Overview

overview

10

Static

static

64946c1fda...3b.exe

windows7_x64

10

64946c1fda...3b.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b

  • Size

    10.5MB

  • Sample

    220326-d1lyjscegr

  • MD5

    09da7a0456617a66512a87036aafbb8c

  • SHA1

    419bed34eb0b596b593754d49adc54182c684602

  • SHA256

    64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b

  • SHA512

    2fd8a9e3b7aed71a6570a438d139aeb58ff1367a58cff8e9d62c8f7f51d91545baf02e8ca058346f18a22f83b5fa1c229e8f809d020386a767dcd7935b3e962e

Score
10/10
rmsdiscoveryevasionminerpersistenceratspywarestealertrojanupx

Malware Config

Targets

    • Target

      64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b

    • Size

      10.5MB

    • MD5

      09da7a0456617a66512a87036aafbb8c

    • SHA1

      419bed34eb0b596b593754d49adc54182c684602

    • SHA256

      64946c1fdaad0f24ae883ad9a283af95fd6e9ebd8c3dd0be0819991718f8843b

    • SHA512

      2fd8a9e3b7aed71a6570a438d139aeb58ff1367a58cff8e9d62c8f7f51d91545baf02e8ca058346f18a22f83b5fa1c229e8f809d020386a767dcd7935b3e962e

    Score
    10/10
    rmsdiscoveryevasionminerpersistenceratspywarestealertrojanupx

    • Modifies firewall policy service

      evasion

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • UAC bypass

      evasiontrojan

    • Detected Stratum cryptominer command

      Looks to be attempting to contact Stratum mining pool.

      miner

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets DLL path for service in the registry

      persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Stops running service(s)

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Cryptocurrency Miner

      Makes network request to known mining pool URL.

      miner

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Hidden Files and Directories

2
T1158

Modify Existing Service

3
T1031

Registry Run Keys / Startup Folder

2
T1060

Winlogon Helper DLL

1
T1004

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

File and Directory Permissions Modification

1
T1222

Hidden Files and Directories

2
T1158

Impair Defenses

1
T1562

Install Root Certificate

1
T1130

Modify Registry

7
T1112

Web Service

1
T1102

Credential Access

Account Manipulation

1
T1098

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks