General
-
Target
Win32.KeyPass.zip
-
Size
1.3MB
-
Sample
241030-ehgrjsvldt
-
MD5
f831ffa7faa4da66482aa252536e1b0f
-
SHA1
aa305bd6962ebf06e26462d25140691585f85341
-
SHA256
8f8f3834abab12ebd792487a89e45bdb8c8f41b51f232dfb3edb8e8140c9ff8f
-
SHA512
3bf39aeb6c52de76aa864fb7d810cb4adbd2c7e0a2b91e8b6865967843044d628ca66a4531c720e5cd75dfb82a371e467f823819c0d9d559bd371efeec1d962a
-
SSDEEP
24576:k5yq9y9qttzFVPyDcYwohuvh0GsGkjHkevwLfK4uiIP/nMPbcdKK:cH3FVP8hphuF2Hk1LfK4InMLK
Static task
static1
Behavioral task
behavioral1
Sample
Win32.KeyPass.zip
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Win32.KeyPass.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Win32.KeyPass.zip
Resource
macos-20240711.1-en
Behavioral task
behavioral4
Sample
Win32.KeyPass.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
Win32.KeyPass.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
Win32.KeyPass.exe
Resource
macos-20240711.1-en
Malware Config
Extracted
C:\MSOCache\!!!DECRYPTION__KEYPASS__INFO!!!.txt
Targets
-
-
Target
Win32.KeyPass.zip
-
Size
1.3MB
-
MD5
f831ffa7faa4da66482aa252536e1b0f
-
SHA1
aa305bd6962ebf06e26462d25140691585f85341
-
SHA256
8f8f3834abab12ebd792487a89e45bdb8c8f41b51f232dfb3edb8e8140c9ff8f
-
SHA512
3bf39aeb6c52de76aa864fb7d810cb4adbd2c7e0a2b91e8b6865967843044d628ca66a4531c720e5cd75dfb82a371e467f823819c0d9d559bd371efeec1d962a
-
SSDEEP
24576:k5yq9y9qttzFVPyDcYwohuvh0GsGkjHkevwLfK4uiIP/nMPbcdKK:cH3FVP8hphuF2Hk1LfK4InMLK
-
Revengerat family
-
Rms family
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
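The signature above fires on net.exe command lines that change group membership. The following detection, added here as an example and not part of the sandbox report, classifies process-creation command lines (Sysmon event ID 1 style) and flags additions to privileged local or domain groups. It handles the net1.exe child that net.exe spawns, quoted group names such as "Remote Desktop Users" (relevant to the RDP hijacking signature below), and case-insensitive switches; the PRIVILEGED_GROUPS list and the sample events are constructed assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Groups whose membership changes should raise an alert.
# Assumption for this example; extend it for your environment.
PRIVILEGED_GROUPS = {
    "administrators",
    "remote desktop users",
    "remote management users",
    "backup operators",
    "domain admins",
}

# A double-quoted run becomes one token (quotes removed); anything else splits on whitespace.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line the way net.exe sees its arguments."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


@dataclass(frozen=True)
class GroupMembershipChange:
    image: str    # executable as it appeared on the command line
    scope: str    # "localgroup" or "group"
    group: str
    member: str
    verb: str     # "add" or "delete"


def classify_net_command(cmdline: str) -> Optional[GroupMembershipChange]:
    """Return the group-membership change a net/net1 command line performs, or None."""
    toks = tokenize_cmdline(cmdline)
    if len(toks) < 4:
        return None
    exe = ntpath.basename(toks[0]).lower()
    if exe not in ("net", "net.exe", "net1", "net1.exe"):
        return None
    scope = toks[1].lower()
    if scope not in ("localgroup", "group"):
        return None
    # net.exe switches start with "/" and are case-insensitive (/add, /ADD, /domain, ...)
    switches = [t.lower() for t in toks[2:] if t.startswith("/")]
    positional = [t for t in toks[2:] if not t.startswith("/")]
    verb = next((s[1:] for s in switches if s in ("/add", "/delete")), None)
    # "net localgroup foo /add" with one positional creates a group, not a membership change
    if verb is None or len(positional) < 2:
        return None
    return GroupMembershipChange(toks[0], scope, positional[0], positional[1], verb)


def is_privileged_grant(change: Optional[GroupMembershipChange]) -> bool:
    return change is not None and change.verb == "add" and change.group.lower() in PRIVILEGED_GROUPS


# Constructed process-creation events (Sysmon event ID 1 style), not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"ProcessId": 1201, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net localgroup administrators backup /add"},
    {"ProcessId": 1202, "ParentImage": r"C:\Windows\System32\net.exe",
     "CommandLine": r'"C:\Windows\System32\net1.exe" localgroup "Remote Desktop Users" svc_rdp /ADD'},
    {"ProcessId": 1203, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net user backup P@ssw0rd /add"},          # account creation, not a group grant
    {"ProcessId": 1204, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net localgroup administrators backup /delete"},
    {"ProcessId": 1205, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net.exe localgroup Administrators"},      # enumeration only
    {"ProcessId": 1206, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"ipconfig /all"},
]


def find_privilege_grants(events) -> list[dict]:
    """Return the events whose command line adds a member to a privileged group."""
    hits = []
    for ev in events:
        change = classify_net_command(ev["CommandLine"])
        if is_privileged_grant(change):
            hits.append({**ev, "group": change.group, "member": change.member})
    return hits


if __name__ == "__main__":
    for hit in find_privilege_grants(SAMPLE_EVENTS):
        print(f"pid {hit['ProcessId']}: {hit['member']} added to {hit['group']}")
```

Matching on the parsed arguments rather than on a substring such as "administrators /add" is what keeps the net1.exe child and quoted group names from slipping past; pairing each hit with the parent image tells you whether the grant came from an interactive shell or from a dropped binary.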
-
Remote Service Session Hijacking: RDP Hijacking
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
RevengeRat Executable
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Path Permission
Adversaries may modify directory permissions/attributes to evade access control lists (ACLs) and access protected files.
-
Modifies file permissions
-
Uses the VBS compiler for execution
-
Gatekeeper Bypass
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple's security model to ensure only trusted applications are executed on a host.
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence, such as scheduled tasks, on a host.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Password Policy Discovery
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate what was done within a network and how. Removal of these files can occur.
-
-
-
Target
Win32.KeyPass.bin
-
Size
2.8MB
-
MD5
6999c944d1c98b2739d015448c99a291
-
SHA1
d9beb50b51c30c02326ea761b5f1ab158c73b12c
-
SHA256
35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282
-
SHA512
ab883364a8907636c00a4d263670cd495d0e6c521283d40c68d47398163c6ee6647cfbbc2142005121735d9edf0b414ddac6ea468f30db87018c831eaa327276
-
SSDEEP
49152:0u1ImfQE5L1PtWHeHoQAOs1dKvHHg/o2S1pj798JGKCO8C/eZRwCr:dzV5JPtWHeHoIs1dGHHx2S1998JGKCOC
-
Renames multiple (9818) files with added filename extension
This suggests ransomware activity, i.e. mass encryption of the files on the system.
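The signature counts renames that append an extension to an existing file name, which is the behaviour that separates an encryptor from a build tool or backup job. The heuristic below is an added example, not the sandbox's own logic: it groups file-rename telemetry by process and appended extension and alerts when one process appends the same extension to a threshold number of distinct files inside a sliding time window. The event format, the ".locked" extension, the 50-file/60-second thresholds and all sample events are constructed assumptions.

```python
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RenameEvent:
    ts: float        # seconds since an arbitrary epoch
    pid: int
    image: str
    old_path: str
    new_path: str


@dataclass(frozen=True)
class RenameBurst:
    pid: int
    image: str
    extension: str
    distinct_files: int
    first_ts: float
    last_ts: float


def appended_extension(old_path: str, new_path: str) -> Optional[str]:
    """If new_path is old_path with an extension appended (same directory), return it; otherwise None.
    A rename that changes the base name, e.g. main.tmp -> main.obj, is not counted."""
    if ntpath.dirname(old_path).lower() != ntpath.dirname(new_path).lower():
        return None
    old_name, new_name = ntpath.basename(old_path), ntpath.basename(new_path)
    if len(new_name) <= len(old_name) or not new_name.lower().startswith(old_name.lower()):
        return None
    suffix = new_name[len(old_name):]
    return suffix if suffix.startswith(".") and len(suffix) > 1 else None


def detect_rename_bursts(events, threshold: int = 50, window: float = 60.0) -> list[RenameBurst]:
    """Flag each (process, extension) pair that appended the same extension to at least
    `threshold` distinct files within any `window`-second span. Threshold and window are
    assumptions for this example; tune them against your own telemetry."""
    grouped = defaultdict(list)  # (pid, image, ext) -> [(ts, old_path)]
    for ev in sorted(events, key=lambda e: e.ts):
        ext = appended_extension(ev.old_path, ev.new_path)
        if ext is not None:
            grouped[(ev.pid, ev.image.lower(), ext.lower())].append((ev.ts, ev.old_path.lower()))

    bursts = []
    for (pid, image, ext), items in grouped.items():
        in_window: deque = deque()          # (ts, path) events not older than `window`
        live = defaultdict(int)             # path -> occurrences inside the window
        for ts, path in items:
            in_window.append((ts, path))
            live[path] += 1
            while ts - in_window[0][0] > window:
                old_ts, old_path = in_window.popleft()
                live[old_path] -= 1
                if live[old_path] == 0:
                    del live[old_path]
            if len(live) >= threshold:      # distinct files, so re-renaming one file does not inflate the count
                bursts.append(RenameBurst(pid, image, ext, len(live), in_window[0][0], ts))
                break                       # one alert per process/extension is enough
    return bursts


def _constructed_events() -> list[RenameEvent]:
    """Constructed file-rename telemetry of the kind an EDR file monitor would emit."""
    ev = []
    # 80 documents renamed to *.locked in 20 seconds by one process: the ransomware pattern
    for i in range(80):
        p = rf"C:\Users\alice\Documents\report_{i}.docx"
        ev.append(RenameEvent(100.0 + i * 0.25, 4242, r"C:\Users\alice\AppData\Local\Temp\payload.exe", p, p + ".locked"))
    # a backup tool that appends .bak to one file every 2 seconds: never 50 distinct files in 60 s
    for i in range(60):
        p = rf"D:\share\db_{i}.mdb"
        ev.append(RenameEvent(200.0 + i * 2.0, 3100, r"C:\Program Files\Backup\backup.exe", p, p + ".bak"))
    # a compiler renaming temp output: the base name changes, so it is not an appended extension
    ev.append(RenameEvent(300.0, 2200, r"C:\tools\cl.exe", r"C:\build\main.tmp", r"C:\build\main.obj"))
    return ev


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for b in detect_rename_bursts(SAMPLE_EVENTS):
        print(f"pid {b.pid} ({b.image}) appended {b.extension} to {b.distinct_files} files in {b.last_ts - b.first_ts:.1f}s")
```

Keying on distinct source paths and on the appended extension is what keeps a legitimate tool that rewrites the same file repeatedly, or that changes base names, from tripping the rule; lowering the threshold shows how quickly the slow backup job starts to look like the encryptor, which is why the window matters as much as the count.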
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
MITRE ATT&CK Enterprise v15
Tactic / Technique (count)
Execution
  Command and Scripting Interpreter (3)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)
Persistence
  Account Manipulation (1)
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Account Manipulation (1)
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  File and Directory Permissions Modification (2)
    Linux and Mac File and Directory Permissions Modification (1)
  Hide Artifacts (3)
    Hidden Files and Directories (2)
    Resource Forking (1)
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
  Indicator Removal (2)
    Clear Persistence (1)
    File Deletion (1)
  Modify Registry (1)
  Subvert Trust Controls (1)
    Gatekeeper Bypass (1)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Discovery
  Browser Information Discovery (1)
  File and Directory Discovery (1)
  Password Policy Discovery (1)
  Permission Groups Discovery (1)
    Local Groups (1)
  Query Registry (3)
  System Information Discovery (4)
  System Location Discovery (1)
    System Language Discovery (1)