Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

111.exe

windows7-x64

10

111.exe

windows10-2004-x64

10

Word/HookDrv.dll

windows7-x64

3

Word/HookDrv.dll

windows10-2004-x64

3

Word/RManF...nt.exe

windows7-x64

3

Word/RManF...nt.exe

windows10-2004-x64

3

Word/RManServer.exe

windows7-x64

10

Word/RManServer.exe

windows10-2004-x64

10

blat.dll

windows7-x64

3

blat.dll

windows10-2004-x64

3

blat.exe

windows7-x64

3

blat.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    146s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    02/11/2024, 13:47 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Word/RManServer.exe

  • Size

    3.0MB

  • MD5

    236fa5ee0c58372b51336a917fac7c4a

  • SHA1

    67d371b2d0eee3f1b5af362cde5732bc42cef3cc

  • SHA256

    c9abbef03faec7cf2b8ea364a20c38f56054c1ee6d42f648f71111ae4165cb02

  • SHA512

    199e8f9ff9d6108090a0505001fab88cdc25399b3b2f95a06ef5003a7f120a578351f135e67949ae035d9d9b1336affa99608c0c14dbb3f94bcd1ca3dcd62188

  • SSDEEP

    49152:09uBzsNcZSpHESjdRjuPRcSurl5hn/ZmDThTuW8Q1:euScxFurl5hn/0Y

Score
10/10
rmsdiscoveryrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Rms family
    rms
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe
    "C:\Users\Admin\AppData\Local\Temp\Word\RManServer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe
      C:\Users\Admin\AppData\Local\Temp\Word\RManFUSClient.exe /tray
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/840-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/840-4-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/840-5-0x0000000000400000-0x0000000000786000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2552-1-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2552-7-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2552-6-0x0000000000400000-0x0000000000717000-memory.dmp

    Filesize

    3.1MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.