General

  • Target

    b56b445af056b621aeed9626cad47d42.exe

  • Size

    11.0MB

  • Sample

    210715-yxv97pbjkx

  • MD5

    b56b445af056b621aeed9626cad47d42

  • SHA1

    9ba5c968ff30ffdbd23fc589ea42f4659c532bc3

  • SHA256

    d101d0dd2bce548291c5d839fd4b047a2e1739ebef3725d2e2923fd44564a41b

  • SHA512

    87c21adea1dfc96968c5b687136465db0a632cb6a3d6bf272f7a440ddcbdea5eddf4e61ccfea858d2935d21bc3c725f157772c1ab7a236256980c795daa53633

Score
10/10

Malware Config

Targets

    • Target

      b56b445af056b621aeed9626cad47d42.exe (11.0MB; MD5, SHA1, SHA256 and SHA512 as listed under General)

    Score
    10/10
    • RMS

      Remote Manipulator System (RMS) is a commercial remote access tool developed by the Russian company TektonIT. It is a legitimately sold product, so its presence alone is not malicious; the verdict rests on it being dropped and started silently by an unrelated 11 MB executable, as the signatures below record.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

      A process was created through NtCreateUserProcess with a parent other than the calling process, the pattern behind parent-PID spoofing. Process-tree based detections that key on the logged parent will show the wrong ancestor for that child.

    • Executes dropped EXE

      A file written to disk during the run was subsequently executed.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Loads dropped DLL

      A DLL written to disk during the run was loaded into a process.

    • Drops file in System32 directory

      Writes a file under the Windows System32 directory, which requires administrative rights and places the payload alongside trusted system binaries.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                      Count  ID
  Defense Evasion  Install Root Certificate       1      T1130
  Defense Evasion  Modify Registry                1      T1112
  Discovery        Query Registry                 1      T1012
  Discovery        System Information Discovery   2      T1082

Count is the number of report signatures mapped to each technique. The IDs are ATT&CK v6 identifiers: T1130 was retired as a top-level technique after v6 and is now the sub-technique T1553.004 (Subvert Trust Controls: Install Root Certificate); T1112, T1012 and T1082 are unchanged. Installing a root certificate is the one mapping here that also affects TLS interception and code-signing trust on the host, so it deserves a check of the Root store after any cleanup.
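The signatures above (dropped file executed, dropped DLL loaded, file written into System32, root certificate installed) are what a host-based detection would need to reproduce. The following is an added example, not part of the sandbox report and not RMS or TektonIT code, showing that logic run over Sysmon-style events: it correlates file-create events with later process-create and image-load events to recognise "dropped" binaries, and flags writes into the Root certificate store by processes outside a small allowlist. Every event, path, file name and thumbprint below is constructed for the example, and the allowlist of legitimate root-store writers is an assumption to tune per environment.

```python
"""Detection logic, as an added example, for the behaviours listed in the
report, run over Sysmon-style process/file/image-load/registry events.

All events, paths and thumbprints here are constructed for the example; they
are not the sandbox's own telemetry and the file names are hypothetical."""
import re
from typing import Dict, List, Tuple

# Real Sysmon event IDs.
PROCESS_CREATE = 1
IMAGE_LOAD = 7
FILE_CREATE = 11
REGISTRY_SET_VALUE = 13

# A new root CA lands as a Blob value under Certificates\<SHA-1 thumbprint>
# in the machine (HKLM) or a user (HKU\<SID>) hive.
ROOT_STORE_RE = re.compile(
    r"^HK(?:LM|U|CU)\\(?:.*\\)?SOFTWARE\\Microsoft\\SystemCertificates\\Root"
    r"\\Certificates\\[0-9A-F]{40}\\Blob$",
    re.IGNORECASE,
)
# Processes allowed to touch the root store; an assumption, tune per site.
ROOT_STORE_WRITERS = {"certutil.exe", "mmc.exe", "svchost.exe"}

SYSTEM32 = "c:\\windows\\system32\\"
WINDOWS = "c:\\windows\\"


def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, signature) pairs.

    Keeps the set of files created so far, so a later execution or load of
    one of them is recognised as use of a 'dropped' binary."""
    dropped: set = set()
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == FILE_CREATE:
            target = ev["TargetFilename"].lower()
            dropped.add(target)
            # Writes into System32 by anything that is not itself a Windows
            # binary are the report's "Drops file in System32 directory".
            if target.startswith(SYSTEM32) and not image.lower().startswith(WINDOWS):
                hits.append((i, "Drops file in System32 directory"))
        elif eid == PROCESS_CREATE and image.lower() in dropped:
            hits.append((i, "Executes dropped EXE"))
        elif eid == IMAGE_LOAD and ev["ImageLoaded"].lower() in dropped:
            hits.append((i, "Loads dropped DLL"))
        elif eid == REGISTRY_SET_VALUE:
            if ROOT_STORE_RE.match(ev["TargetObject"]) and _name(image) not in ROOT_STORE_WRITERS:
                hits.append((i, "T1130 Install Root Certificate"))
    return hits


# Constructed event stream: the sample drops a helper, runs it, the helper
# plants a DLL in System32, loads it and installs a root CA. The last two
# events are benign controls that must stay quiet.
THUMBPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed
ROOT_BLOB = (r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
             "\\" + THUMBPRINT + r"\Blob")
SAMPLE = r"C:\Users\alice\Downloads\b56b445af056b621aeed9626cad47d42.exe"
DROPPED = r"C:\Users\alice\AppData\Local\Temp\dropped.exe"  # hypothetical name

EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 11, "Image": DROPPED, "TargetFilename": r"C:\Windows\System32\helper.dll"},
    {"EventID": 7, "Image": DROPPED, "ImageLoaded": r"C:\Windows\System32\helper.dll"},
    {"EventID": 13, "Image": DROPPED, "TargetObject": ROOT_BLOB},
    {"EventID": 13, "Image": r"C:\Windows\System32\certutil.exe", "TargetObject": ROOT_BLOB},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\LogFiles\update.log"},
]

if __name__ == "__main__":
    for index, signature in scan(EVENTS):
        print(index, signature)
```

The correlation is deliberately stateful: "dropped" means a path this stream saw being created, not merely a path under a user-writable directory, which keeps ordinary user-installed applications from tripping the execute and load rules. The root-store rule still fires on the sample even though the same write from certutil.exe is ignored, which is the intended shape of a T1130 detection; review the allowlist before deploying, since a signed but abusable tool on it is exactly what an attacker would use.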

Tasks