General

  • Target

    42da9414a2faba94899ebaa84cd32841ac30db80d655c5be4d32ef568cc35014

  • Size

    6.6MB

  • Sample

    221130-p9z3bacd66

  • MD5

    b4d453087720b8fbf93147c039f4f8fb

  • SHA1

    cfc9c30a92a61d0009bc4e21a1a808180d278218

  • SHA256

    42da9414a2faba94899ebaa84cd32841ac30db80d655c5be4d32ef568cc35014

  • SHA512

    1d498db675a631d91821786ef657d94814eadc8fc6062ad8256692bd5cf3e35632fce94e96d4672993b0fa36ed424cd7815d3ba81862ce0a75df4feebe9e9c51

  • SSDEEP

    98304:9Xz+/uvg6x/emUKoJV5ElkmPNJgpEdneZi+H02YqAQcmJ3Q/mUfBA9qcu1ccH6i1:FK21H5WV5ElzMpYXY0fBQcb7BA2hHf

Malware Config

Targets

    • Target

      42da9414a2faba94899ebaa84cd32841ac30db80d655c5be4d32ef568cc35014

    • Size

      6.6MB

    • MD5

      b4d453087720b8fbf93147c039f4f8fb

    • SHA1

      cfc9c30a92a61d0009bc4e21a1a808180d278218

    • SHA256

      42da9414a2faba94899ebaa84cd32841ac30db80d655c5be4d32ef568cc35014

    • SHA512

      1d498db675a631d91821786ef657d94814eadc8fc6062ad8256692bd5cf3e35632fce94e96d4672993b0fa36ed424cd7815d3ba81862ce0a75df4feebe9e9c51

    • SSDEEP

      98304:9Xz+/uvg6x/emUKoJV5ElkmPNJgpEdneZi+H02YqAQcmJ3Q/mUfBA9qcu1ccH6i1:FK21H5WV5ElzMpYXY0fBQcb7BA2hHf

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • UAC bypass

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

1
T1060

Hidden Files and Directories

2
T1158

Winlogon Helper DLL

1
T1004

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

3
T1112

Hidden Files and Directories

2
T1158

Impair Defenses

1
T1562

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Tasks