General
-
Target
Setup-pass-2024.zip
-
Size
220.1MB
-
Sample
240710-ybcc2awekl
-
MD5
857e36585253bffdd72cb4ac1051d1be
-
SHA1
ad92ce6f9bc7fe89d9f1aab04e08c0add7d639e2
-
SHA256
9da3f73e08beca7fee3cdf6585cd6e48c532ab3a264b6d88a1ad1860e113084e
-
SHA512
acc8281ba6990853b9699d03f8305d75b44d17300dd7105e970458593d2a3c8efe8d6e57d9de822f55b23a72aade6abed08764235fdb1da5bda45d4cb6ceea52
-
SSDEEP
6291456:AtpmBQZgKhVsT38T19Ml6SmxXpco3IB6pMfvVqmo:+pmBOgQiTu2Arx513IB6MvVqmo
Malware Config
Targets
-
-
Target
Setup-pass-2024/Setup.exe
-
Size
4.2MB
-
MD5
320e2e055e06df0aca09643116b3ef89
-
SHA1
cfc8e9f6140a9b04f8a3b240bbace0ec845a3196
-
SHA256
838f122a6e751fb3ffd45c48ea86374b0938ac70ffb6e05b1715f2de1f9bb04e
-
SHA512
5b40dcee0f08dd52cf9339197af1e19cbd99e576c8ece9eabefe4caf2fbfb11d95541035c1940c0017d1a020bfe9b14d5889d39610ee205809ab4b3982af34ae
-
SSDEEP
98304:t4mwM0MziYrBZUt8qxSiUIHrCPmYs3wP46U9Fu2DpECdko5M7gfYF:Wq0Wb0P6ILFW6uIEAE7g4
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies Windows Defender notification settings
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Server Software Component: Terminal Services DLL
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Users
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
4Virtualization/Sandbox Evasion
1