rms | 75d36fc4f14630cd347bce7e8fcf951b42bf47a7fc1e33af4a5ec7b2ec867a71

Analysis

max time kernel
146s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Word/RManServer.exe
Size

3.0MB
MD5

236fa5ee0c58372b51336a917fac7c4a
SHA1

67d371b2d0eee3f1b5af362cde5732bc42cef3cc
SHA256

c9abbef03faec7cf2b8ea364a20c38f56054c1ee6d42f648f71111ae4165cb02
SHA512

199e8f9ff9d6108090a0505001fab88cdc25399b3b2f95a06ef5003a7f120a578351f135e67949ae035d9d9b1336affa99608c0c14dbb3f94bcd1ca3dcd62188
SSDEEP

49152:09uBzsNcZSpHESjdRjuPRcSurl5hn/ZmDThTuW8Q1:euScxFurl5hn/0Y

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManFUSClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	840	RManServer.exe
Token: SeTcbPrivilege	840	RManServer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2552	RManFUSClient.exe
2552	RManFUSClient.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2552	RManFUSClient.exe
2552	RManFUSClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2552	840	RManServer.exe	29
PID 840 wrote to memory of 2552	840	RManServer.exe	29
PID 840 wrote to memory of 2552	840	RManServer.exe	29
PID 840 wrote to memory of 2552	840	RManServer.exe	29

C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
"C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe
  C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe /tray
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/840-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/840-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/840-5-0x0000000000400000-0x0000000000786000-memory.dmp

Filesize
3.5MB

Download
memory/2552-1-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2552-7-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2552-6-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download