rms | 8edbedff95b25d5e437e4ff1ff5197c50ebce68020c9531ccaa09510c6f94a13

Analysis

max time kernel
156s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d864a0ac635e811332124e1df1458257.exe
Size

10.4MB
MD5

d864a0ac635e811332124e1df1458257
SHA1

8d2e8e36ad08c6d7a38fdb3304ce25181586cd5c
SHA256

8edbedff95b25d5e437e4ff1ff5197c50ebce68020c9531ccaa09510c6f94a13
SHA512

f1cf8119708965ecf5052be88732e23031afc47676da3482227ce93b90f06064e363012448fb699ee4fdf1bd8643b3aad647de1b77d36ae0a74c6ff8f5ab0f1b
SSDEEP

196608:xoeZUtx0psIKcQEgNvR5ffalRn2amSNJiWa:xlqSsIiEgNvbfSlB2amSNJir

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	d864a0ac635e811332124e1df1458257.exe

Executes dropped EXE 7 IoCs

pid	Process
4732	rutserv.exe
1508	rutserv.exe
4344	rutserv.exe
4796	rutserv.exe
1444	rfusclient.exe
1844	rfusclient.exe
4664	rfusclient.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dsfVorbisDecoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\rfusclient.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\rfusclient.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.exe	cmd.exe
File created	C:\Windows\SysWOW64\vp8decoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\dsfVorbisDecoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\vp8decoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\RIPCServer.dll	cmd.exe
File created	C:\Windows\SysWOW64\RWLN.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\vp8encoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\RIPCServer.dll	cmd.exe
File created	C:\Windows\SysWOW64\rutserv.exe	cmd.exe
File created	C:\Windows\SysWOW64\vp8encoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
1100	regedit.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4732	rutserv.exe
4732	rutserv.exe
1508	rutserv.exe
1508	rutserv.exe
4344	rutserv.exe
4344	rutserv.exe
4796	rutserv.exe
4796	rutserv.exe
4796	rutserv.exe
4796	rutserv.exe
4796	rutserv.exe
4796	rutserv.exe
1444	rfusclient.exe
1444	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4664	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4732	rutserv.exe
Token: SeDebugPrivilege	4344	rutserv.exe
Token: SeTakeOwnershipPrivilege	4796	rutserv.exe
Token: SeTcbPrivilege	4796	rutserv.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 2632	32	d864a0ac635e811332124e1df1458257.exe	100
PID 32 wrote to memory of 2632	32	d864a0ac635e811332124e1df1458257.exe	100
PID 32 wrote to memory of 2632	32	d864a0ac635e811332124e1df1458257.exe	100
PID 2632 wrote to memory of 4940	2632	cmd.exe	103
PID 2632 wrote to memory of 4940	2632	cmd.exe	103
PID 2632 wrote to memory of 4940	2632	cmd.exe	103
PID 2632 wrote to memory of 4732	2632	cmd.exe	104
PID 2632 wrote to memory of 4732	2632	cmd.exe	104
PID 2632 wrote to memory of 4732	2632	cmd.exe	104
PID 2632 wrote to memory of 1508	2632	cmd.exe	105
PID 2632 wrote to memory of 1508	2632	cmd.exe	105
PID 2632 wrote to memory of 1508	2632	cmd.exe	105
PID 2632 wrote to memory of 1100	2632	cmd.exe	107
PID 2632 wrote to memory of 1100	2632	cmd.exe	107
PID 2632 wrote to memory of 1100	2632	cmd.exe	107
PID 2632 wrote to memory of 4344	2632	cmd.exe	109
PID 2632 wrote to memory of 4344	2632	cmd.exe	109
PID 2632 wrote to memory of 4344	2632	cmd.exe	109
PID 4796 wrote to memory of 1444	4796	rutserv.exe	113
PID 4796 wrote to memory of 1444	4796	rutserv.exe	113
PID 4796 wrote to memory of 1444	4796	rutserv.exe	113
PID 4796 wrote to memory of 1844	4796	rutserv.exe	114
PID 4796 wrote to memory of 1844	4796	rutserv.exe	114
PID 4796 wrote to memory of 1844	4796	rutserv.exe	114
PID 1444 wrote to memory of 4664	1444	rfusclient.exe	120
PID 1444 wrote to memory of 4664	1444	rfusclient.exe	120
PID 1444 wrote to memory of 4664	1444	rfusclient.exe	120

C:\Users\Admin\AppData\Local\Temp\d864a0ac635e811332124e1df1458257.exe
"C:\Users\Admin\AppData\Local\Temp\d864a0ac635e811332124e1df1458257.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:32
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2D64.tmp\1213.bat" "
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /silentinstall
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4732
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /firewall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1508
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "settings.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1100
- - C:\Windows\SysWOW64\rutserv.exe
    "C:\Windows\System32\rutserv.exe" /start
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4344

C:\Windows\SysWOW64\rutserv.exe
C:\Windows\SysWOW64\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\rfusclient.exe
  C:\Windows\SysWOW64\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\rfusclient.exe
    C:\Windows\SysWOW64\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:4664
- C:\Windows\SysWOW64\rfusclient.exe
  C:\Windows\SysWOW64\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2D64.tmp\1213.bat

Filesize
1KB

MD5
a1b4263a202c77f63141c716e836a4ab

SHA1
f3859ca14556b04192ed95ff0d9876500a9ab52d

SHA256
3c85a85ca0516b3763fa370e8347da94b65b047d194847756879c8f482d78231

SHA512
64498944db72ca33ff2877d60f375e67f42fc5c9624a2b7617fe5b5776db06c66f4af3763b6bb2e3b6c654a1b148494e7397286e5d69f76aaa35e3abdfbf41bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D64.tmp\RIPCServer.dll

Filesize
144KB

MD5
30e269f850baf6ca25187815912e21c5

SHA1
eb160de97d12b4e96f350dd0d0126d41d658afb3

SHA256
379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

SHA512
9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D64.tmp\RWLN.dll

Filesize
357KB

MD5
bb1f3e716d12734d1d2d9219a3979a62

SHA1
0ef66eed2f2ae45ec2d478902833b830334109cb

SHA256
d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

SHA512
bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D64.tmp\dsfVorbisDecoder.dll

Filesize
234KB

MD5
8e3f59b8c9dfc933fca30edefeb76186

SHA1
37a78089d5936d1bc3b60915971604c611a94dbd

SHA256
528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

SHA512
3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D64.tmp\rfusclient.exe

Filesize
1.4MB

MD5
8eac1ffa9d50c194293575bd6bbe4724

SHA1
7a6d412c052878c601a03aab9e54db77be1f560a

SHA256
7ff0316b497f2389892de97a7c19173c28e6f5e8450d44f3a11605758ff7c5d9

SHA512
6a37f72118994f417031147a1ca40d292480617435e6737d19849230f2c87c1bec4d3611e83882db40de267dce6bcc00fdddbc8784030067e84718710c2e3962

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D64.tmp\rutserv.exe

Filesize
260KB

MD5
4a4522c07d09bc0bdd5736d8cbbd46ac

SHA1
084fba256ab6b2080f6a2dc6ae36e17ae260123a

SHA256
c552c50ff58ab289bb004c79c7f2d09f975a8d1a9a21e4e9625b68c296ef0bb5

SHA512
5c8e8835765d43c268eac6074a7d9ed5c7bcbaa89be06d72cacba12362253693a709c1618b07a09ec1bf0add8f0ce58f8a6bf7f2f7e6910425132df627ad7f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D64.tmp\settings.reg

Filesize
22KB

MD5
f70d5b1d76e8bd8aebcb4f5082c0f909

SHA1
6ab4bbf4e87c994b192282ae79136ba55d4cc82f

SHA256
e6302eed15fb6ac7e71382e298c7e15e20195874a5dfa2f5075f85ac72963f38

SHA512
c15e341f25cc282b15dd889e5c29db45d224f81716342786f673b7a5739866dcf203f9aceb7329ba045fda4428330dac9d084bad58c0eea20729213dedbe41b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D64.tmp\vp8decoder.dll

Filesize
403KB

MD5
6f6bfe02e84a595a56b456f72debd4ee

SHA1
90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2

SHA256
5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51

SHA512
ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D64.tmp\vp8encoder.dll

Filesize
685KB

MD5
c638bca1a67911af7f9ed67e7b501154

SHA1
0fd74d2f1bd78f678b897a776d8bce36742c39b7

SHA256
519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8

SHA512
ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

Download Submit
C:\Windows\SysWOW64\rfusclient.exe

Filesize
3.9MB

MD5
511ab5d90c2e370a942fc3b9077c38d3

SHA1
a7d4f2dc7ab8ca93a4bec1bac2468166c0ed3f86

SHA256
0f07353d08de0a6265d25b66a273fabeef807f868779ad79559cd17c203e313c

SHA512
82861f55433d9bc6daeb9657c9b8c056fa7cfc7c09bc51d3e4cef7684e3ca4d78036ad1a07ad2336e5e49510bab41fa5a3888dae80ef674a7ff5c16305e240c4

Download Submit
C:\Windows\SysWOW64\rfusclient.exe

Filesize
1.9MB

MD5
fc668605380aa3fcced9f4b8e8e05f59

SHA1
61d113ff14369b84b5ecacf02165ae98bec471bb

SHA256
0500ed1f738018dd6a561d8eb061eb1b00a66723a0a4afcd62b1a787ec0b3fba

SHA512
d86cb492fa3d966083b90b197e9b245c12c32b8eeb5cbab39a4e926f65c03831707c794e05c8631a7dbfdfca42beb6ed7f91130205cce888c04ebf828242fa52

Download Submit
C:\Windows\SysWOW64\rfusclient.exe

Filesize
2.0MB

MD5
1571e62336988019ef19154fc8f44b2a

SHA1
6fef98c2d618e8bb615fd2ba786ba854f7b9bc07

SHA256
3f637ba82022dfc150a2a6f59ae99683a3b4baffc30c5fb57859b59ab057e8fc

SHA512
0d60d2e99bbd43802f46f0c9c21da983defcf4adeab6ddd53e08e3920897e1c4bb9b3bede63b8e335adc046858d2ac39ec506bfbb34070b10e6fab29e36f37c3

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
3.2MB

MD5
79022945b9f0bd39b3d6616924b7647e

SHA1
63ed82edde8258b0cbb6692d5e7555e5495bdd9a

SHA256
0ecbd1ed8c8fcbfd2afbd2503112887e05da99f702aa0d060e5b500eff879659

SHA512
63344e24999a1a08dd8844c372d2879fcccef201287a506d44257ccc766a9ce4f3af43f3187f1aed0da00f4bc433ea4a9dadfa2e558c6048f1ae4e4fdf953b77

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
3.3MB

MD5
291b417db2d0eb90e2eba252632fb933

SHA1
86b1a502b30c58bec7f760744407384100a5a2c1

SHA256
47eab6d282c3dec0413c8550a1852db0a264a44a7e705308267bd078ee1f7a72

SHA512
ac5152baa472df5d2aa4a585f2eeda7288898e9a676d7e4db6c0e65e35d28ddd1d56f97b9bdf14a0f412bdbae3625d11c42b860c1d9cbde1e037f0b018ee01c2

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
3.5MB

MD5
36c4230b0fc43999e97e5084319f225c

SHA1
02ffeb2b21aa1e550279d7bcfbaf7ee531a27f74

SHA256
f2ed06e247f47dc629512fcdd0f7e1dc9a68e52fc87a60b6cc33ec2cdbe34073

SHA512
8cd85597b443d9bd94508f1aaaa35723c217ad9d18321fee711aa018e2d45a3202191bedb00c0caec170f825d534e8f6b04eb4a334dccbbe900289db3fd85e88

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
1.4MB

MD5
65185cfc2bd33065de88de1b372bd48a

SHA1
9bf94155a9ea82c2e55f9da94bbd04a4e57266fb

SHA256
c6ff8729d8e0b4eb57bfded9bfa6b6f99bde4527d4fd5b038dc99d4ef501eb32

SHA512
00448881218df9d582d661b565af948e269a8b9700332b7c85bacf51b2d0d998d58b8a3d3f6fa2ed0398be3b8b85c9ed541efd694f657f47b3d50ef6e52748c1

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
4.7MB

MD5
4b528d3392dbd69301ed25d816baed9f

SHA1
e9d6dc6fd5765e0d177dd990788898b834560fd1

SHA256
7dcf2ff3f5d01c4a0ed4cfef05fbd03f2ccaa794d6330fdb6012696b2ae7dd03

SHA512
f4003e3c5abcc41a294414c6f41db37829b16bc19eb25120fabd68cebfe1318a13147c693f74473baeb49fab9383cd96b84ae99d5bbbcfcdd10b523bd2ce2a05

Download Submit
C:\Windows\SysWOW64\rutserv.exe

Filesize
3.8MB

MD5
b14bfa657e853a9104c4f6c345cba0ac

SHA1
8ce12ba25a6dff85e1b066cd9c3a21de76460615

SHA256
f21f44fe18e844b08291a8398317ee2c453caae8bb89c9fd0108a3cd13c3bce8

SHA512
c289258f95cbc134d82aa80e8e919193828d9b9888cd0188e350be6b361e8c4c8efe8d576819922fc37beab172db6c1a6e832eb0e7989795edba6a1c02708368

Download Submit
memory/1444-71-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1444-63-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1444-80-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1508-49-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/1508-48-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1844-76-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1844-89-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1844-62-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1844-82-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1844-77-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1844-72-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/4344-52-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4344-64-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4664-70-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/4664-69-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4732-46-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4732-44-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/4796-79-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4796-67-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4796-74-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4796-87-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4796-54-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4796-94-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4796-101-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4796-108-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/4796-115-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download