General
-
Target
Setup-pass-2024.zip
-
Size
220.1MB
-
Sample
240614-wan94azgne
-
MD5
4492dd761c82f68cd73b6251526cfa2f
-
SHA1
369ec52dbaa9bb23239a72da30e05dcba44ec1ee
-
SHA256
0f03e2c3dd7ee9b656858db0aa799d3488dcce581d3f0ca03ee76b198f900432
-
SHA512
dff81194294aeb055e9deae39a0da4d21baba9b8eb9fd8a206980c206a5f56931795b2afc603711f2cfb092332136b92b62d4b6d1f1765f1540c99678cbf3d9a
-
SSDEEP
6291456:AtpmBQZgKhVsT38T19Ml6SmxXpco3IB6pMfvVqmM:+pmBOgQiTu2Arx513IB6MvVqmM
Malware Config
Targets
-
-
Target
Setup-pass-2024/Setup.exe
-
Size
4.2MB
-
MD5
320e2e055e06df0aca09643116b3ef89
-
SHA1
cfc8e9f6140a9b04f8a3b240bbace0ec845a3196
-
SHA256
838f122a6e751fb3ffd45c48ea86374b0938ac70ffb6e05b1715f2de1f9bb04e
-
SHA512
5b40dcee0f08dd52cf9339197af1e19cbd99e576c8ece9eabefe4caf2fbfb11d95541035c1940c0017d1a020bfe9b14d5889d39610ee205809ab4b3982af34ae
-
SSDEEP
98304:t4mwM0MziYrBZUt8qxSiUIHrCPmYs3wP46U9Fu2DpECdko5M7gfYF:Wq0Wb0P6ILFW6uIEAE7g4
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies Windows Defender notification settings
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Sets DLL path for service in the registry
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Virtualization/Sandbox Evasion
1