Analysis

  • max time kernel
    151s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 20:44

General

  • Target

    5d4e29a20566f61f735f1ba292255f34d2e2c7aa2c870e92335dfde91cca9c70.exe

  • Size

    14.6MB

  • MD5

    b042c917da056713438d4ba64c10be22

  • SHA1

    5bb43103095e5e42255568ef4e77b3acdfbed502

  • SHA256

    5d4e29a20566f61f735f1ba292255f34d2e2c7aa2c870e92335dfde91cca9c70

  • SHA512

    5f88bb7edc14d8c04a88f8eaed7cdcf1f62d55ce24edfb011eed0188c3aa43a7a4962c118f2da1965ec096d2612aa8e04a6f75c9755008ebe42c436642fc57b8

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • UAC bypass 3 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d4e29a20566f61f735f1ba292255f34d2e2c7aa2c870e92335dfde91cca9c70.exe
    "C:\Users\Admin\AppData\Local\Temp\5d4e29a20566f61f735f1ba292255f34d2e2c7aa2c870e92335dfde91cca9c70.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode mode=disable
      2⤵
        PID:668
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set allprofiles state off
        2⤵
          PID:860
        • C:\Windows\SysWOW64\reg.exe
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          2⤵
          • Modifies registry key
          PID:1396
        • C:\Windows\SysWOW64\powercfg.exe
          powercfg.exe -h off
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:616
        • C:\Windows\SysWOW64\svhost.exe
          "C:\Windows\System32\svhost.exe"
          2⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1516
          • C:\Windows\SysWOW64\svhost.exe
            C:\Windows\SysWOW64\svhost.exe -second
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1788
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\del.cmd" "
          2⤵
          • Deletes itself
          PID:796

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/820-55-0x0000000076371000-0x0000000076373000-memory.dmp (Filesize: 8KB)
  • memory/820-56-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize: 4KB)
  • memory/1516-62-0x00000000003B0000-0x00000000003B1000-memory.dmp (Filesize: 4KB)
  • memory/1788-72-0x0000000004C80000-0x0000000004C81000-memory.dmp (Filesize: 4KB)
  • memory/1788-77-0x0000000005460000-0x0000000005570000-memory.dmp (Filesize: 1.1MB)
  • memory/1788-71-0x0000000002890000-0x0000000002891000-memory.dmp (Filesize: 4KB)
  • memory/1788-74-0x0000000004F10000-0x0000000004F11000-memory.dmp (Filesize: 4KB)
  • memory/1788-73-0x0000000004E00000-0x0000000004E01000-memory.dmp (Filesize: 4KB)
  • memory/1788-75-0x00000000056E0000-0x00000000056E1000-memory.dmp (Filesize: 4KB)
  • memory/1788-76-0x0000000005460000-0x0000000005570000-memory.dmp (Filesize: 1.1MB)
  • memory/1788-70-0x00000000027F0000-0x00000000027F1000-memory.dmp (Filesize: 4KB)
  • memory/1788-78-0x0000000005570000-0x0000000005571000-memory.dmp (Filesize: 4KB)
  • memory/1788-79-0x0000000005580000-0x0000000005581000-memory.dmp (Filesize: 4KB)
  • memory/1788-81-0x0000000005A00000-0x0000000005A01000-memory.dmp (Filesize: 4KB)
  • memory/1788-80-0x0000000005900000-0x0000000005901000-memory.dmp (Filesize: 4KB)
  • memory/1788-82-0x0000000005A10000-0x0000000005A11000-memory.dmp (Filesize: 4KB)
  • memory/1788-83-0x0000000006540000-0x0000000006578000-memory.dmp (Filesize: 224KB)
  • memory/1788-65-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)