Overview

overview

10

Static

static

10

sss/Install/Del3.bat

windows7-x64

1

sss/Install/Del3.bat

windows10-2004-x64

1

sss/Instal...te.bat

windows7-x64

1

sss/Instal...te.bat

windows10-2004-x64

1

sss/Install/del.bat

windows7-x64

1

sss/Install/del.bat

windows10-2004-x64

1

sss/Install/smss.exe

windows7-x64

10

sss/Install/smss.exe

windows10-2004-x64

10

sss/RDPWinst.exe

windows7-x64

1

sss/RDPWinst.exe

windows10-2004-x64

1

sss/ReaIte...st.exe

windows7-x64

10

sss/ReaIte...st.exe

windows10-2004-x64

10

sss/ReaIte...tw.exe

windows7-x64

9

sss/ReaIte...tw.exe

windows10-2004-x64

9

sss/Window...rv.exe

windows7-x64

10

sss/Window...rv.exe

windows10-2004-x64

10

sss/Window...MD.exe

windows7-x64

1

sss/Window...MD.exe

windows10-2004-x64

1

sss/Window...le.exe

windows7-x64

1

sss/Window...le.exe

windows10-2004-x64

1

sss/Window...st.exe

windows7-x64

1

sss/Window...st.exe

windows10-2004-x64

1

sss/Window...64.sys

windows7-x64

1

sss/Window...64.sys

windows10-2004-x64

1

sss/Window...dg.exe

windows7-x64

9

sss/Window...dg.exe

windows10-2004-x64

9

sss/Window...on.bat

windows7-x64

1

sss/Window...on.bat

windows10-2004-x64

1

Analysis

  • max time kernel
    1042s
  • max time network
    1054s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    30-03-2024 23:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sss/Windows Tasks Service/winserv.exe

  • Size

    10.2MB

  • MD5

    3f4f5a6cb95047fea6102bd7d2226aa9

  • SHA1

    fc09dd898b6e7ff546e4a7517a715928fbafc297

  • SHA256

    99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98

  • SHA512

    de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688

  • SSDEEP

    196608:iz+UZcWP4jBrfWgEgIV8Rzy7Vj4FZvEo:i6UZcWWeVj4FZ

Score
10/10
rmsrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sss\Windows Tasks Service\winserv.exe
    "C:\Users\Admin\AppData\Local\Temp\sss\Windows Tasks Service\winserv.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\sss\Windows Tasks Service\winserv.exe
      "C:\Users\Admin\AppData\Local\Temp\sss\Windows Tasks Service\winserv.exe" -second
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3044
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\JoinSuspend.gif
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1572

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7d12ce40e00fb6ed12bf40beea46a163

    SHA1

    dfb998c699f24187e990da444f9864ac2cd834f8

    SHA256

    9ff2824e7ed029a42fd0fc381785aff643507d6f572b0ec283b97ebac0d480d1

    SHA512

    f4e444ca1cb0ed0028a8fb9578e45f49bbc3ed9bfa95769a33a704edb66aded0fadfa87fe9e80b6f36ebe749e1b8ea42125dab78a4996ce9dac721c0fbef659d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    4da0c10c720c05b5bc8f75f8541632c6

    SHA1

    c719be385ca95269997592502227cec67308f365

    SHA256

    a3f2e610f91e3c0455136e5e013a89d16855fba97ee3210f1d2100296bcef60b

    SHA512

    98d22bb7898769bc202849092e85ee475b7cf07315aff3c5f4ef6dbcc81d50a2050cc81d6f12aa5527f03b68f8653da299f6461213c076e5691a0d1e6c8fcf71

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7925d035b0605544d2bb4945af85b1f7

    SHA1

    2e821bfcd4e550298f6bc78493a09127adaa167c

    SHA256

    a36b54ed29a12c782bdb01f540578da81fdc70e7a3e8a94d99323640c0df5207

    SHA512

    dbade9c9001922607925137a583cd0e6ab4e8b1b0548dee0468e64a9e317df8d55da9f4d48c1db7b71b9539ed81fb9939aeec8d9bacff7fe76160ac17b259457

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7e3c937526e235a06fefb7019552460b

    SHA1

    bdefe69c8f9ee9d9de9a55b96c601bc3851ff99e

    SHA256

    9bc7dd793dc766732096b19bd88f3d8ecbb6d3cf1f04451d829161e022abb21b

    SHA512

    0f6d2f372b6d2b6ced10b704988955078cdcf786e0d7bd87faaae050dc14e9562e40d109e9955b1046ffef5bf1c3a66a7ca3c80d1c746bc8d13fd9d29072855d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2cb5a4b23094385fc16880c43fe97dad

    SHA1

    7d14a1d4a00bb95f5e80ef6c8ccf938c987cac58

    SHA256

    1b2f4c2b4e0b27f025da0a2d4a40f63b61dec3cafd7026099f7dcd7792b783bb

    SHA512

    db24d0a9d7e8dd6cfefc89f15b0129c2ccbbcdf0284ed2e0717ba7f583c78bea6eec6a676f4653abc180eaf5eabf412bb27f4c8a2ce21f416b2fae7d0d8312ae

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8e5c6947fed371fb450beeb9dd38607d

    SHA1

    be83983e504a09bcdf6c6220dcaad8a5d8749992

    SHA256

    fb7cc2dd8a8628f7dafb49549e40aba5b91827d92c6c30582dffdb0ff52cefd1

    SHA512

    2e8b0975fa1ab5dfb3046ee7ff93a59804d84333418a86a297b634e6411cedbf1999a87f162062ad5c29fa699820d61bba22187dbb600180f52baf6b83c333fe

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    974e0896c1d02ac8e2e4cde15f7f3e98

    SHA1

    f50e89a3e46424e2c298b220bd0f833c7e41418e

    SHA256

    6df8417a9d7bb987ffe27e81650f81b49a1f41fe506ccb15a1b2f428a8ef8af0

    SHA512

    c3249e5290cf4b0f9ae22f917113716ddb20d7a96effa9cccc6c824305be1830e23ba2a2173037a12bb8c41d9584c31f48bf431a69e67894ae33c09f5fb5488e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0373efc54548885ec85ba7c0e3da78c4

    SHA1

    e9ec16edd10ddd6cf671a035f73cbce89efe839f

    SHA256

    ab5e8628776e1e65cb23cc812e29950a3f49d09af8c4998807ad704ed11ececc

    SHA512

    789e26dd210e257aec79369130e88bb772dfe6563e34605800d47aa21a19daf03ca92e26aca53239707f4039c2fe5f7c6a582d292eda174965447b2698b17bcb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    de66ad6ef09e048cb56b875e4cefd74c

    SHA1

    ac2fea3c5de7299c017227a35f78846fd057fc50

    SHA256

    aff19a6eec5c170a3545053dc0fe6207d4e71249e49fccf51015ee9ebd1bec82

    SHA512

    1fd38dc9e73e59417843fc369551001a7b0da86678c617f875ae659fe39de95b4b9d8ac6b08b8d38c252e058d4e5d3906d37426b08f4531b14948f47bce1c4ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabEB4C.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarEC2D.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit

  • memory/2480-0-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2480-4-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2480-3-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2480-2-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2480-1-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-12-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-32-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-24-0x00000000058E0000-0x00000000058E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-21-0x0000000005930000-0x0000000005931000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-20-0x0000000005890000-0x0000000005891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-19-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-18-0x00000000050E0000-0x00000000050E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-17-0x0000000005270000-0x0000000005271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-16-0x0000000005110000-0x0000000005111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-15-0x00000000050F0000-0x00000000050F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-29-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-30-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-31-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-25-0x0000000005C20000-0x0000000005C21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-26-0x0000000005D60000-0x0000000005D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-28-0x0000000005E60000-0x0000000005E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-27-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-23-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-22-0x0000000005840000-0x0000000005841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-13-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-11-0x0000000004620000-0x0000000004621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-10-0x00000000003C0000-0x00000000003C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-9-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-8-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-6-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-5-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3044-527-0x0000000000400000-0x0000000000E31000-memory.dmp

    Filesize

    10.2MB

    Download