MB

Download
memory/1396-128-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-118-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1396-90-0x00000000034A0000-0x0000000003A56000-memory.dmp

Filesize
5.7MB

Download
memory/1568-66-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1568-63-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1568-60-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1568-59-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1568-65-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1568-62-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1568-61-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1568-64-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1932-130-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1932-101-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1932-103-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1932-92-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1932-120-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1932-95-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1932-144-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1932-100-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1932-105-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1932-126-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1932-137-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1932-124-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2512-49-0x0000000002350000-0x0000000002A09000-memory.dmp

Filesize
6.7MB

Download
memory/2548-52-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2548-54-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2548-55-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2548-53-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2548-57-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2548-50-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2548-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2548-51-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download