Overview

overview

10

Static

static

7

Setup-pass...up.exe

windows7-x64

10

Setup-pass...up.exe

windows10-2004-x64

10

Setup-pass...up.exe

windows11-21h2-x64

10

Setup-pass...a0.exe

windows7-x64

3

Setup-pass...a0.exe

windows10-2004-x64

3

Setup-pass...a0.exe

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Setup-pass-2024.zip

  • Size

    220.1MB

  • Sample

    240723-rvjswsvdnq

  • MD5

    5fa2632ec126d237415fe6598403bc9d

  • SHA1

    99d99798c54f61b434465540670700b19ecf5149

  • SHA256

    011de6d9199c4a64d90ef4145750f7f03a9fd7a9df9689a0a2076403893ed94c

  • SHA512

    afc0534223b9e091deb4df89457336e9e4c3167370253b718fc47020519d3403b6272b3c68f2365345c1144a7d1044331624a8491841778b94b471b91085c7ab

  • SSDEEP

    6291456:AtpmBQZgKhVsT38T19Ml6SmxXpco3IB6pMfvVqmm:+pmBOgQiTu2Arx513IB6MvVqmm

Score
10/10
rmsdefense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationratthemidatrojan

Malware Config

Targets

    • Target

      Setup-pass-2024/Setup.exe

    • Size

      4.2MB

    • MD5

      320e2e055e06df0aca09643116b3ef89

    • SHA1

      cfc8e9f6140a9b04f8a3b240bbace0ec845a3196

    • SHA256

      838f122a6e751fb3ffd45c48ea86374b0938ac70ffb6e05b1715f2de1f9bb04e

    • SHA512

      5b40dcee0f08dd52cf9339197af1e19cbd99e576c8ece9eabefe4caf2fbfb11d95541035c1940c0017d1a020bfe9b14d5889d39610ee205809ab4b3982af34ae

    • SSDEEP

      98304:t4mwM0MziYrBZUt8qxSiUIHrCPmYs3wP46U9Fu2DpECdko5M7gfYF:Wq0Wb0P6ILFW6uIEAE7g4

    Score
    10/10
    rmsdefense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationratthemidatrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies Windows Defender notification settings

      evasiontrojan

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

      lateral_movement

    • Blocklisted process makes network request

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

      defense_evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2behavioral3

    • Target

      Setup-pass-2024/data0.bin

    • Size

      215.4MB

    • MD5

      38bdb3bd2750ca072241925a597ce576

    • SHA1

      06045b51bc40ca8379ad17528b07b361818f9d92

    • SHA256

      23e498c4034d6c072dfc451550972a99b2c7f313f8e2aba2d1cd0804e6e76b6f

    • SHA512

      31ed4aa225f28ca1ad037438556607b07c3aac42df4b8c74293d9989e27daa84f58a78299ab9583a92842183770b2461bdfb9c49e1a040d1a3621bd154f3e522

    • SSDEEP

      6291456:yJb4T8zKsfV47DGFnjMf28iHLn6CHizQbWhTp4:ib4TsK6i3yQeTH7jHizQITp4

    Score
    3/10
    discovery
    behavioral4behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

File and Directory Permissions Modification

1
T1222

Hide Artifacts

1
T1564

Hidden Users

1
T1564.002

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Modify Registry

4
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Query Registry

5
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Remote Service Session Hijacking

1
T1563

RDP Hijacking

1
T1563.002

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks