Overview

overview

10

Static

static

7

agent.exe

windows7-x64

10

agent.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    agent.exe

  • Size

    9.6MB

  • MD5

    f318f33943ac090b9872a8ac4045bedf

  • SHA1

    974da2c9186ca7534a29c9f907cb910668368e5f

  • SHA256

    75fb9e1511f1005f07cd73c8cc836fcdecc645e4a633c48e7816958e7d792d25

  • SHA512

    3c46bf23c1ed51e5acada3f4abcf26199283b879d9da0b5ca9b7e4813084c048aade6378a0282ae4a3708b9fd5aef1dfddbdba476812a087bcadc455ebfc7bd2

  • SSDEEP

    196608:Ph8kqvWOgbU9z8PQ4EXqWkNGC/TkLZ04CTp2CKoojMHXF7lb5ryP1IPJ8czzT:Ph8/vW49zgQ4E6aykl04CkTMhDa+j

Score
10/10
rmsrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 10 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\agent.exe
    "C:\Users\Admin\AppData\Local\Temp\agent.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\rfusclient.exe
      "C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\rfusclient.exe" -deploy
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rfusclient.exe
        "C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rfusclient.exe" -run_agent
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rutserv.exe
          "C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rutserv.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1472
          • C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rutserv.exe
            C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rutserv.exe -second
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:880
            • C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rfusclient.exe
              C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rfusclient.exe /tray /user
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\EULA.rtf
    Filesize

    114KB

    MD5

    c3d7db3461db0dbb8a1d2a937b1d6252

    SHA1

    35fafe6c6812f20454c709b0a43a21bf7e9f66bf

    SHA256

    cf8e39ce145e36d672cb2a140b3f33e0a1337975d7840e1d6a1920ce560bba46

    SHA512

    9759895e5d4f289e6227f65f46b24ad7f2607443bebd9b039f1cf42bd74c986a597d5de4bef70510c4463874a01695ca2f7ccbd231d6ef5316250d7492c48675

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\English.lg
    Filesize

    52KB

    MD5

    294227da6f9c610c49d38e3965bcdb71

    SHA1

    a6f694235a68fe35ece21d39e736e16053f4b91d

    SHA256

    55fb4c823838b383d077b5c45df2be5fa47abc798054701c23fde5f312379755

    SHA512

    0f3661ca19385d08bbee4419178f7bf9ee7701385c981b94fe81a60438f486c8bea2c048b1bdaf1387265e2d4a1ed4cec2558b7f7fa6d69916c5abbb0b7689a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\RIPCServer.dll
    Filesize

    150KB

    MD5

    59068498190113e051d94fd0b5ef98aa

    SHA1

    6b64bb29763c43a86a4be87fcbc94b2f4697ced3

    SHA256

    097c87769734699254c4f85a6268539c2d90245650930f44d245e75bcc4a3e46

    SHA512

    f7093d9b544fcbd3d7336b42eb9c79e17aa2b01910b3a1a23e23036d6230116e1dc3bde0602ab18efcd53c184c77d57348b2dea889c313a4a605d0714ec35ef8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\RWLN.dll
    Filesize

    966KB

    MD5

    56c10161ff350d143fe51affe777d19f

    SHA1

    54abec9bcf95904b666fa5dbdc9b976acb59e79d

    SHA256

    4d4dd771e72a4654063dfb06dafef1fd0701ed93c407e68b0f10782e453564c8

    SHA512

    229fdf7503f76ed00f05711c58d1978df9327b085c750873714a52e10db7d53bc702e800d280bb086faa3b360f0b2eecf7aa953b0f9ed1be7eabdd9793493d85

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\Russian.lg
    Filesize

    57KB

    MD5

    cc99020d311e97d6127ab9ddd44c980b

    SHA1

    57746de06ba0f206f6ef34c453b5d5cc1f00e136

    SHA256

    37c133f5c437a56c85ee3ca4c921f61c4532b375975c2b2dd9b4b5983e51c66b

    SHA512

    4122f3ef2e454382967ab3ac4e7d5f44f5156b0a97e6ebe98467d399a4281a72bc1a87f26b7f67893a64dbcb6d34e1b7775effaff969e87873b42c43eca336fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\rfusclient.exe
    Filesize

    5.5MB

    MD5

    b274f6fe4595bd970e2a14ca27c0ed51

    SHA1

    1829e2c4c725e363b566dd0267265dd84f3f924d

    SHA256

    6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0

    SHA512

    237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\rutserv.exe
    Filesize

    9.5MB

    MD5

    d10dae1197db0b694c832ae512b34024

    SHA1

    24757c07c814d53ded645547bc53e29c98919077

    SHA256

    74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be

    SHA512

    f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\vp8decoder.dll
    Filesize

    380KB

    MD5

    1ea62293ac757a0c2b64e632f30db636

    SHA1

    8c8ac6f8f28f432a514c3a43ea50c90daf66bfba

    SHA256

    970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df

    SHA512

    857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\vp8encoder.dll
    Filesize

    1.6MB

    MD5

    89770647609ac26c1bbd9cf6ed50954e

    SHA1

    349eed120070bab7e96272697b39e786423ac1d3

    SHA256

    7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4

    SHA512

    a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\webmmux.dll
    Filesize

    260KB

    MD5

    d29f7070ee379544aeb19913621c88e6

    SHA1

    499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be

    SHA256

    654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf

    SHA512

    4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\webmvorbisdecoder.dll
    Filesize

    365KB

    MD5

    7a9eeac3ceaf7f95f44eb5c57b4db2e3

    SHA1

    be1048c254aa3114358f76d08c55667c4bf2d382

    SHA256

    b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88

    SHA512

    b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{72EC7F16-189E-4957-803C-263B4696AB56}\webmvorbisencoder.dll
    Filesize

    860KB

    MD5

    5308b9945e348fbe3a480be06885434c

    SHA1

    5c3cb39686cca3e9586e4b405fc8e1853caaf8ff

    SHA256

    9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a

    SHA512

    4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    75c1f29aaf98fb86737b8b1fb8084de8

    SHA1

    dd94ba045835112258551534ea9f003ce2786ea7

    SHA256

    5692bcee0e43f9a5c74a9df0c81a0939d2f75350797c34866a29d40bde028404

    SHA512

    0442e4d7dfd8bd56e209f8c7ffbe009adc905cc1579c14f3110c4e0095956779ef2c417509574d221b0c8c46c462f2ceaa8b5196387f2478889b947e375f98c6

    Download Submit

  • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    bf9790b86ea708cdcd6741d85b537e0a

    SHA1

    7fa0459dce7f8522be172c88fd838396554fb0d6

    SHA256

    7eb2e3d0e27f5e42aaa60eb4b89d1a3bbe582c3b3699605047732c89b9698d6f

    SHA512

    11ae574b95d1c84e3f44e8ba6dc1d773b6a691d41928b327c30ee62916c655dc27a04de4c4dc90eeab45e6768df71e0187409030fc2c5b95c7a95b341940b2dd

    Download Submit

  • C:\Windows\Temp\TarB8AA.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit

  • memory/880-208-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/880-223-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/880-238-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/880-233-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/880-228-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/880-220-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/880-218-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/880-215-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/880-211-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/1472-91-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/1592-89-0x0000000000400000-0x0000000000A08000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2704-212-0x0000000000400000-0x0000000000A08000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2704-209-0x0000000000400000-0x0000000000A08000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2776-62-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2776-82-0x0000000000400000-0x0000000000A08000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2904-0-0x0000000000400000-0x0000000000EC5000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2904-83-0x0000000000400000-0x0000000000EC5000-memory.dmp

    Filesize

    10.8MB

    Download