Overview

overview

10

Static

static

3

467389d955...72.exe

windows7-x64

10

467389d955...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/03/2025, 07:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    467389d955368445c1c749556e894f918d193637df00f175c715ed2c9b5c2672.exe

  • Size

    4.4MB

  • MD5

    78fe208105d90f83f43a0c07c6210541

  • SHA1

    8ad19f227cf5e2e9f4ff6ef2a98735b43f328dd3

  • SHA256

    467389d955368445c1c749556e894f918d193637df00f175c715ed2c9b5c2672

  • SHA512

    dfaaacfa3a4c7ecca4581d24ec2a2ba6fbbd0218ff27c30f273b3cdc8a0cfc369d39b13e2e662ae3b36613765c844908e839c2f33a476ad4964e468ce8c08849

  • SSDEEP

    98304:/4S1Gym+c3UILv5sUuGkz3RQ8Ke+OLFvMXhIHpxfs7:/4mG+ILvsGk9Q8tR9MXhy/s7

Score
10/10
rmsaspackv2discoveryrattrojanupx

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Rms family
    rms
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Drops file in System32 directory 16 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Kills process with taskkill 2 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\467389d955368445c1c749556e894f918d193637df00f175c715ed2c9b5c2672.exe
    "C:\Users\Admin\AppData\Local\Temp\467389d955368445c1c749556e894f918d193637df00f175c715ed2c9b5c2672.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HavijCracked.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3660
      • C:\Users\Admin\AppData\Local\Temp\HavijCracked.exe
        HavijCracked.exe /p1234
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMS.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3680
          • C:\Users\Admin\AppData\Local\Temp\RMS.exe
            RMS.exe /p1234
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2656
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\System32\SysFilesCatalog\install.vbs"
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3476
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\SysFilesCatalog\install.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3508
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im rutserv.exe
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3236
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im rfusclient.exe
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5796
                • C:\Windows\SysWOW64\reg.exe
                  reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:880
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s "regedit.reg"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:1472
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Delays execution with timeout.exe
                  PID:1356
                • C:\Windows\SysWOW64\SysFilesCatalog\rutserv.exe
                  rutserv.exe /silentinstall
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:5548
                • C:\Windows\SysWOW64\SysFilesCatalog\rutserv.exe
                  rutserv.exe /firewall
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:1408
                • C:\Windows\SysWOW64\SysFilesCatalog\rutserv.exe
                  rutserv.exe /start
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:4088
  • C:\Windows\SysWOW64\SysFilesCatalog\rutserv.exe
    C:\Windows\SysWOW64\SysFilesCatalog\rutserv.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5476
    • C:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exe
      C:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5412
      • C:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exe
        C:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exe /tray
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: SetClipboardViewer
        PID:3016
    • C:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exe
      C:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exe /tray
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HavijCracked.bat
    Filesize

    40B

    MD5

    ea5fb7bef8049dd1b276215ac72ba860

    SHA1

    fb0beaf4a9a78e3a596acbac069a99b3adbec602

    SHA256

    6ce14adee0448d4f7f1cf001a45ea1dcfa7c9b9cd0a8a795eeb8b9eee2942813

    SHA512

    2c248ec97d5d150a0a048c43b9dd9532527f7098beaeada9e016dbe4c7e54c1867afcb84d42a005198a1a89c37299d4947f9950bb6df1ba0d79cfab68474252d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\HavijCracked.exe
    Filesize

    4.2MB

    MD5

    21a8be33fb31bd8f4d58b6943f12719c

    SHA1

    411146e9bc09188466051a090348172d6df8a64a

    SHA256

    d5eaa74b76a85c556aa41b7520a2380fb71886950c87be0e227ee23ca4c4a577

    SHA512

    8ddef36e2fe5a93a796a9ae7481ba4b1dfb4644619da2b08f31b221af59541693eb4f6a937390bfe8ef16b6c27c455416b57493ead8430715e8b89ca3a38db4c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RMS.bat
    Filesize

    31B

    MD5

    3fdb252bee147ef14aa44035b4b6208b

    SHA1

    c13b54b0c29167afac2ace60a47d1b12254476fc

    SHA256

    77e5b000bf7b78f8d5bf81dbd9df8b2c98baebaaf94d218471d680179a131182

    SHA512

    6078de6e59b6ee396b51f24fe625a208c60f544c89d4d2d361e52286ae224a803cfbdb7d8bbef94ff2c717ef8df6113d0b69324752c2d3d2ae932faabd4aab92

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RMS.exe
    Filesize

    4.1MB

    MD5

    6682674116a76c8f9a118782d2e0b334

    SHA1

    b243152e66a1a2b0792bb52b6bb6f053360cc734

    SHA256

    61bf61a4e46b2799e2c7ec674feb5638717883b4df8b823ad25e22b36ffef6a1

    SHA512

    c2c093a192dd80aa447df40a810623e0d8c5f186f98cdeb4ceb3380c321991432f8bef0bcf54a3f59768f2265f0b2e2315eb137aa42dd4025cfb80223a7b635d

    Download Submit

  • C:\Windows\SysWOW64\SysFilesCatalog\install.bat
    Filesize

    480B

    MD5

    99db27d776e103cad354b531ee1f20b9

    SHA1

    0b82d146df8528f66d1d14756f211fd3a8b1b91a

    SHA256

    240020a1a1941d1455135b5cb134e502a13b148be16cbb1552482aa03c29f8f3

    SHA512

    bc2ed33495c0a752397b2f1b9b7ba65f94ea5be82dde74c618342c83b68f1b92a4783b672cd427843533799e1af0875e0fd000b12236852e9e2fa93005d7ac69

    Download Submit

  • C:\Windows\SysWOW64\SysFilesCatalog\install.vbs
    Filesize

    117B

    MD5

    65fc32766a238ff3e95984e325357dbb

    SHA1

    3ac16a2648410be8aa75f3e2817fbf69bb0e8922

    SHA256

    a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

    SHA512

    621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

    Download Submit

  • C:\Windows\SysWOW64\SysFilesCatalog\regedit.reg
    Filesize

    12KB

    MD5

    3d0cb95fd41272e7ac77b510b6bad639

    SHA1

    eba5e783fd1b00bb51939ffdfc4831693bb29298

    SHA256

    692960329d595a028149698f6ef762f33df9f21e1e9efb64910686c853231a1a

    SHA512

    588f595c79f420db55e472bcf257d0c5d6ab0abcaff19a48a8234c434ad27a7a88308606710caf07eb19fa8b0c95807872ca42d8efa326278810110b6f3aaaad

    Download Submit

  • C:\Windows\SysWOW64\SysFilesCatalog\rfusclient.exe
    Filesize

    1.5MB

    MD5

    b8667a1e84567fcf7821bcefb6a444af

    SHA1

    9c1f91fe77ad357c8f81205d65c9067a270d61f0

    SHA256

    dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

    SHA512

    ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

    Download Submit

  • C:\Windows\SysWOW64\SysFilesCatalog\rutserv.exe
    Filesize

    1.7MB

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

    Download Submit

  • C:\Windows\SysWOW64\SysFilesCatalog\vp8decoder.dll
    Filesize

    155KB

    MD5

    88318158527985702f61d169434a4940

    SHA1

    3cc751ba256b5727eb0713aad6f554ff1e7bca57

    SHA256

    4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

    SHA512

    5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

    Download Submit

  • C:\Windows\SysWOW64\SysFilesCatalog\vp8encoder.dll
    Filesize

    593KB

    MD5

    6298c0af3d1d563834a218a9cc9f54bd

    SHA1

    0185cd591e454ed072e5a5077b25c612f6849dc9

    SHA256

    81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

    SHA512

    389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

    Download Submit

  • memory/1408-53-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1408-51-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1408-56-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1408-52-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1408-50-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/1408-54-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/3016-99-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3016-96-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3016-100-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3016-101-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3016-97-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3016-95-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3016-98-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3988-88-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3988-94-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3988-108-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3988-85-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3988-125-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3988-117-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3988-81-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3988-83-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3988-82-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3988-104-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4088-60-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4088-84-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4088-63-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4088-58-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4088-62-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4088-61-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/4088-59-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5412-80-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5412-79-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5412-77-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5412-87-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5412-93-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5412-78-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5412-76-0x0000000000400000-0x00000000009B6000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5476-106-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5476-68-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5476-123-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5476-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5476-69-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5476-115-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5476-111-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5476-70-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5476-67-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5476-65-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5476-102-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5476-66-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5548-43-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5548-42-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5548-48-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5548-47-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5548-45-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5548-46-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download

  • memory/5548-44-0x0000000000400000-0x0000000000AB9000-memory.dmp

    Filesize

    6.7MB

    Download