rms | 59cfae756c39c85f53ad789d87b95e93e7839fb182f2c598c9d75a04a4c0dd62

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
16-02-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a058405d1e54704810b93f01742063bc.exe
Size

6.0MB
MD5

a058405d1e54704810b93f01742063bc
SHA1

dc9bcb107e6031b7e0f940d559e7e15e5e603517
SHA256

59cfae756c39c85f53ad789d87b95e93e7839fb182f2c598c9d75a04a4c0dd62
SHA512

71dd4c17baf009d6e696428c320cc0244cb953f42b00decc5f8a7972a61cfe2b3a7c6ebd57543a5a705668e5431697084963ed384bb59b1c1d09484c43c75f81
SSDEEP

98304:m20vX70nfFXtejsaxfBM8JStpRvVnjt6fqSp8vE39svDK5ExEA2:paX7u3ejsaVCY0pR9nj0fucsmXA2

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 108 set thread context of 320	108	a058405d1e54704810b93f01742063bc.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
320	a058405d1e54704810b93f01742063bc.exe
320	a058405d1e54704810b93f01742063bc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	320	a058405d1e54704810b93f01742063bc.exe
Token: SeTcbPrivilege	320	a058405d1e54704810b93f01742063bc.exe
Token: SeTcbPrivilege	320	a058405d1e54704810b93f01742063bc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
108	a058405d1e54704810b93f01742063bc.exe
320	a058405d1e54704810b93f01742063bc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28
PID 108 wrote to memory of 320	108	a058405d1e54704810b93f01742063bc.exe	28

C:\Users\Admin\AppData\Local\Temp\a058405d1e54704810b93f01742063bc.exe
"C:\Users\Admin\AppData\Local\Temp\a058405d1e54704810b93f01742063bc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\a058405d1e54704810b93f01742063bc.exe
  "C:\Users\Admin\AppData\Local\Temp\a058405d1e54704810b93f01742063bc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-2-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-4-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-6-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-7-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-8-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-9-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-10-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-11-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-12-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-13-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/320-16-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-17-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-18-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-19-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-20-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/320-21-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-22-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-23-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-24-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-25-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-26-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-28-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-27-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-30-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-32-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-33-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-35-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-34-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-37-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-38-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-36-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-41-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-40-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-43-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-44-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-45-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-46-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-47-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-48-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-49-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-50-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-54-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/320-58-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-59-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-62-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/320-68-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download