Overview

overview

10

Static

static

3

e6fb0e2e89...6d.exe

windows7-x64

10

e6fb0e2e89...6d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d

  • Size

    9.6MB

  • Sample

    250320-za3n9sx1ft

  • MD5

    6e9d2ef6a2146bb9ae5a5cf4d89759bb

  • SHA1

    3eff5752741da1c8f786d07021cad8f1237c23e8

  • SHA256

    e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d

  • SHA512

    713362bc1d2b25f4a8ed695f30bd2d340a43df336cbc598d43fafb3f1505c35585ca8ebaa5dadcfb4a0cbab75abc32a33d1ab17b2aee5d1272c60549d5309e18

  • SSDEEP

    196608:S3o9iCKRyyrUG5LO875QA++LsjNZuxzqCbcsf3KwUyHXpP9wcoAt7RXGR:ahfLxNa0L8Z2Pgsf3KwUy3JKcjtpGR

Score
10/10
rmsdefense_evasiondiscoveryexecutionpersistencerattrojan

Malware Config

Targets

    • Target

      e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d

    • Size

      9.6MB

    • MD5

      6e9d2ef6a2146bb9ae5a5cf4d89759bb

    • SHA1

      3eff5752741da1c8f786d07021cad8f1237c23e8

    • SHA256

      e6fb0e2e891b20b476020c45c78560263ec22302035bb72b61934ec6cac64f6d

    • SHA512

      713362bc1d2b25f4a8ed695f30bd2d340a43df336cbc598d43fafb3f1505c35585ca8ebaa5dadcfb4a0cbab75abc32a33d1ab17b2aee5d1272c60549d5309e18

    • SSDEEP

      196608:S3o9iCKRyyrUG5LO875QA++LsjNZuxzqCbcsf3KwUyHXpP9wcoAt7RXGR:ahfLxNa0L8Z2Pgsf3KwUy3JKcjtpGR

    Score
    10/10
    rmsdefense_evasiondiscoveryexecutionpersistencerattrojan

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Rms family

      rms

    • UAC bypass

      defense_evasiontrojan

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      defense_evasion

    • Stops running service(s)

      defense_evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks