rms | 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
Size

4.0MB
MD5

fb0674fb9aac68ea53ec651f88d182c4
SHA1

841e243b1b5f409fc1c7c8e8cd273b1db405e445
SHA256

3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87
SHA512

c84467779c8c37ff6daf268707e4bdb9b6c1baa0a99cd8771f52d2a5bddbf9ea6f82fa83bf787d42fc41a02366ef08c10be9397c4fcd6ff1f9809df3c771bc12
SSDEEP

98304:C3dlA1MK9St7zGBYFXdou9kN98oVB0iPBziWI:Y6jJYFRaoiZS

Score

10^/10

rms persistence rat trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
files.000webhost.com
Port:
21
Username:
peg-top-hub

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	Lucasrt.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lucasrt.lnk	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe

Executes dropped EXE 2 IoCs

pid	Process
3692	Lucasrt.exe
3920	Lucasrt.exe

Loads dropped DLL 11 IoCs

pid	Process
4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
3692	Lucasrt.exe
3692	Lucasrt.exe
3920	Lucasrt.exe
3920	Lucasrt.exe
4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Lucasrt = "\"C:\\Program Files (x86)\\Lucasrt\\Lucasrt\""	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Lucasrt\Lucasrt.exe	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
File created	C:\Program Files (x86)\Lucasrt\ssleay32.dll	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
File created	C:\Program Files (x86)\Lucasrt\libeay32.dll	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3692	Lucasrt.exe
3692	Lucasrt.exe
3692	Lucasrt.exe
3692	Lucasrt.exe
3692	Lucasrt.exe
3692	Lucasrt.exe
3692	Lucasrt.exe
3692	Lucasrt.exe
3920	Lucasrt.exe
3920	Lucasrt.exe
3920	Lucasrt.exe
3920	Lucasrt.exe
3920	Lucasrt.exe
3920	Lucasrt.exe
3920	Lucasrt.exe
3920	Lucasrt.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	Lucasrt.exe
Token: SeTakeOwnershipPrivilege	3920	Lucasrt.exe
Token: SeTcbPrivilege	3920	Lucasrt.exe
Token: SeTcbPrivilege	3920	Lucasrt.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3692	Lucasrt.exe
3692	Lucasrt.exe
3692	Lucasrt.exe
3692	Lucasrt.exe
3920	Lucasrt.exe
3920	Lucasrt.exe
3920	Lucasrt.exe
3920	Lucasrt.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 3692	4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe	84
PID 4204 wrote to memory of 3692	4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe	84
PID 4204 wrote to memory of 3692	4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe	84
PID 4204 wrote to memory of 2172	4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe	99
PID 4204 wrote to memory of 2172	4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe	99
PID 4204 wrote to memory of 2172	4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe	99
PID 2172 wrote to memory of 5088	2172	cmd.exe	101
PID 2172 wrote to memory of 5088	2172	cmd.exe	101
PID 2172 wrote to memory of 5088	2172	cmd.exe	101
PID 4204 wrote to memory of 3656	4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe	102
PID 4204 wrote to memory of 3656	4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe	102
PID 4204 wrote to memory of 3656	4204	3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe	102
PID 3656 wrote to memory of 3036	3656	cmd.exe	104
PID 3656 wrote to memory of 3036	3656	cmd.exe	104
PID 3656 wrote to memory of 3036	3656	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
"C:\Users\Admin\AppData\Local\Temp\3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Program Files (x86)\Lucasrt\Lucasrt.exe
  "C:\Program Files (x86)\Lucasrt\Lucasrt.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3692
- - C:\Program Files (x86)\Lucasrt\Lucasrt.exe
    "C:\Program Files (x86)\Lucasrt\Lucasrt.exe" -second
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c certutil -f -decodehex C:\Users\Admin\AppData\Local\Temp\ID.txt C:\Users\Admin\AppData\Local\Temp\ID.txt>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\certutil.exe
    certutil -f -decodehex C:\Users\Admin\AppData\Local\Temp\ID.txt C:\Users\Admin\AppData\Local\Temp\ID.txt
    3⤵
    - Manipulates Digital Signatures
    PID:5088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SchTasks /create /f /XML %temp%\LogFile.xml /TN \microsoft\windows\defrag\scheduleddefrag && schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE && schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\schtasks.exe
    SchTasks /create /f /XML C:\Users\Admin\AppData\Local\Temp\LogFile.xml /TN \microsoft\windows\defrag\scheduleddefrag
    3⤵
    - Creates scheduled task(s)
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Lucasrt\Lucasrt.exe

Filesize
11.2MB

MD5
51ffec7d16d89f59784e7cfad795df3c

SHA1
1c0a5ad4fd9c74f829b63e7b8bfe897120d24f00

SHA256
dae52d89f6b61329c806fd90b0e13fc3c3cf2cb5761b50321039b838ac0bc343

SHA512
5936e9d854c070e5d3ff8b31937729574a3d6cf69967558d8e6dc0096c720e44df0d59bf5ab419b73c44909d3e04f9b8da47f64c960ac338ff5e73f8749bba5d

Download Submit
C:\Program Files (x86)\Lucasrt\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Program Files (x86)\Lucasrt\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Users\Admin\AppData\Local\Temp\ID.txt

Filesize
818B

MD5
848c499236ffa20d740b173e146603d7

SHA1
017772b5cb43fb11beebbb143cea5b878f9ecf63

SHA256
1784861dfd67e58fd454b789a1f4b5e7a18b1ef215a3be768f40529a798251e2

SHA512
3d44bc0313dcd67e889e91fd10ff4f6baa7ef9f3ed1df56c5a6b72cc7e4769f1b2882aa4a21af240e7435604fb3a5d1fa63953525505d5e7973391f7b58976af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ID.txt

Filesize
409B

MD5
7f2aa10e1263463c98741016ac78d7f6

SHA1
de6f9d85aff9a7a85afdb6ec0cc46fae4c1d0bec

SHA256
2627fce97173889fcac2efe723d4f2e6cc783a715d73b38af1bce867b33b8989

SHA512
ede1bc77cd7d1354324d9cb164ffe27f1f9ec9dc6666435a09858f018103df9c82b29c90a3223d28a4e3ea354b7cabe114d50e123fce3dab6092f37e1bb3b5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu45A5.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu45A5.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu45A5.tmp\nsExec.dll

Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu45A5.tmp\nsisFirewall.dll

Filesize
8KB

MD5
69f2e8c6fd141e9e720b2c4c366a8154

SHA1
a6279d93a102b6d7608dced32a36ddcd3e51994c

SHA256
2e204ee4f1d12b4ca35c8205cea0cabe354f2e79a471863cfb76a7cee83cf107

SHA512
bf23a5f3ce98e6a1c04fe8ae6b6f385483ceed62470cd109017c97f37c23adbf0203bfb43d09b007c6925aeb5da9617f33bc5c478618f00cc91da83a48cacaf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu45A5.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
memory/3692-16-0x0000000000400000-0x0000000000FE0000-memory.dmp

Filesize
11.9MB

Download
memory/3692-9-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download
memory/3920-20-0x0000000000400000-0x0000000000FE0000-memory.dmp

Filesize
11.9MB

Download
memory/3920-17-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/3920-59-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/3920-60-0x0000000000400000-0x0000000000FE0000-memory.dmp

Filesize
11.9MB

Download
memory/3920-65-0x0000000000400000-0x0000000000FE0000-memory.dmp

Filesize
11.9MB

Download
memory/3920-68-0x0000000000400000-0x0000000000FE0000-memory.dmp

Filesize
11.9MB

Download
memory/3920-69-0x0000000000400000-0x0000000000FE0000-memory.dmp

Filesize
11.9MB

Download
memory/3920-71-0x0000000000400000-0x0000000000FE0000-memory.dmp

Filesize
11.9MB

Download
memory/3920-72-0x0000000000400000-0x0000000000FE0000-memory.dmp

Filesize
11.9MB

Download