General

  • Target

    981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe

  • Size

    6MB

  • Sample

    221206-tcjfhsbh65

  • MD5

    bfb6121383e3e301ec4267ecb9cacb56

  • SHA1

    d36b7cd218b3e88a03fa3a9c681e6f6fad3b415d

  • SHA256

    981e6b7e07d549903c7c91f149b643c9a75ab98e0e0cba8f0845bef2e162ea7c

  • SHA512

    845559ef9f6cbd7c03f39c60a403b0058b1cfd09e8e84581e8f5dd11501708d06139d5a949cfc9bb1d52537e3cde468ceeee8bd0dcb299c8f29b1496d1f542f3

  • SSDEEP

    98304:MjMgl8EOJi4JhgiIVqskETxGaYequQ+vVNYENTGBxX9WVLE8zjNBumjiQcNOyfAV:MYg8EBEZSeaYeqS8UYWtzmmUJAV

Score
10/10

Malware Config

Targets

    • Target

      981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

      A new process was created with a parent other than the calling process (parent PID spoofing), which hides the true process lineage from tools that trust the recorded parent.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that decides whether the sample runs on this machine.

    • Loads dropped DLL

    • Drops file in System32 directory
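The signatures above are the sandbox's labels for observed behaviour. As an added illustration, not the sandbox's own rules and not code from this report, the following Python script maps a constructed trace of sandbox-style events (file writes, process creations, image loads, registry reads) to those signature names. The event schema, paths and PIDs are invented for the example; the assumption that the "Checks computer location settings" signature keys on the GeoID values under HKCU\Control Panel\International\Geo is mine, not the report's.

```python
"""Map sandbox-style behaviour events to the signature names listed above."""
import ntpath

# Registry values holding the configured country under HKCU\Control Panel\International\Geo.
# Assumption: these are the values the "Checks computer location settings" signature keys on.
GEO_VALUES = {
    r"hkcu\control panel\international\geo\nation",  # numeric GEOID
    r"hkcu\control panel\international\geo\name",    # ISO 3166 alpha-2 code (Windows 10+)
}
SYSTEM32 = r"c:\windows\system32"


def triage(events):
    """Return the sorted list of signature names fired by an ordered list of events.

    Each event is a dict with a "type" field (constructed schema, not the sandbox's):
      file_write     : path
      process_create : pid, image, creator_pid, parent_pid
      image_load     : path
      registry_read  : key
    """
    hits = set()
    dropped = set()  # files written by the sample; later execution/load of these is "dropped"
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            path = ev["path"].lower()
            dropped.add(path)
            if ntpath.dirname(path) == SYSTEM32:
                hits.add("Drops file in System32 directory")
        elif kind == "process_create":
            # Parent PID spoofing: the process that issued the create call is not the
            # parent recorded for the new process.
            if ev["creator_pid"] != ev["parent_pid"]:
                hits.add("Suspicious use of NtCreateUserProcessOtherParentProcess")
            if ev["image"].lower() in dropped:
                hits.add("Executes dropped EXE")
        elif kind == "image_load":
            path = ev["path"].lower()
            if path in dropped and path.endswith(".dll"):
                hits.add("Loads dropped DLL")
        elif kind == "registry_read":
            if ev["key"].lower() in GEO_VALUES:
                hits.add("Checks computer location settings")
    return sorted(hits)


# Constructed event trace (not taken from the report) exercising each rule once.
SAMPLE_EVENTS = [
    {"type": "file_write", "pid": 100,
     "path": r"C:\Users\user\AppData\Local\Temp\payload.exe"},
    {"type": "file_write", "pid": 100,
     "path": r"C:\Windows\System32\support.dll"},
    {"type": "process_create", "pid": 200,
     "image": r"C:\Users\user\AppData\Local\Temp\payload.exe",
     "creator_pid": 100, "parent_pid": 100},
    {"type": "image_load", "pid": 200, "path": r"C:\Windows\System32\support.dll"},
    {"type": "registry_read", "pid": 200,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    # Created by pid 200 but with explorer's (constructed) pid 50 recorded as parent.
    {"type": "process_create", "pid": 300,
     "image": r"C:\Windows\System32\cmd.exe",
     "creator_pid": 200, "parent_pid": 50},
]


if __name__ == "__main__":
    for sig in triage(SAMPLE_EVENTS):
        print(sig)
```

The "dropped" rules deliberately depend on event order: an EXE or DLL only counts as dropped if the sample wrote it earlier in the trace, which is why the same process-create event fires "Executes dropped EXE" in the full trace but not when the preceding file write is missing.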

MITRE ATT&CK Matrix (ATT&CK v6)

Technique (ID): number of matching signatures

  • Defense Evasion

    Install Root Certificate (T1130): 1
    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Tasks