Overview

overview

10

Static

static

5

2d84bb5d8d...a3.exe

windows7-x64

10

2d84bb5d8d...a3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-10-2024 16:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d84bb5d8d9e13ba352212cb64a3d7a3.exe

  • Size

    22.4MB

  • MD5

    2d84bb5d8d9e13ba352212cb64a3d7a3

  • SHA1

    7d8607042fd26b12d32e3509ce81eedbfe9e3b36

  • SHA256

    69868a1882f9a02e5c5b32858e8f3cbdc74a648413242db3913a2737efcc0775

  • SHA512

    321c4c05ef43851dff450e47c61d278ddf39930f1255f83a7ec86a606551f5125955624037c8356c2434691c3bb39a800dbadfb24b958f35658a503ebc22599d

  • SSDEEP

    393216:Fm9EvdSYwu8mATh3qfs0eXIM/mKDz0c+xxoG3uuBt8VN0AfbDlITDdpjIIfq5+:Fm4NJATh3oeXXJ0REG+uBtfgqVpjIIfD

Score
10/10
rmsdiscoveryrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 12 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Embeds OpenSSL 1 IoCs

    Embeds OpenSSL, may be used to circumvent TLS interception.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d84bb5d8d9e13ba352212cb64a3d7a3.exe
    "C:\Users\Admin\AppData\Local\Temp\2d84bb5d8d9e13ba352212cb64a3d7a3.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\rfusclient.exe
      "C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\rfusclient.exe" -run_agent
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\rutserv.exe
        "C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\rutserv.exe" -run_agent
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:216
        • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\rutserv.exe
          "C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\rutserv.exe" -run_agent -second
          4⤵
          • Drops file in System32 directory
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:264
          • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\rfusclient.exe
            "C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\rfusclient.exe" /tray /user
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\EULA.rtf
    Filesize

    137KB

    MD5

    65b04b706ac06e31210f4ffb1e92994e

    SHA1

    b005637b3de903cbd7960637d77ff993897c5a63

    SHA256

    e9acc22a02bc2148ae07ec7cbe741e6e1cbc90de3856aae8f32a31fb5c338566

    SHA512

    5b708d069434a384738efd5f4621f257fc79a7f5a32d8ae9c1d29e21efe1eeb2c393ec67da39714c0c73f2217b68091ee7196c72331838a0a7eca872faf09a09

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\branding.ini
    Filesize

    822B

    MD5

    9d2264fd52c96922fd34757339d9cf24

    SHA1

    60bd58796d878c5dd40b5349bbf9070bd81ca6c7

    SHA256

    ed5c83740371fe7efe6e1c01cb02c732eb60baeb7b600770af8d5e8104ef95c0

    SHA512

    e0a6221d1ef3cc076f052aeaae9076a3e0523b8c46ab8ab79a0a29346067256054c5c699d4425b1fee4615a6b3edd74b96c904e67101a2f31601d14ccd8a4a93

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\eventmsg.dll
    Filesize

    57KB

    MD5

    6610a420c60c420fde9394f651de6b92

    SHA1

    10afef408d37a5b35ff9f72e22ac576077051c4c

    SHA256

    a80225cf40c2824327d50601ae067383dd53d45fdf0e2c064408e7f3eef6d891

    SHA512

    f37aa430d61e966cedfae955c1315f17ff648bb18405b3b066325a8564ad7f9e916960b2f08d8748d6848530655c97f97c421250269210438a63cea56e1f3d26

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\libasset32.dll
    Filesize

    8.8MB

    MD5

    1df0c01b671ac516a8972159f60b0a6e

    SHA1

    8dfd81b98b73bf1435c5906e7774fd1a7f693080

    SHA256

    7556d3a559d6967ce35bc8646d0a285e5ed5c3936d8d9709572c2bceeb2aab36

    SHA512

    5888c4da7a4a48e5361b2512ce41ce9a5285be18a4ca4f61fb9d73432b7fa5f27ea178f4641beb69cff24c59a994ca0f691d6f517dc9d084086020e7b143c842

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\libcodec32.dll
    Filesize

    6.8MB

    MD5

    e9d7061f35a74afa8699d9bc6f5474b6

    SHA1

    10720488700e8ffe252a3f8fb8e4d20b3c4cf176

    SHA256

    afef8e83303e7d7ede74e5fea19c22bfe3c66e3ef3b2a6a24ffe7484b1ccd99d

    SHA512

    457a47d7c44b8461e5fbff3c60b99eabe8a11894a115d84a411498f5af3b69e50e06803eb6265f48dce70fab60e0d4ec34b954704b8792c53b6e5da01dab1717

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\logo.png
    Filesize

    287KB

    MD5

    7a45882e018870a76cbb4b41561aa387

    SHA1

    b9f67a818cc5dbc420c2f40d0c0b920a233c9239

    SHA256

    1dd279892e566f6616ae89b1edc8e3f0ad750e0f7ddd34e9a501ed9e02a9f640

    SHA512

    def9faed2715590140144ddab3adfbd81d1eeb07f4c1f0d5bdd3dea0eaf3086844b345df9c81d8958af10aef2955e82d286f2773b4acc23199c0fe56f4235011

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\rfusclient.exe
    Filesize

    10.6MB

    MD5

    2f0d3d1abd463ac64aa4e743b50aa055

    SHA1

    8e782dd229d0a7b19ca99219a974d740d85a9a96

    SHA256

    499607e5c62078c00107bd08610441143d9e447916dc20596a068ba01149314e

    SHA512

    b8af8897c420ed3ea329c1cce8e8359c2cf58bed4b41929e965e576d66b0f75428d67d1633d6c2c960c4242c5eede8c7e6e4c4e909327ed95bb77800b1216d92

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\rutserv.exe
    Filesize

    21.0MB

    MD5

    4251bb135cc9a31dd42f0be1fbc30a86

    SHA1

    e8136675e22d5702da6c9095384ad0b0035689f7

    SHA256

    e3742d88b1b74e80c1f144387904f3dd7544e7ae4c291d91943a1b4b91db77ae

    SHA512

    5b09adfd8829a4f59488c43b8c32ce608f0f050f7b2e7d469940af616fc9503524ced14063b0fdd0ec4e70262473e6a056d60935370f443381768cdfcd755e2c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\settings.dat
    Filesize

    12KB

    MD5

    23af589729d0639ba20d99ea74f53a82

    SHA1

    5a92faa49c8e47bd4769acb970f4cb8a9984516f

    SHA256

    ce40ebaa569ca54af6f544aa235741bdcf6b75a8155995c0e196a11588cff800

    SHA512

    6bd57c4222487506fa369aa3343c1b593ed27182a177b83f31c7f5c5d3de470f7a819be15f345e3a65a5540b569bc71558f43e9f4a8f2bb6accbdda5f5ffb7c0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\vp8decoder.dll
    Filesize

    379KB

    MD5

    e247666cdea63da5a95aebc135908207

    SHA1

    4642f6c3973c41b7d1c9a73111a26c2d7ac9c392

    SHA256

    b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33

    SHA512

    06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\vp8encoder.dll
    Filesize

    1.6MB

    MD5

    d5c2a6ac30e76b7c9b55adf1fe5c1e4a

    SHA1

    3d841eb48d1a32b511611d4b9e6eed71e2c373ee

    SHA256

    11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428

    SHA512

    3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\webmmux.dll
    Filesize

    259KB

    MD5

    49c51ace274d7db13caa533880869a4a

    SHA1

    b539ed2f1a15e2d4e5c933611d736e0c317b8313

    SHA256

    1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b

    SHA512

    13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\webmvorbisdecoder.dll
    Filesize

    364KB

    MD5

    eda07083af5b6608cb5b7c305d787842

    SHA1

    d1703c23522d285a3ccdaf7ba2eb837d40608867

    SHA256

    c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d

    SHA512

    be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RMS Agent\70510\B0368C3EAB\webmvorbisencoder.dll
    Filesize

    859KB

    MD5

    642dc7e57f0c962b9db4c8fb346bc5a7

    SHA1

    acee24383b846f7d12521228d69135e5704546f6

    SHA256

    63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede

    SHA512

    fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

    Download Submit

  • memory/216-95-0x0000000072BF0000-0x000000007329A000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/216-94-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-188-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-123-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-173-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-168-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-183-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-143-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-124-0x0000000072BF0000-0x000000007329A000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/264-178-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-163-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-158-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-128-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-153-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-133-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-148-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/264-138-0x0000000000720000-0x0000000001CD9000-memory.dmp

    Filesize

    21.7MB

    Download

  • memory/1216-126-0x0000000072BF0000-0x000000007329A000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1216-125-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-145-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-135-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-150-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-130-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-155-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-175-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-160-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-140-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-165-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-185-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-170-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/1216-180-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/3512-12-0x0000000000110000-0x0000000003110000-memory.dmp

    Filesize

    48.0MB

    Download

  • memory/3512-85-0x0000000000110000-0x0000000003110000-memory.dmp

    Filesize

    48.0MB

    Download

  • memory/3512-17-0x00000000039E0000-0x00000000039E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-84-0x0000000003E60000-0x0000000003E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-91-0x0000000072BF0000-0x000000007329A000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4936-89-0x0000000000B60000-0x00000000016B1000-memory.dmp

    Filesize

    11.3MB

    Download