Resubmissions

28-11-2022 09:53

221128-lwp4eaea33 10

17-11-2022 04:28

221117-e328zsdf69 10

07-11-2022 10:35

221107-mm272secgj 10

General

  • Target

    221107-hzpp9sded3_pw_infected.zip

  • Size

    60.1MB

  • Sample

    221128-lwp4eaea33

  • MD5

    feb01da21ab174bcbe90f377ca93b57c

  • SHA1

    a4b44b71d19ee65d8870cbc74c1e975caea25de1

  • SHA256

    cde3720e9c1d758e606495f4eb216e165e0e2bbe80c9018f32287ae31f553693

  • SHA512

    29a09cfdc3b9e72f2a82699e32e5401ac8728d31ff8cc070cad9bfc26cfca63832bb42c9341a8669fc9cc92798691ef92e2c543eda219dfb4a79a8d1528a56f4

  • SSDEEP

    786432:Cu6OhMOeGbkv7+Js+n95UrwBurSL7bJRqY4tZ8uWbtbphjymJ7UBaH555knSfyGF:25hQk7+JhHvLR7uONomVoaH54e4eLwiX

Malware Config

Targets

    • Target

      update.rar

    • Size

      60.2MB

    • MD5

      b77955061c0f46de8059c20128ebb156

    • SHA1

      bd9ba700caec09387bfcf97bd9cc0a2e846836ca

    • SHA256

      ca94c8bbbb10febb8187f8c709affaa91911f646cf0ac99e857bf45b3a709091

    • SHA512

      83f07b66be1138e5f3f1c1f2504d3222bcc1bb1c1626a98e2346408cde7c771a64a998fa38c23ac66097f0b610f70c6309ea914e0c9c95ecff588a385aeb69aa

    • SSDEEP

      1572864:DdjkMwgaV4gRNzu1zCcFA4o/UDDvX94UKfytNxZhDa:FJGuMzuHnXDKfeN5Da

    • Modifies Windows Defender Real-time Protection settings

    • Modifies system executable filetype association

    • Modifies visibility of hidden/system files in Explorer

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Registers COM server for autorun

    • Registers new Print Monitor

    • Sets DLL path for service in the registry

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX or a modified UPX open-source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • T1053 Scheduled Task (1)
  • T1059 Command-Line Interface (1)

Persistence

  • T1031 Modify Existing Service (3)
  • T1042 Change Default File Association (1)
  • T1158 Hidden Files and Directories (1)
  • T1098 Account Manipulation (1)
  • T1060 Registry Run Keys / Startup Folder (4)
  • T1004 Winlogon Helper DLL (1)
  • T1053 Scheduled Task (1)

Privilege Escalation

  • T1088 Bypass User Account Control (1)
  • T1053 Scheduled Task (1)

Defense Evasion

  • T1112 Modify Registry (10)
  • T1089 Disabling Security Tools (2)
  • T1158 Hidden Files and Directories (1)
  • T1088 Bypass User Account Control (1)
  • T1497 Virtualization/Sandbox Evasion (1)
  • T1562 Impair Defenses (1)
  • T1222 File Permissions Modification (1)

Discovery

  • T1012 Query Registry (6)
  • T1497 Virtualization/Sandbox Evasion (1)
  • T1082 System Information Discovery (7)
  • T1046 Network Service Scanning (1)
  • T1120 Peripheral Device Discovery (1)

Command and Control

  • T1102 Web Service (1)

Impact

  • T1489 Service Stop (1)

Tasks