Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-08-2024 11:42

General

  • Target

    RosConsole/RosConsole.exe

  • Size

    10.6MB

  • MD5

    901bfaec42f6e7695f5ee1b31f5072ae

  • SHA1

    77ada23327779b81f4e64e2645aab9728bb8504e

  • SHA256

    79ae5c644a198c68c0d4514ddbdbb840a6638a133b60f73456e598c58f1c6798

  • SHA512

    b812b903d9b0baae7dd6b8f38e1348e86c30cdc28f55a2f3750d0f5c07cbe3904afbba8b6d5637be0b4ca202fbd52b9df48d8464a56fa924858af48627691a18

  • SSDEEP

    196608:+qyqwuLlA1HeT39IigJ1ncKOVVthIUo0W8/Lo79u5Y3LQd7JZtQcNPOP:Opr1+TtIi00VNRW8E5u6sRP6N

Malware Config

Signatures

  • Enumerates VirtualBox DLL files (2 TTPs, 6 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Sets file to hidden (1 TTP, 1 IoC)

    Modifies file attributes to stop the file showing in Explorer etc.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (64 IoCs)
  • UPX packed file (64 IoCs)

    Detects executables packed with the UPX or a modified UPX open-source packer.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
  • Browser Information Discovery (1 TTP)

    Enumerates browser information.

  • Kills process with taskkill (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (26 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: LoadsDriver (6 IoCs)