General

  • Target

    5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe

  • Size

    6.8MB

  • Sample

    210706-vfy4w7kkwj

  • MD5

    82f18d250b9262253e3f358b26d8888b

  • SHA1

    94412e471583266dd4b89daea0e2ca4238c0ac95

  • SHA256

    5903ca7c770eb447d3d83e9dbc28469b172d74a4e9fb552db6c41db8e96db330

  • SHA512

    c17abb82c904735a845dd50ee5a48b5cbc14526eeedc9de07cef72ac3b78d6fe00abf3f65521ae1048a2d4ffbd64f62e0703ee61ccc08059625bae15d939c4a6

Malware Config

Targets

    • Target

      5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder: T1060 (1)

  • Defense Evasion

    Modify Registry: T1112 (2)

    Install Root Certificate: T1130 (1)

  • Discovery

    Query Registry: T1012 (1)

    System Information Discovery: T1082 (2)

Tasks