rms | 59cfae756c39c85f53ad789d87b95e93e7839fb182f2c598c9d75a04a4c0dd62

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a058405d1e54704810b93f01742063bc.exe
Size

6.0MB
MD5

a058405d1e54704810b93f01742063bc
SHA1

dc9bcb107e6031b7e0f940d559e7e15e5e603517
SHA256

59cfae756c39c85f53ad789d87b95e93e7839fb182f2c598c9d75a04a4c0dd62
SHA512

71dd4c17baf009d6e696428c320cc0244cb953f42b00decc5f8a7972a61cfe2b3a7c6ebd57543a5a705668e5431697084963ed384bb59b1c1d09484c43c75f81
SSDEEP

98304:m20vX70nfFXtejsaxfBM8JStpRvVnjt6fqSp8vE39svDK5ExEA2:paX7u3ejsaVCY0pR9nj0fucsmXA2

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Suspicious use of SetThreadContext 1 IoCs

Processes:

a058405d1e54704810b93f01742063bc.exe

description	pid	Process	procid_target
PID 3952 set thread context of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a058405d1e54704810b93f01742063bc.exe

pid	Process
4872	a058405d1e54704810b93f01742063bc.exe
4872	a058405d1e54704810b93f01742063bc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a058405d1e54704810b93f01742063bc.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	4872	a058405d1e54704810b93f01742063bc.exe
Token: SeTcbPrivilege	4872	a058405d1e54704810b93f01742063bc.exe
Token: SeTcbPrivilege	4872	a058405d1e54704810b93f01742063bc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a058405d1e54704810b93f01742063bc.exea058405d1e54704810b93f01742063bc.exe

pid	Process
3952	a058405d1e54704810b93f01742063bc.exe
4872	a058405d1e54704810b93f01742063bc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a058405d1e54704810b93f01742063bc.exe

description	pid	Process	procid_target
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82
PID 3952 wrote to memory of 4872	3952	a058405d1e54704810b93f01742063bc.exe	82

C:\Users\Admin\AppData\Local\Temp\a058405d1e54704810b93f01742063bc.exe
"C:\Users\Admin\AppData\Local\Temp\a058405d1e54704810b93f01742063bc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\a058405d1e54704810b93f01742063bc.exe
  "C:\Users\Admin\AppData\Local\Temp\a058405d1e54704810b93f01742063bc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4872-2-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-3-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-4-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-5-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-6-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/4872-7-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-8-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-9-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-10-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-11-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-12-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-13-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-14-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-16-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-18-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-20-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-19-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-22-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-21-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-24-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-25-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-23-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-27-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-28-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-29-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-30-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-31-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-32-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-33-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-34-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-35-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-37-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-42-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/4872-44-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-47-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-56-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/4872-63-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download