Overview

overview

10

Static

static

7

Torrent Game.zip

windows11-21h2-x64

1

Torrent Ga...ll.exe

windows11-21h2-x64

7

Torrent Ga...up.exe

windows11-21h2-x64

10

Torrent Ga...a0.exe

windows11-21h2-x64

1

Torrent Ga...a1.exe

windows11-21h2-x64

3

Torrent Ga...a2.bin

windows11-21h2-x64

3

Torrent Ga...a3.bin

windows11-21h2-x64

3

Torrent Ga...a4.bin

windows11-21h2-x64

3

Torrent Ga...a5.bin

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Torrent Game.zip

  • Size

    512.6MB

  • Sample

    240430-krt15agh7v

  • MD5

    5d38b2260ed26393f7bd0293ad6144ad

  • SHA1

    6600d31541c9ad449b6189a0fc979e8cf5ba53f5

  • SHA256

    6b419e21fad4a017b11cdde3e9358cd1ad872d47f9dbd905106d555acc111c18

  • SHA512

    e24ab6200155a136e8f8b2a8a8e8f143996b82f2d972b28cbc05f1f92a8448f845ceaff80bcedccc471856c2938cb1ca02e41ab87bad9f96473c7abd9d5a3a00

  • SSDEEP

    12582912:o9x9jo4mNTnYf/55KhGsAzQAzwG1Q+yYHw0rknVrhGUJS4wUHRSoWU:o9j04gc5PsAjzNeFY3kVYUJS4wmRSo7

Score
10/10
rmsdiscoveryevasionpersistenceratthemidatrojan

Malware Config

Targets

    • Target

      Torrent Game.zip

    • Size

      512.6MB

    • MD5

      5d38b2260ed26393f7bd0293ad6144ad

    • SHA1

      6600d31541c9ad449b6189a0fc979e8cf5ba53f5

    • SHA256

      6b419e21fad4a017b11cdde3e9358cd1ad872d47f9dbd905106d555acc111c18

    • SHA512

      e24ab6200155a136e8f8b2a8a8e8f143996b82f2d972b28cbc05f1f92a8448f845ceaff80bcedccc471856c2938cb1ca02e41ab87bad9f96473c7abd9d5a3a00

    • SSDEEP

      12582912:o9x9jo4mNTnYf/55KhGsAzQAzwG1Q+yYHw0rknVrhGUJS4wUHRSoWU:o9j04gc5PsAjzNeFY3kVYUJS4wmRSo7

    Score
    1/10
    behavioral1

    • Target

      Torrent Game/GameInstall.exe

    • Size

      100.0MB

    • MD5

      ff6a31844637ffb384e20d2a2aba0b63

    • SHA1

      51c1b62e10358fb1a0cc4904fd35a521373ce8c9

    • SHA256

      f993de8c7062c78b2a2be059069c8543dc4fe27ec288a621be0d9807adecf687

    • SHA512

      6ac68041344ebcf189ac52039cce4b43eb7ad7c96908ac833bfd7875f09eae655bf1814eebbbcd47b9d0fc39ce1c4d8d2e99c945d9c644e78c93dd8964352226

    • SSDEEP

      786432:Y4rVyDBH/hm5hDeSDAy3of1/RABxJgCokmB+MqZsFcBIx7Zf8FRM9NfJ6LSe/xJ5:/VCDf1/2OB+MqZE7ZL9NB6LNTbt

    Score
    7/10
    discovery

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral2

    • Target

      Torrent Game/Setup.exe

    • Size

      6.8MB

    • MD5

      f0f01fb9ad7ecab5d698da5679175f29

    • SHA1

      314198b1a6cf81cd3b64a91f4eab5ad881ecff2c

    • SHA256

      5f1c46da9e266b1f7f31953e593636c6b0e1968636e81e62e820122bfa40706f

    • SHA512

      c67c093543bd7ef126801dd6e42a6864471dede82d35bdf9c2c508d63af9d0effd6ca312c37bc1261925ba027d4162543ce5267eb93eb5d14abf6d2b89fabf9c

    • SSDEEP

      196608:+/Qr1IjiQrQg+2JraSvJ4NQ7Esnoy8aX8v:V1GiQrQ7HSvJRzoy8aXw

    Score
    10/10
    rmsdiscoveryevasionpersistenceratthemidatrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies Windows Defender notification settings

      evasiontrojan

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Sets DLL path for service in the registry

      persistence

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3

    • Target

      Torrent Game/data0.bin

    • Size

      240.4MB

    • MD5

      9314b47fefaad03cfff812f81b8842ba

    • SHA1

      9774516344f22c3f41bc0c2973b4d2f2455b3b04

    • SHA256

      cef9fc96c36dbaef8c7fa65e3cc006f751e093e0cbcd3774b6d5185f55ff6720

    • SHA512

      dc941e986ba495833a26739502a2c73b3469509a8bd291f80f76348837e1fd158d0e2f89b5fc31e36eefbbf30ae159dbdf6b4351bffe91966d24c96db1183c19

    • SSDEEP

      6291456:oEXZf0MtgWp+qh6RQ8VXtsJYBLSSmRvvDppl7:hPtltUQ8VXDcvvDZ7

    Score
    1/10
    behavioral4

    • Target

      Torrent Game/data1.bin

    • Size

      100.0MB

    • MD5

      ff6a31844637ffb384e20d2a2aba0b63

    • SHA1

      51c1b62e10358fb1a0cc4904fd35a521373ce8c9

    • SHA256

      f993de8c7062c78b2a2be059069c8543dc4fe27ec288a621be0d9807adecf687

    • SHA512

      6ac68041344ebcf189ac52039cce4b43eb7ad7c96908ac833bfd7875f09eae655bf1814eebbbcd47b9d0fc39ce1c4d8d2e99c945d9c644e78c93dd8964352226

    • SSDEEP

      786432:Y4rVyDBH/hm5hDeSDAy3of1/RABxJgCokmB+MqZsFcBIx7Zf8FRM9NfJ6LSe/xJ5:/VCDf1/2OB+MqZE7ZL9NB6LNTbt

    Score
    3/10
    behavioral5

    • Target

      Torrent Game/data2.bin

    • Size

      100.0MB

    • MD5

      9520d7bc6fb1af021f7fca94acc590fe

    • SHA1

      8523e5354efa12720cd28239dd0697c751ba754c

    • SHA256

      8e6b21e5785d0a53c3cf3e2516a9d17a90e1cbfff374e2479111ac067f81ddd6

    • SHA512

      d3d64b26c860e26a84612c5028a9c0813640dbb5f2912e07ebc6a32cda7232a17aef599f002de112f890d4b0bbd3859d5d8129b3fb4caae4b4b38c8b1f78b6db

    • SSDEEP

      786432:cYeW7UIL23SbAqZYWhuXzyjco47GfZNN2t3j4IM9NfH6LkeQ:cY73L23SMqZq7GNxX9NP6LrQ

    Score
    3/10
    behavioral6

    • Target

      Torrent Game/data3.bin

    • Size

      100.0MB

    • MD5

      9e62d180b34701fd08f1a5f8aa8bc09c

    • SHA1

      e08a5415885fe8130450f6f02746b3a75ecb9099

    • SHA256

      3da0e1885901cc1a869bfd45daccdd6ece7e2f25f33bae34a9f81871b5b85a0f

    • SHA512

      26947173e2e6819ef8a3ba1df45b7a207a6635fe351a46766b22fa9efb686d280fd8035f58b3bcbc5152f36ff7e22056587027c224e6dbc23f00e2255afc698c

    • SSDEEP

      786432:/fYKt5yxJOCocZYeu7Q2kUjtg+/Sb4qZQWhh46fS2:nYKt5A1ZYLZzG+/SkqZt362

    Score
    3/10
    behavioral7

    • Target

      Torrent Game/data4.bin

    • Size

      100.0MB

    • MD5

      9d2f821a2e574bcf2bf7280a58a807d0

    • SHA1

      57e903a17be89d5caeeeeb87a2c41f239c8c41dd

    • SHA256

      2ff4e961f3d12bdba4cba240828d0bc3195bf72ab4490920bde282568f18f46c

    • SHA512

      027a0e0e4baf05e664fc7d156620dc2f56e8720c64f90924dd6769adcf8bf484efb0bcdc671f5a82463902a5c9d7a8d9dd204d1f43faed5d71c02cd18e8d37d7

    • SSDEEP

      786432:kZNOsiB75R4D66QWKDdPSy7RNNs4+ZefywXOoU:3R4DHU7RiQPX1U

    Score
    3/10
    behavioral8

    • Target

      Torrent Game/data5.bin

    • Size

      82.4MB

    • MD5

      e047d03be43d9cf8a37c59727c9c0055

    • SHA1

      746c7ae41d13d168c28c97ffa5a83f4bf300918b

    • SHA256

      4e124a5134889b7d88a8ce9fd4c5c2efa37d4d408716acd39a112e3f60c090b1

    • SHA512

      aef8e3f55522cdb2ab16f3d6442f24386f81277b460dcbe64d219a5d216f0d063a26c4bd7f0b3a19cbe2f8d36e4f3d93547fe1d3c7b2c4c9b6602d54ac49e7c4

    • SSDEEP

      1572864:oJxA9NA6L9/IMMw6LIMf1/2t5/aP4jHnur:oJQA6LVIc6Lhf1/85/uKHnur

    Score
    3/10
    behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Scheduled Task/Job

1
T1053

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

File and Directory Permissions Modification

1
T1222

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Modify Registry

5
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

5
T1012

System Information Discovery

4
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks