General

  • Target

    rmeinstaller.exe

  • Size

    37.7MB

  • Sample

    240620-rkzrcs1hqa

  • MD5

    2e039403318fb3ab7267c2721ed3173e

  • SHA1

    48de59ad767c0aa1c4d7fc2a3f6f0f341e725964

  • SHA256

    83d3a2141aba68df2861190d239f7b72ef342605c242489a7a0aa83526af0b1b

  • SHA512

    e941e3ddac7dd52e3383de3320d1d3cce51a55050501b6be8e0a3e205a10c66cec207c5f0687ec401430269119363ca3099f0d8f308227a5e1db19d92d13aa79

  • SSDEEP

    786432:xbrTC80BwMIhIhFDPvWM72rAeGvPjOF98O0X2v4uri5rjgzuQ/NBxyTiJ:hrTC80BwMIhIhFDPvWM72rAeGvPjOF95

Malware Config

Targets

    • Target

      rmeinstaller.exe

    • Size

      37.7MB

    • MD5

      2e039403318fb3ab7267c2721ed3173e

    • SHA1

      48de59ad767c0aa1c4d7fc2a3f6f0f341e725964

    • SHA256

      83d3a2141aba68df2861190d239f7b72ef342605c242489a7a0aa83526af0b1b

    • SHA512

      e941e3ddac7dd52e3383de3320d1d3cce51a55050501b6be8e0a3e205a10c66cec207c5f0687ec401430269119363ca3099f0d8f308227a5e1db19d92d13aa79

    • SSDEEP

      786432:xbrTC80BwMIhIhFDPvWM72rAeGvPjOF98O0X2v4uri5rjgzuQ/NBxyTiJ:hrTC80BwMIhIhFDPvWM72rAeGvPjOF95

    • Possible privilege escalation attempt

    • Modifies file permissions

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
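The COM hijacking signature above is the one behaviour in this report that a defender can check for directly, so here is an added example of that check, written for this page and not taken from the sandbox or from the installer being analysed. HKCR is a merged view in which HKCU\Software\Classes wins over HKLM\Software\Classes for the same key, so a per-user InprocServer32 (or LocalServer32) value redirects every non-elevated instantiation of that CLSID to whatever binary the value names. The script parses a flattened registry dump and flags per-user CLSID server entries that either shadow a machine-wide entry with a different binary or load from a user-writable path. The registry lines, GUIDs and paths are constructed for the example; the writable-prefix list is a heuristic, not a specification.

```python
"""Detector for the COM hijacking pattern flagged above (ATT&CK T1546.015).

Added example: this is not code from the sandbox report or from the analysed
installer.  It scans a flattened registry dump (constructed below) for
per-user CLSID server registrations under HKCU\\Software\\Classes that either
shadow a machine-wide HKLM registration with a different binary or load the
server from a user-writable directory.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ComRecord:
    hive: str    # "HKCU" or "HKLM"
    clsid: str   # "{GUID}" normalised to upper case
    server: str  # path stored in the InprocServer32 / LocalServer32 default value


# Heuristic list of prefixes a standard user can write to; not exhaustive.
USER_WRITABLE_PREFIXES = (
    "C:\\USERS\\",
    "C:\\PROGRAMDATA\\",
    "%APPDATA%",
    "%LOCALAPPDATA%",
    "%TEMP%",
)

_SERVER_KEY_RE = re.compile(
    r"^(HKCU|HKLM)\\SOFTWARE\\CLASSES\\CLSID\\"
    r"(\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\})\\"
    r"(?:INPROCSERVER32|LOCALSERVER32)$",
    re.IGNORECASE,
)


def parse_record(line: str) -> Optional[ComRecord]:
    """Parse one 'key = "value"' line; return None for anything that is not a
    COM server default value (other values, other hives, malformed lines)."""
    key, sep, value = line.partition("=")
    if not sep:
        return None
    match = _SERVER_KEY_RE.match(key.strip())
    if not match:
        return None
    hive, clsid = match.group(1).upper(), match.group(2).upper()
    return ComRecord(hive, clsid, value.strip().strip('"'))


def find_hijacks(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (clsid, per-user server path, reason) for suspicious HKCU entries.

    A per-user entry is suspicious when it names a different binary than the
    HKLM entry for the same CLSID, or when the binary sits somewhere a
    standard user can write.
    """
    by_hive: Dict[str, Dict[str, str]] = {"HKCU": {}, "HKLM": {}}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            by_hive[rec.hive][rec.clsid] = rec.server

    findings = []
    for clsid, user_server in sorted(by_hive["HKCU"].items()):
        reasons = []
        machine_server = by_hive["HKLM"].get(clsid)
        if machine_server is not None and user_server.lower() != machine_server.lower():
            reasons.append(f"shadows HKLM server {machine_server}")
        if user_server.upper().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("server is in a user-writable location")
        if reasons:
            findings.append((clsid, user_server, "; ".join(reasons)))
    return findings


# Constructed registry dump for the example; the GUIDs and paths are made up.
SAMPLE_DUMP = [
    # Machine-wide registration of a (fictional) system component.
    r'HKLM\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32 = "C:\Windows\System32\example.dll"',
    # Per-user entry for the same CLSID pointing into the user's profile: hijack pattern.
    r'HKCU\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32 = "C:\Users\alice\AppData\Roaming\update.dll"',
    # Per-user and machine-wide entries that agree: benign per-user install.
    r'HKLM\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\InprocServer32 = "C:\Program Files\Vendor\vendor.dll"',
    r'HKCU\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\InprocServer32 = "C:\Program Files\Vendor\vendor.dll"',
    # Per-user-only registration loading from LocalAppData: worth a look.
    r'HKCU\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000003}\LocalServer32 = "%LOCALAPPDATA%\Helper\helper.exe"',
    # Non-default value under a server key; ignored by the parser.
    r'HKCU\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32\ThreadingModel = "Apartment"',
]

if __name__ == "__main__":
    for clsid, server, reason in find_hijacks(SAMPLE_DUMP):
        print(f"{clsid}: {server} ({reason})")
```

On a live host the same logic runs over the output of a registry export of both CLSID trees, or over Sysmon registry-set events for keys under Software\Classes\CLSID. Two caveats: a per-user entry that agrees with HKLM is normal for per-user installs, which is why the check compares the two rather than flagging every HKCU entry, and elevated (high-integrity) processes on current Windows do not honour per-user class registrations, so a hijack of this kind affects the user's own medium-integrity processes rather than giving the attacker elevated code execution on its own.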

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                                     Count  ID
  --------------------  --------------------------------------------  -----  ---------
  Persistence           Event Triggered Execution                     1      T1546
                          Component Object Model Hijacking            1      T1546.015
  Privilege Escalation  Event Triggered Execution                     1      T1546
                          Component Object Model Hijacking            1      T1546.015
  Defense Evasion       File and Directory Permissions Modification   1      T1222
  Discovery             Query Registry                                3      T1012
                        Peripheral Device Discovery                   2      T1120
                        System Information Discovery                  3      T1082

  Count is the number of signature hits mapped to each technique; indented rows are sub-techniques of the row above.
