General
-
Target
3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402.exe
-
Size
12.0MB
-
Sample
250124-e3gx2s1lal
-
MD5
c5c8d4f5d9f26bac32d43854af721fb3
-
SHA1
e4119a28baa102a28ff9b681f6bbb0275c9627c7
-
SHA256
3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402
-
SHA512
09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828
-
SSDEEP
196608:/CKcbhJ7Th2zINlZGI4KXt8ioZR4KVl8e/BGZfsKu97K1RdF4N/55H+oHVdxv:6f/xG+ifj4KVBZGZfKMP4X5eGXxv
Malware Config
Targets
-
-
Target
3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402.exe
-
Size
12.0MB
-
MD5
c5c8d4f5d9f26bac32d43854af721fb3
-
SHA1
e4119a28baa102a28ff9b681f6bbb0275c9627c7
-
SHA256
3e32145dca0843c6d5258129821afaaeb653ddef7982912fe85ad4b326807402
-
SHA512
09f39bccb210f96788193d597463c75d3213afd21ed93ac8c843f150d7cb8630f941f54cd8737cc88177dadeb479e8181b40a7f5219e40c948ff18d1955b4828
-
SSDEEP
196608:/CKcbhJ7Th2zINlZGI4KXt8ioZR4KVl8e/BGZfsKu97K1RdF4N/55H+oHVdxv:6f/xG+ifj4KVBZGZfKMP4X5eGXxv
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies visiblity of hidden/system files in Explorer
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Rms family
-
Windows security bypass
-
XMRig Miner payload
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Server Software Component: Terminal Services DLL
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s)
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Indicator Removal: Clear Persistence
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
Password Policy Discovery
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
4Hidden Files and Directories
3Hidden Users
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
1Clear Persistence
1Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1