Overview

overview

10

Static

static

7

update.exe

windows7-x64

10

update.exe

windows10-2004-x64

10

Resubmissions

28-11-2022 09:53

221128-lwp4eaea33 10

17-11-2022 04:28

221117-e328zsdf69 10

07-11-2022 10:35

221107-mm272secgj 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    221107-hzpp9sded3_pw_infected.zip

  • Size

    60.1MB

  • Sample

    221117-e328zsdf69

  • MD5

    feb01da21ab174bcbe90f377ca93b57c

  • SHA1

    a4b44b71d19ee65d8870cbc74c1e975caea25de1

  • SHA256

    cde3720e9c1d758e606495f4eb216e165e0e2bbe80c9018f32287ae31f553693

  • SHA512

    29a09cfdc3b9e72f2a82699e32e5401ac8728d31ff8cc070cad9bfc26cfca63832bb42c9341a8669fc9cc92798691ef92e2c543eda219dfb4a79a8d1528a56f4

  • SSDEEP

    786432:Cu6OhMOeGbkv7+Js+n95UrwBurSL7bJRqY4tZ8uWbtbphjymJ7UBaH555knSfyGF:25hQk7+JhHvLR7uONomVoaH54e4eLwiX

Score
10/10
rmsxmrigdiscoveryevasionminerpersistenceratthemidatrojanupx

Malware Config

Targets

    • Target

      update.rar

    • Size

      60.2MB

    • MD5

      b77955061c0f46de8059c20128ebb156

    • SHA1

      bd9ba700caec09387bfcf97bd9cc0a2e846836ca

    • SHA256

      ca94c8bbbb10febb8187f8c709affaa91911f646cf0ac99e857bf45b3a709091

    • SHA512

      83f07b66be1138e5f3f1c1f2504d3222bcc1bb1c1626a98e2346408cde7c771a64a998fa38c23ac66097f0b610f70c6309ea914e0c9c95ecff588a385aeb69aa

    • SSDEEP

      1572864:DdjkMwgaV4gRNzu1zCcFA4o/UDDvX94UKfytNxZhDa:FJGuMzuHnXDKfeN5Da

    Score
    10/10
    evasionpersistencethemidatrojanrmsxmrigdiscoveryminerratupx

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

      evasiontrojan

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Blocklisted process makes network request

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Registers new Print Monitor

      persistence

    • Sets DLL path for service in the registry

      persistence

    • Stops running service(s)

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1
T1059

Scheduled Task

1
T1053

Persistence

Account Manipulation

1
T1098

Hidden Files and Directories

1
T1158

Modify Existing Service

3
T1031

Registry Run Keys / Startup Folder

3
T1060

Scheduled Task

1
T1053

Winlogon Helper DLL

1
T1004

Privilege Escalation

Bypass User Account Control

1
T1088

Scheduled Task

1
T1053

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

2
T1089

File and Directory Permissions Modification

1
T1222

Hidden Files and Directories

1
T1158

Impair Defenses

1
T1562

Modify Registry

8
T1112

Virtualization/Sandbox Evasion

1
T1497

Web Service

1
T1102

Credential Access

Account Manipulation

1
T1098

Discovery

Network Service Scanning

1
T1046

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

7
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks