Overview

overview

10

Static

static

7

agent.exe

windows7-x64

10

agent.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    agent.exe

  • Size

    9.6MB

  • MD5

    f318f33943ac090b9872a8ac4045bedf

  • SHA1

    974da2c9186ca7534a29c9f907cb910668368e5f

  • SHA256

    75fb9e1511f1005f07cd73c8cc836fcdecc645e4a633c48e7816958e7d792d25

  • SHA512

    3c46bf23c1ed51e5acada3f4abcf26199283b879d9da0b5ca9b7e4813084c048aade6378a0282ae4a3708b9fd5aef1dfddbdba476812a087bcadc455ebfc7bd2

  • SSDEEP

    196608:Ph8kqvWOgbU9z8PQ4EXqWkNGC/TkLZ04CTp2CKoojMHXF7lb5ryP1IPJ8czzT:Ph8/vW49zgQ4E6aykl04CkTMhDa+j

Score
10/10
rmsrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\agent.exe
    "C:\Users\Admin\AppData\Local\Temp\agent.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\rfusclient.exe
      "C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\rfusclient.exe" -deploy
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rfusclient.exe
        "C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rfusclient.exe" -run_agent
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rutserv.exe
          "C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rutserv.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3652
          • C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rutserv.exe
            C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rutserv.exe -second
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1568
            • C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rfusclient.exe
              C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\E6178AFFB3\rfusclient.exe /tray /user
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\EULA.rtf
    Filesize

    114KB

    MD5

    c3d7db3461db0dbb8a1d2a937b1d6252

    SHA1

    35fafe6c6812f20454c709b0a43a21bf7e9f66bf

    SHA256

    cf8e39ce145e36d672cb2a140b3f33e0a1337975d7840e1d6a1920ce560bba46

    SHA512

    9759895e5d4f289e6227f65f46b24ad7f2607443bebd9b039f1cf42bd74c986a597d5de4bef70510c4463874a01695ca2f7ccbd231d6ef5316250d7492c48675

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\English.lg
    Filesize

    52KB

    MD5

    294227da6f9c610c49d38e3965bcdb71

    SHA1

    a6f694235a68fe35ece21d39e736e16053f4b91d

    SHA256

    55fb4c823838b383d077b5c45df2be5fa47abc798054701c23fde5f312379755

    SHA512

    0f3661ca19385d08bbee4419178f7bf9ee7701385c981b94fe81a60438f486c8bea2c048b1bdaf1387265e2d4a1ed4cec2558b7f7fa6d69916c5abbb0b7689a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\RIPCServer.dll
    Filesize

    150KB

    MD5

    59068498190113e051d94fd0b5ef98aa

    SHA1

    6b64bb29763c43a86a4be87fcbc94b2f4697ced3

    SHA256

    097c87769734699254c4f85a6268539c2d90245650930f44d245e75bcc4a3e46

    SHA512

    f7093d9b544fcbd3d7336b42eb9c79e17aa2b01910b3a1a23e23036d6230116e1dc3bde0602ab18efcd53c184c77d57348b2dea889c313a4a605d0714ec35ef8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\RWLN.dll
    Filesize

    966KB

    MD5

    56c10161ff350d143fe51affe777d19f

    SHA1

    54abec9bcf95904b666fa5dbdc9b976acb59e79d

    SHA256

    4d4dd771e72a4654063dfb06dafef1fd0701ed93c407e68b0f10782e453564c8

    SHA512

    229fdf7503f76ed00f05711c58d1978df9327b085c750873714a52e10db7d53bc702e800d280bb086faa3b360f0b2eecf7aa953b0f9ed1be7eabdd9793493d85

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\Russian.lg
    Filesize

    57KB

    MD5

    cc99020d311e97d6127ab9ddd44c980b

    SHA1

    57746de06ba0f206f6ef34c453b5d5cc1f00e136

    SHA256

    37c133f5c437a56c85ee3ca4c921f61c4532b375975c2b2dd9b4b5983e51c66b

    SHA512

    4122f3ef2e454382967ab3ac4e7d5f44f5156b0a97e6ebe98467d399a4281a72bc1a87f26b7f67893a64dbcb6d34e1b7775effaff969e87873b42c43eca336fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\rfusclient.exe
    Filesize

    5.5MB

    MD5

    b274f6fe4595bd970e2a14ca27c0ed51

    SHA1

    1829e2c4c725e363b566dd0267265dd84f3f924d

    SHA256

    6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0

    SHA512

    237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\rutserv.exe
    Filesize

    9.5MB

    MD5

    d10dae1197db0b694c832ae512b34024

    SHA1

    24757c07c814d53ded645547bc53e29c98919077

    SHA256

    74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be

    SHA512

    f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\vp8decoder.dll
    Filesize

    380KB

    MD5

    1ea62293ac757a0c2b64e632f30db636

    SHA1

    8c8ac6f8f28f432a514c3a43ea50c90daf66bfba

    SHA256

    970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df

    SHA512

    857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\vp8encoder.dll
    Filesize

    1.6MB

    MD5

    89770647609ac26c1bbd9cf6ed50954e

    SHA1

    349eed120070bab7e96272697b39e786423ac1d3

    SHA256

    7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4

    SHA512

    a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\webmmux.dll
    Filesize

    260KB

    MD5

    d29f7070ee379544aeb19913621c88e6

    SHA1

    499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be

    SHA256

    654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf

    SHA512

    4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\webmvorbisdecoder.dll
    Filesize

    365KB

    MD5

    7a9eeac3ceaf7f95f44eb5c57b4db2e3

    SHA1

    be1048c254aa3114358f76d08c55667c4bf2d382

    SHA256

    b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88

    SHA512

    b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RUT_{8553F95B-DE24-4700-97EF-53DF8E6FE4B4}\webmvorbisencoder.dll
    Filesize

    860KB

    MD5

    5308b9945e348fbe3a480be06885434c

    SHA1

    5c3cb39686cca3e9586e4b405fc8e1853caaf8ff

    SHA256

    9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a

    SHA512

    4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412

    Download Submit

  • memory/1568-110-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/1568-135-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/1568-125-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/1568-138-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/1568-128-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/1568-116-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/1568-113-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/1568-108-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/2524-85-0x0000000000400000-0x0000000000A08000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2884-111-0x0000000000400000-0x0000000000A08000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2884-114-0x0000000000400000-0x0000000000A08000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2884-109-0x0000000000400000-0x0000000000A08000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3092-58-0x0000000002B00000-0x0000000002B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3092-81-0x0000000000400000-0x0000000000A08000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3652-87-0x0000000000400000-0x0000000000E29000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/4548-0-0x0000000000400000-0x0000000000EC5000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4548-83-0x0000000000400000-0x0000000000EC5000-memory.dmp

    Filesize

    10.8MB

    Download