Overview

overview

10

Static

static

7

90f414ca8e...b4.exe

windows7-x64

10

90f414ca8e...b4.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4.exe

  • Size

    9.4MB

  • Sample

    240827-dafzlsyfnc

  • MD5

    6fde344165a369c3586a68317279247c

  • SHA1

    e39b5038f44757a7049c4ebabbd6f62deb280796

  • SHA256

    90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4

  • SHA512

    880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a

  • SSDEEP

    196608:uQmw1JCIvqD9gd1lqFxsPE41SfWj+gzjt5s9di7aH6CcvG:uQr9qFxOE41+Wj5zjLs9U7aaRvG

Score
10/10
rmsdiscoveryevasionlateral_movementpersistenceprivilege_escalationratthemidatrojan

Malware Config

Targets

    • Target

      90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4.exe

    • Size

      9.4MB

    • MD5

      6fde344165a369c3586a68317279247c

    • SHA1

      e39b5038f44757a7049c4ebabbd6f62deb280796

    • SHA256

      90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4

    • SHA512

      880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a

    • SSDEEP

      196608:uQmw1JCIvqD9gd1lqFxsPE41SfWj+gzjt5s9di7aH6CcvG:uQr9qFxOE41+Wj5zjLs9U7aaRvG

    Score
    10/10
    rmsdiscoveryevasionlateral_movementpersistenceprivilege_escalationratthemidatrojan

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

      lateral_movement

    • Modifies Windows Firewall

      evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

5
T1082

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Remote Service Session Hijacking

1
T1563

RDP Hijacking

1
T1563.002

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks