General

  • Target

    $RTWBRPB.exe

  • Size

    5.0MB

  • Sample

    220403-tpgsfsbeh7

  • MD5

    b8c24a19ae1706e4baf0253b8f33abe3

  • SHA1

    a6eb472bb97ddec488203467d10bc26e86dc8e53

  • SHA256

    3c855659332b10f81efb7574d83624a30db08c15fe3927cee1dbdb2c523d3554

  • SHA512

    2c18eea5f88c2cf0fcceacfa8df78d50d59cdcf9d21369c4cffea43a4e020f31a0ad27394ff22572585c2db7708d8c10c5b7e74000d83c1f543a3608190e5b68

Malware Config

Targets

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect software protector.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks