General

  • Target

    0A54948420DCF901A5B89475DC02DF021E0E6A49D8170.exe

  • Size

    6.1MB

  • Sample

    230220-dhwd9sgh7s

  • MD5

    61d9514cebec966ba845c3969d44d10c

  • SHA1

    3941bfb1b5b463b8cbdfe4e423997c537dc6eb2a

  • SHA256

    0a54948420dcf901a5b89475dc02df021e0e6a49d81700f5ae971c7660e4d15a

  • SHA512

    fde72236c5d132dca7d82239817ffe94266cb22ca44fdddb0c82945639d94e1f877ba301590be08d6e8b162a21c222329a0c67d23ec6391b71f453f3c762e7a8

  • SSDEEP

    98304:kBMgliJi4JhgiIVqskETxGaYequQ+vVNYENTGBxX9WVLE8zjNBumjiQcNOyfAU:kOglEZSeaYeqS8UYWtzmmUJAU

Score
10/10

Malware Config

Targets

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Install Root Certificate (T1130): 1
    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
