General

  • Target

    24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe

  • Size

    6.0MB

  • Sample

    220514-27yspacaf2

  • MD5

    97a2185f37cdd11207322e349b344fb7

  • SHA1

    de2933539caac225cd11768d192bb97467e67010

  • SHA256

    24b0e23df17c77d44882a2e25ecbd4d3b07015af5d44cb325679a370b8304614

  • SHA512

    ca3fd27966cd4213ac5d469e91f69dcb8c098d432628a94061acfd3a5970df794233d8473c8f2216ad0b11c97d0609eb579b6cfefb5f9330c14fb1c18129dca5

Targets

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by the Russian organization TektonIT.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6