General

Target: rmm-whiterookcyber-hexicor-workstation.zip
Size: 1KB
Sample: 240924-bllm5asajm
MD5: 59bcd2fb3763d5ef4435388ef11c5d33
SHA1: 937d68f14e5d31f90641bf46533052cb34000fd9
SHA256: 1d8248219cabdcd1a8333109dd734e0a99acdc9614464a04f5c07a70a6c3d1b2
SHA512: 0daa24f7ea6e835964a7ef81c0c1c447187a10b45b147dfab2b143cdf2fb752c5fea895d0d62270632df17baf090074aa657c704fdc5fc8654ade64b49a3f460
Static task: static1

Behavioral task: behavioral1
Sample: rmm-whiterookcyber-hexicor-workstation.ps1
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: rmm-whiterookcyber-hexicor-workstation.ps1
Resource: win10v2004-20240802-en
Malware Config

Extracted (agent download URL):
https://agents.tacticalrmm.com/api/v2/agents/?version=2.8.0&arch=amd64&token=bf707b3c-4252-4a77-8073-3f7b12589422&plat=windows&api=api.trmm.screwlooseit.com.au

Extracted (meshagent):
meshagent
2
TacticalRMM
http://mesh.trmm.screwlooseit.com.au:443/agent.ashx
mesh_id: 0x85FB9F905C525B468D5ECF7ACD8D71551BDAC5541F3C5BF805CACAD4EA856C5137320D5A60A4C26BE8665E24CF35F395
server_id: 433049C9A3214D7670D82306969EA38C1B34CA0CF0AE3C16194665BCDBB838705CCF8FDD48B68623920AC9585D137C28
wss: wss://mesh.trmm.screwlooseit.com.au:443/agent.ashx
Targets

Target: rmm-whiterookcyber-hexicor-workstation.ps1
Size: 2KB
MD5: 035bc3a476c6fe3a307059df1d877604
SHA1: 2e7db353e1674bd81416a355d743b2ee2f12e1e5
SHA256: 71f7b34ad56f0fdfd440be7a1e530662c5991191c2b7a8c9d9fd851c839c6feb
SHA512: f596760227d0f93612eda9c5b3d2bd409b7442b3c089412b174d15e6f16489d36a40157145d9415962a184013c76936cc194eb72ddb77f3cccecd7576ee56aa7
Signatures

- Detects MeshAgent payload
- Blocklisted process makes network request
- Modifies Windows Firewall
- Sets service image path in registry
- Executes dropped EXE
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
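The signatures above (service image path written to the registry, firewall modification, Uninstall-key enumeration) together with the extracted MeshAgent and agent-API hosts are enough to hunt for this deployment on other endpoints. The following PowerShell is an added example and is not code from the report, from Tactical RMM or from MeshAgent. Only the two hostnames come from the extracted config on this page; the service names, uninstall display names, the MeshAgent.msh file, the HKLM\SOFTWARE\TacticalRMM key and the binary name patterns are assumptions based on default Tactical RMM / MeshAgent installs and should be checked against a known-good install.

```powershell
# Added hunting example for the deployment described in this report. It is not code from
# the report, from Tactical RMM or from MeshAgent. Only the two hostnames below come from
# the extracted config; service names, install paths, registry keys and file names are
# ASSUMPTIONS based on default Tactical RMM / MeshAgent installs and should be verified.
# Needs PowerShell 5.1+; step 5 needs the NetSecurity module (Windows 8 / Server 2012+).

$MeshHost = 'mesh.trmm.screwlooseit.com.au'   # from the extracted meshagent wss URL
$ApiHost  = 'api.trmm.screwlooseit.com.au'    # from the &api= parameter of the download URL

# Assumed default names used by the two agents' services, binaries and uninstall entries.
$AgentPatterns = @('tacticalrmm', 'tacticalagent', 'meshagent', 'mesh agent')

function Test-RmmIndicator {
    # True when the text mentions an agent name or one of the report's server hosts.
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return $false }
    foreach ($p in ($AgentPatterns + @($MeshHost, $ApiHost))) {
        if ($Text -like "*$p*") { return $true }   # -like is case-insensitive
    }
    return $false
}

function Find-RmmIndicators {
    # Returns one object per hit: Source, Name, Detail.
    $hits = [System.Collections.Generic.List[object]]::new()

    # 1. Installed software: the same Uninstall keys the report's
    #    "Checks installed software on the system" signature describes.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { (Test-RmmIndicator $_.DisplayName) -or (Test-RmmIndicator $_.InstallLocation) } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{ Source = 'Uninstall'; Name = $_.DisplayName; Detail = $_.InstallLocation })
        }

    # 2. Service image paths ("Sets service image path in registry").
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -Name ImagePath -ErrorAction SilentlyContinue |
        Where-Object { (Test-RmmIndicator $_.PSChildName) -or (Test-RmmIndicator $_.ImagePath) } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{ Source = 'Service'; Name = $_.PSChildName; Detail = $_.ImagePath })
        }

    # 3. MeshAgent config: the agent keeps a .msh file (assumed: MeshAgent.msh under Program
    #    Files) whose MeshServer= line carries the wss:// URL seen in the extracted config.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Filter '*.msh' -Recurse -Depth 2 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $cfg = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
            if (Test-RmmIndicator $cfg) {
                $server = ($cfg -split "`r?`n" | Where-Object { $_ -like 'MeshServer=*' }) -join ';'
                $hits.Add([pscustomobject]@{ Source = 'MeshAgent.msh'; Name = $file.FullName; Detail = $server })
            }
        }

    # 4. Tactical RMM agent settings (assumed registry key used by the agent).
    $trmmKey = 'HKLM:\SOFTWARE\TacticalRMM'
    if (Test-Path -Path $trmmKey) {
        (Get-ItemProperty -Path $trmmKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and (Test-RmmIndicator ([string]$_.Value)) } |
            ForEach-Object {
                $hits.Add([pscustomobject]@{ Source = 'Registry'; Name = "$trmmKey\$($_.Name)"; Detail = [string]$_.Value })
            }
    }

    # 5. Firewall rules scoped to the agent binaries ("Modifies Windows Firewall").
    if (Get-Command -Name Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue) {
        Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
            Where-Object { Test-RmmIndicator $_.Program } |
            ForEach-Object {
                $rule = $_ | Get-NetFirewallRule
                $hits.Add([pscustomobject]@{ Source = 'Firewall'; Name = ($rule.DisplayName -join ';'); Detail = $_.Program })
            }
    }

    return $hits
}

$results = Find-RmmIndicators
if ($results.Count -eq 0) { 'No Tactical RMM / MeshAgent indicators found on this host.' }
else { $results | Format-Table -AutoSize }
```

Tactical RMM and MeshAgent are legitimate remote-management tools, so a hit on the agent name patterns alone is not a verdict; the server hostnames from the extracted config (and the mesh_id / server_id values) are what distinguish an authorised deployment from an unexpected one, so compare the MeshServer line and the api host against the management servers your organisation actually operates.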
MITRE ATT&CK Enterprise v15 (number in parentheses = matching signatures)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (1)
    Service Execution (1)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Defense Evasion
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)