Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2024 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    8.3MB

  • MD5

    73f351beae5c881fafe36f42cde9a47c

  • SHA1

    dc1425cfd5569bd59f5d56432df875b59da9300b

  • SHA256

    a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

  • SHA512

    f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

  • SSDEEP

    196608:PdQ5Lq4eAGPJgBDpKLtW0tzHlYd3cvF8m9k/RRZpAp2FG0c+imhtO:P2VqyC8mQ0vxN79kpR40cUO

Score
10/10
rmsdiscoveryrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 53 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3748
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:440
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
        3⤵
          PID:1408
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 8BC9CD38A5E14B2727ACE1DF59DA1467
        2⤵
        • Loads dropped DLL
        PID:944
      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2016
      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1472
      • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
        "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2812
    • C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
        "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
        2⤵
        • Executes dropped EXE
        PID:4264
      • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
        "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4296
        • C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
          "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: SetClipboardViewer
          PID:1768

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
      Filesize

      92KB

      MD5

      d613e46000457dc9c9ecc89054e02a64

      SHA1

      24e8aa691f3ce0a5a9fececc75867c82ed218948

      SHA256

      1cc71a4353ec45f1db9159d0aa9a3451afa2b7d10060cdb13b61d066ba941c38

      SHA512

      2080d4d81b320e99094ee2ad5987b2c2f1c3d5d5245699e62789cd1eabcf667b7efa57cf89337f34c586aa188adc22ab4f5dff16f667a1795b97c0d9bb109309

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
      Filesize

      381KB

      MD5

      54c9672457bc53a01537fb3c11ab2bb9

      SHA1

      b613273f49bf8707f503f507632e030127829192

      SHA256

      77933c96cac495f662a0c391135da3eff1f9c38231d8f260d3a0da346106645d

      SHA512

      b0ea9f0ce5b2d4b9170f01daec5341b242f865466822108b15916684afb4e453c61328caf69d64c1d6fdb66a4123600418760b2c12253aa1a3a6926eed5ee5d8

      Download Submit

    • C:\Windows\Installer\e575767.msi
      Filesize

      92KB

      MD5

      b32fdbab0310b5f9df4b5684f1869d5c

      SHA1

      291dc93b26430eb9560eb5be8d6d149e64171e17

      SHA256

      d6a0b0bd6846528ca3f3d505727b1eef8cd69062237b8b34378db8e1c7ece1e0

      SHA512

      e804cea0de422ca6268842eeba87cc22a6b26feafe89ae34bc8bc1f5f82f69883ed99ecf435690d5a68a41281491b58f39c226a6df0cbba7f9634d462cdc3049

      Download Submit

    • memory/1472-138-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/1472-117-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1768-145-0x0000000000400000-0x00000000009A8000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1768-144-0x0000000002770000-0x0000000002771000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2016-105-0x0000000002760000-0x0000000002761000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2016-106-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/2812-102-0x00000000028B0000-0x00000000028B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2812-103-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3748-123-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3748-14-0x0000000002840000-0x0000000002841000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4224-156-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/4224-160-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/4224-199-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/4224-195-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/4224-188-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/4224-146-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/4224-181-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/4224-149-0x0000000000C60000-0x0000000000C61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4224-124-0x0000000000C60000-0x0000000000C61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4224-174-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/4224-170-0x0000000000400000-0x0000000000AA3000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/4264-176-0x0000000000400000-0x00000000009A8000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4264-162-0x0000000000400000-0x00000000009A8000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4264-158-0x0000000000400000-0x00000000009A8000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4264-140-0x0000000002520000-0x0000000002521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4264-155-0x0000000002520000-0x0000000002521000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4264-153-0x0000000000400000-0x00000000009A8000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4264-148-0x0000000000400000-0x00000000009A8000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4296-150-0x0000000000B60000-0x0000000000B61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4296-147-0x0000000000400000-0x00000000009A8000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4296-139-0x0000000000B60000-0x0000000000B61000-memory.dmp

      Filesize

      4KB

      Download