General

  • Target

    a91de2cf1e3983aba4591ade5de60c09.exe

  • Size

    6.1MB

  • Sample

    221004-p3gx6aahh7

  • MD5

    a91de2cf1e3983aba4591ade5de60c09

  • SHA1

    7bca47ffd723620f382cc9ac503277481e6d7afa

  • SHA256

    4a0354e05e77a9fdd435d70493c99650a8d5452399a058b64951e7b8d544f1a4

  • SHA512

    b7a4706433898caaaf854612b8bab6f87d6935b8c58e3e08b1d3c3ee63924341fae50c0acfd59e052a56ac3c0ccc017bd31ecf1f9bcd4362b739ac50b17b3f6e

  • SSDEEP

    196608:5bMfbHQ06JaxBEvXUJyXEJDNfZJoExr77dZWoNaUyr:NeH4YxBYXY+sJokFZWLUy

Malware Config

Targets

    • Target

      a91de2cf1e3983aba4591ade5de60c09.exe

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1053 Scheduled Task (1)

  • Persistence

    T1098 Account Manipulation (1)
    T1031 Modify Existing Service (1)
    T1060 Registry Run Keys / Startup Folder (1)
    T1004 Winlogon Helper DLL (1)
    T1053 Scheduled Task (1)

  • Privilege Escalation

    T1053 Scheduled Task (1)

  • Defense Evasion

    T1112 Modify Registry (2)

  • Discovery

    T1012 Query Registry (2)
    T1082 System Information Discovery (3)

Tasks