rms | b9919c0c512281f0af99d6dc34bf55d6d6e6faab040e5db2b0dcc0702b0f7b3b

Analysis

max time kernel
24s
max time network
163s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-01-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
Size

6.2MB
MD5

c92c59fa1503d65d1d67a578928e3c55
SHA1

0cb1106bde45dd5be118bb7b9ebb2be3e41b7203
SHA256

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50
SHA512

1f8c714bfc23bd642ec6f4e5539ac1585e0cd8a54ba2b72ff06d7b4f0dd94589a8e6ab41b689f11f51425067784e071eeffc7e803470d55793492d38f6d11241
SSDEEP

196608:CIgAn6JaxBEvXUJyXEJDNfZJoExr77dZWoNMUyr:SA6YxBYXY+sJokFZWdUy

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Processes:

netsh.exe

pid	Process
856	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winserv.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 2 IoCs

Processes:

winserv.exewinserv.exe

pid	Process
2588	winserv.exe
1680	winserv.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2832	schtasks.exe
2724	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2996	timeout.exe

NTFS ADS 2 IoCs

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exewinserv.exe

pid	Process
1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
2588	winserv.exe
2588	winserv.exe
2588	winserv.exe
2588	winserv.exe
2588	winserv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

winserv.exe

description	pid	Process
Token: SeDebugPrivilege	2588	winserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

winserv.exe

pid	Process
2588	winserv.exe
2588	winserv.exe
2588	winserv.exe
2588	winserv.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

description	pid	Process	procid_target
PID 1340 wrote to memory of 2724	1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	28
PID 1340 wrote to memory of 2724	1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	28
PID 1340 wrote to memory of 2724	1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	28
PID 1340 wrote to memory of 2832	1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	30
PID 1340 wrote to memory of 2832	1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	30
PID 1340 wrote to memory of 2832	1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	30
PID 1340 wrote to memory of 2588	1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	33
PID 1340 wrote to memory of 2588	1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	33
PID 1340 wrote to memory of 2588	1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	33
PID 1340 wrote to memory of 2588	1340	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
"C:\Users\Admin\AppData\Local\Temp\4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2724
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2832
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2588
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    - Executes dropped EXE
    PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  PID:868
- - C:\Windows\system32\net.exe
    net user John 12345 /add
    3⤵
    PID:472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user John 12345 /add
      4⤵
      PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  PID:1624
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного управления" john /add" John /add
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  PID:1040
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  PID:1844
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    PID:856
- C:\Windows\system32\cmd.exe
  cmd /c C:\Programdata\Install\del.bat
  2⤵
  PID:1584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
1⤵
PID:1904

C:\Windows\system32\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
1⤵
PID:1968
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  PID:2356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
1⤵
PID:2340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
1⤵
PID:2324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
1⤵
PID:2096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
1⤵
PID:1724

C:\Windows\system32\net.exe
net localgroup "Remote Desktop Users" john /add
1⤵
PID:2420

C:\Windows\system32\net.exe
net localgroup "Administradores" John /add
1⤵
PID:1956

C:\Windows\system32\net.exe
net localgroup "Administrators" John /add
1⤵
PID:1088

C:\Windows\system32\net.exe
net localgroup "Администраторы" John /add
1⤵
PID:2368

C:\Windows\system32\taskeng.exe
taskeng.exe {7B3BF69D-24B5-4468-AFA1-676055D3C698} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
1⤵
PID:1028
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  PID:1940
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  2⤵
  PID:2352

C:\Windows\system32\timeout.exe
timeout 5
1⤵
- Delays execution with timeout.exe
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
92KB

MD5
e477ef37a4536ab0f409d18ecf01d670

SHA1
69e63c61ddd60b848a3fbbd3d0257002dbd17e6d

SHA256
149942e778ba20af8b5d6eef7383e51e20814f7325801290ddf2506c704a367d

SHA512
daafd9596d8258c639b8139bb81452388e8b00515c5139fee80df801937eaf7bc5b8cdc1f83832f7a294c6685b7ae701139aa6794068da9249ff7c96477400b4

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1.9MB

MD5
d7d99e409a76b2835f2994879162fdc1

SHA1
5c5f8f453362eec56fe32c1afb7e4b4372a1e124

SHA256
67e1c92aaeed60364c48c05fa0ec11d9765112ff295e95b3bbeb59e3744d33a4

SHA512
b546038b708968e769d27248ac8ede133eb59be2251586d36feb1accbe481d90b436efbd4c1b6cdd57762498f35314a46fe06c701faf4c62674ca02edfc84ba5

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
92KB

MD5
8478c78ac940122365ae6e70bb86e1df

SHA1
93690bf628442429d9b48c1874baedd7b14e5f8a

SHA256
d7c0446af28c1d0df9d9833e36538612f7a2165421f69b45d3020128aa59a3ef

SHA512
c0dd0df337632c24a588515dd4842baf0da63feabee7b21f63b5f8a3a78814561f7236668e067896ffcaaa2a456a0739683acf56c78d5c3a777911adc481deda

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
122KB

MD5
1ddeef7f4426dfc91380e4cdc03b100e

SHA1
ea22306e07d8cf3bc6b0f248db4557cffbfd9514

SHA256
55764d6de97ba96dce098f322ed1b3f910f46b63e33cee3572e9c0d04f18a70b

SHA512
053b0c326308db5068e19eb2a506eebf3e893e26b6e61c16dfa9961ca548658cdb4f8b2d76f81dbd2f2c5134ea28952098077b94ea9dc988a8a2abe85fa02e2b

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA29A.tmp

Filesize
32KB

MD5
8fe278bd8eac660d0161a869da96b8d8

SHA1
eac6f73862d89fc8c49b5331cabe89b6a57019b1

SHA256
e8a6de34603eb9e91ba82f555080758e480ab044ffa9c140028706f916eb2c0a

SHA512
b180b8df22e421493dcc75a2caed123f7c7756295f691579ea5c426c741f80e381b4960b5cbd6b5e87547d75e44ab654d1c4704fe34b4b743a57f334bd05846c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAC4D.tmp

Filesize
92KB

MD5
71e4ce8b3a1b89f335a6936bbdafce4c

SHA1
6e0d450eb5f316a9924b3e58445b26bfb727001e

SHA256
a5edfae1527d0c8d9fe5e7a2c5c21b671e61f9981f3bcf9e8cc9f9bb9f3b44c5

SHA512
b80af88699330e1ff01e409daabdedeef350fe7d192724dfa8622afa71e132076144175f6e097f8136f1bba44c7cb30cfdd0414dbe4e0a4712b3bad7b70aeff7

Download Submit
\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
92KB

MD5
bf462f3614c9b613c6df7f32f376c597

SHA1
7125168fb883f58349579cdc32bf90ba9af7d440

SHA256
2b7ef0a199fdfd1747c1d181ed04febde5222bed7172291ef99dafee4931329a

SHA512
2061540c32de863f7105baa288351ec200d3b6c8da9165b5683ee1021aff7971fa270d3cdd5bb69dd503fd1082480b33f0cf503a6b95f67f5ae6661c0176b438

Download Submit
memory/1680-26-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-43-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/1680-24-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-25-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-76-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-27-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-28-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-29-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-30-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/1680-31-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1680-32-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-33-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1680-34-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/1680-35-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-37-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-39-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1680-40-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-46-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/1680-45-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/1680-44-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/1680-47-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/1680-50-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/1680-48-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/1680-57-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1680-42-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/1680-41-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/1680-38-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/1680-52-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1844-74-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1844-70-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1940-71-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1940-73-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1940-72-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2352-133-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2352-135-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2352-134-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2588-16-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2588-19-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2588-15-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2588-14-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2588-13-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2588-11-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2588-22-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2588-17-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2588-18-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download