rms | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

8.3MB
MD5

73f351beae5c881fafe36f42cde9a47c
SHA1

dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256

a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512

f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66
SSDEEP

196608:PdQ5Lq4eAGPJgBDpKLtW0tzHlYd3cvF8m9k/RRZpAp2FG0c+imhtO:P2VqyC8mQ0vxN79kpR40cUO

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	installer.exe

Executes dropped EXE 8 IoCs

pid	Process
2172	installer.exe
1360	rutserv.exe
224	rutserv.exe
3428	rutserv.exe
2776	rutserv.exe
1172	rfusclient.exe
400	rfusclient.exe
2932	rfusclient.exe

Loads dropped DLL 1 IoCs

pid	Process
4652	MsiExec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
28	3208	msiexec.exe
30	3208	msiexec.exe
32	3208	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57cf89.msi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID59F.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D9E14363-FD66-419D-9DC9-C62471755C9F}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\e57cf85.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID86F.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cf85.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2172	installer.exe
2172	installer.exe
2172	installer.exe
2172	installer.exe
2172	installer.exe
2172	installer.exe
2172	installer.exe
2172	installer.exe
2172	installer.exe
2172	installer.exe
3208	msiexec.exe
3208	msiexec.exe
1360	rutserv.exe
1360	rutserv.exe
1360	rutserv.exe
1360	rutserv.exe
1360	rutserv.exe
1360	rutserv.exe
224	rutserv.exe
224	rutserv.exe
3428	rutserv.exe
3428	rutserv.exe
2776	rutserv.exe
2776	rutserv.exe
2776	rutserv.exe
2776	rutserv.exe
2776	rutserv.exe
2776	rutserv.exe
1172	rfusclient.exe
1172	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2932	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4216	msiexec.exe
Token: SeSecurityPrivilege	3208	msiexec.exe
Token: SeCreateTokenPrivilege	4216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4216	msiexec.exe
Token: SeLockMemoryPrivilege	4216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4216	msiexec.exe
Token: SeMachineAccountPrivilege	4216	msiexec.exe
Token: SeTcbPrivilege	4216	msiexec.exe
Token: SeSecurityPrivilege	4216	msiexec.exe
Token: SeTakeOwnershipPrivilege	4216	msiexec.exe
Token: SeLoadDriverPrivilege	4216	msiexec.exe
Token: SeSystemProfilePrivilege	4216	msiexec.exe
Token: SeSystemtimePrivilege	4216	msiexec.exe
Token: SeProfSingleProcessPrivilege	4216	msiexec.exe
Token: SeIncBasePriorityPrivilege	4216	msiexec.exe
Token: SeCreatePagefilePrivilege	4216	msiexec.exe
Token: SeCreatePermanentPrivilege	4216	msiexec.exe
Token: SeBackupPrivilege	4216	msiexec.exe
Token: SeRestorePrivilege	4216	msiexec.exe
Token: SeShutdownPrivilege	4216	msiexec.exe
Token: SeDebugPrivilege	4216	msiexec.exe
Token: SeAuditPrivilege	4216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4216	msiexec.exe
Token: SeChangeNotifyPrivilege	4216	msiexec.exe
Token: SeRemoteShutdownPrivilege	4216	msiexec.exe
Token: SeUndockPrivilege	4216	msiexec.exe
Token: SeSyncAgentPrivilege	4216	msiexec.exe
Token: SeEnableDelegationPrivilege	4216	msiexec.exe
Token: SeManageVolumePrivilege	4216	msiexec.exe
Token: SeImpersonatePrivilege	4216	msiexec.exe
Token: SeCreateGlobalPrivilege	4216	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe
Token: SeRestorePrivilege	3208	msiexec.exe
Token: SeTakeOwnershipPrivilege	3208	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2172	installer.exe
1360	rutserv.exe
224	rutserv.exe
3428	rutserv.exe
2776	rutserv.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2172	1244	tmp.exe	96
PID 1244 wrote to memory of 2172	1244	tmp.exe	96
PID 1244 wrote to memory of 2172	1244	tmp.exe	96
PID 2172 wrote to memory of 4216	2172	installer.exe	99
PID 2172 wrote to memory of 4216	2172	installer.exe	99
PID 2172 wrote to memory of 4216	2172	installer.exe	99
PID 3208 wrote to memory of 4652	3208	msiexec.exe	102
PID 3208 wrote to memory of 4652	3208	msiexec.exe	102
PID 3208 wrote to memory of 4652	3208	msiexec.exe	102
PID 3208 wrote to memory of 1360	3208	msiexec.exe	103
PID 3208 wrote to memory of 1360	3208	msiexec.exe	103
PID 3208 wrote to memory of 1360	3208	msiexec.exe	103
PID 3208 wrote to memory of 224	3208	msiexec.exe	104
PID 3208 wrote to memory of 224	3208	msiexec.exe	104
PID 3208 wrote to memory of 224	3208	msiexec.exe	104
PID 3208 wrote to memory of 3428	3208	msiexec.exe	105
PID 3208 wrote to memory of 3428	3208	msiexec.exe	105
PID 3208 wrote to memory of 3428	3208	msiexec.exe	105
PID 2776 wrote to memory of 400	2776	rutserv.exe	108
PID 2776 wrote to memory of 400	2776	rutserv.exe	108
PID 2776 wrote to memory of 400	2776	rutserv.exe	108
PID 2776 wrote to memory of 1172	2776	rutserv.exe	107
PID 2776 wrote to memory of 1172	2776	rutserv.exe	107
PID 2776 wrote to memory of 1172	2776	rutserv.exe	107
PID 2172 wrote to memory of 2404	2172	installer.exe	109
PID 2172 wrote to memory of 2404	2172	installer.exe	109
PID 2172 wrote to memory of 2404	2172	installer.exe	109
PID 1172 wrote to memory of 2932	1172	rfusclient.exe	111
PID 1172 wrote to memory of 2932	1172	rfusclient.exe	111
PID 1172 wrote to memory of 2932	1172	rfusclient.exe	111

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
    3⤵
    PID:2404

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 205634C1F12310B8E876948EB616725E
  2⤵
  - Loads dropped DLL
  PID:4652
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1360
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:224
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3428

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2932
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
1⤵
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57cf88.rbs

Filesize
19KB

MD5
e457c396447aa319e95d1f2a13b15c2f

SHA1
e82f4b93e061a9f3889fa9559d076d5c046cfaef

SHA256
3b3ebd8b17bb2cf81a57e944f28b1f6a4e35fec774ac55ef4b2c7cdfc094e563

SHA512
5c792c43cab815ed6175413345af6eaec17ae32dd073d359bae1115f9e9f1054dd60374e2fee71b3f5e6509b1efaf871ab89013b3cce72c94004ccc9f5ae8382

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
43KB

MD5
bc25377ade68750b834c81fa71c233b8

SHA1
84dbb465dd2125f47668e2508e18af9bd6db2fd8

SHA256
9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

SHA512
205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

Filesize
144KB

MD5
2ddfa39f5c2fd3f00681ef2970617e4b

SHA1
8152aa18afbacf398b92168995ec8696d3fe3659

SHA256
f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

SHA512
f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

Filesize
512KB

MD5
9605601926669dbe4b75b14e5adc6295

SHA1
768578eb27c9e2ff15d0a8f5eef741963abd88fc

SHA256
8824bb730d0e264ee256a463430440f4996864c6f275f413470a4feadd9750b3

SHA512
527464b47e22d596aa263257969fbcf7844791f0f1801aa3e400be6d43ac66afbca4b9893d42fc4b4b09561d303fd56d5456006d710018f0f7fd57d87a5bb5c1

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
256KB

MD5
29b2e81229c2245ef4d4a6e413d33745

SHA1
017cb7f2f4704cc9e0f31e1e619b3ebf70e1eba7

SHA256
ca0d1fc869490fecbfcbd099304c2ccd9228baf01f44f9adc9ac366b34d4a1e5

SHA512
4d54f0e813f6c2815eb80ede03785c6ab7c5879a244d54b54d5f88eb2332ce4d59fc73ac32f9a23b64f3606cb82318b8625a2baa3b98778c76bb6c03cded4061

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
31KB

MD5
0d0e164d5ffb273d6263f3e73c447599

SHA1
55359d4b5fee3260cc27409012652021dab45502

SHA256
ee28f3928a2e2c385d4851a391a51d6db0e790fc96d2125b4e20278f340c7988

SHA512
b2365920fc4f001830ed6095f9363f5460bdccf09e5698fbf2d345b26a1e1e0ca9c10e5f45259b04eb5ca00e6f86ed10b86b544ddfa44d823c286ff0a57b95cf

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
5.1MB

MD5
76ebe5fd077a62161d0ab560208b9f94

SHA1
614c218d35ba531f0bad791d52e5dcf57df5c742

SHA256
f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

SHA512
baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
2.2MB

MD5
9f0222125fece61f176a9908b0e679a7

SHA1
1ffb2c781316d51bbbfb0cc5786b1f066d8cfe7c

SHA256
c1631f5f8ff899efd11830ef9b75f99eb4e3904b8d57abc6f3ecb8e666530900

SHA512
78aa40c83b82cb4899c4b2bedb9680f1e51159b8ed1ce257f0467e798f1592bb06c280cc2210356f834e8364482875cc954512825991f445631a8b3939f226bd

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
378KB

MD5
292a1748850d1fdc91d4ec23b02d6902

SHA1
8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d

SHA256
acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f

SHA512
cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
411KB

MD5
e11e9d13a59f1a027ce07a1f2bdd7b46

SHA1
45c5f4e3977396274ef4d126ec54dddf7380e704

SHA256
2f12d3a2b1cc0522edb492f5270f9f046912cba70f67ce235afc11389216fa67

SHA512
32fa13b5209123171750804fecbfcacade88a0c60fb6d44c2ba94d6da61b439eff4e3aa5271a24ece98d63da3d53392211e8b281a7cd55dae726097c5957552f

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

Filesize
258KB

MD5
038bf9f3a58560ad1130eeb85cdc1a87

SHA1
3571eb7293a2a3a5bf6eb21e1569cd151d995d1a

SHA256
d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d

SHA512
8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

Filesize
320KB

MD5
463ef4c54f34546d28632fe542643c7d

SHA1
1b9123a06746ada4df47aa2775bb05c55dae7231

SHA256
318b0ef25836b0ad1b2df61505ef6080e563f713cc8c2e9429b07981a168dd31

SHA512
e6ace5bfa93d3d0c71bbd11421fd512b212be617edd87f95d58356cf104ba8ec35e2bdc7ff6e2b1a5344d2125226d1c946f902e7a4156df5435580784316d954

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

Filesize
256KB

MD5
08c96841f5084e787b15566f30f0f82f

SHA1
467b59227c1200e35ad35e43e4cc94b36b55286b

SHA256
10d06a73a6bdb0ce1b95b2890d0731518f3c19f9c79c1cfb70b913fcff73053b

SHA512
f5047052e1b15cf63385ff6c34d5abf0b0472dc0d104f56357e837d294a329d73eca1e4ecab59c6e0f9b87beec9fca1b620b9efe508e9a4e30dc41b3bcd56c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

Filesize
1.5MB

MD5
158da639c0c326fddb817067f978bc7c

SHA1
2ef40951a31e01bbf66c6c343cea9d2268473cb4

SHA256
fa90914da3860609dca836fd3ad9dcef66302916be4605b202315d46b5e89099

SHA512
2ffe91aada42d319923d99b4900016464c3665cab462c26fb5860083b0949f5748692a310d2b75ccc5c8cc9f06ed0577f0e6fffbfb431f336d5340216b2187cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\killself.bat

Filesize
411B

MD5
c2ac85b000427a4a00f19da237aaaf86

SHA1
459ecb5e64576348e6c654724e87825772c06ea8

SHA256
b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352

SHA512
e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b

Download Submit
C:\Windows\Installer\MSID59F.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\e57cf89.msi

Filesize
7.4MB

MD5
73e578a44265558d3ace212869d43cbb

SHA1
d2c15578def8996ed0ae4a44754055b774b095a7

SHA256
8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

SHA512
fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

Download Submit
C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
memory/224-107-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/224-106-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/400-158-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/400-151-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/400-155-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/400-166-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/400-176-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/400-148-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/400-139-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1172-154-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1172-140-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1172-147-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1360-103-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1360-104-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2172-117-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2172-14-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2172-138-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-156-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-184-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-153-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2776-195-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-149-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-191-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-188-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-159-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-163-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-120-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2776-174-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-144-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-181-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2932-145-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2932-146-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3428-135-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3428-118-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download