Overview

overview

10

Static

static

7

update.exe

windows7-x64

10

update.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    update.exe

  • Size

    60.2MB

  • Sample

    250130-kczm3awlav

  • MD5

    b77955061c0f46de8059c20128ebb156

  • SHA1

    bd9ba700caec09387bfcf97bd9cc0a2e846836ca

  • SHA256

    ca94c8bbbb10febb8187f8c709affaa91911f646cf0ac99e857bf45b3a709091

  • SHA512

    83f07b66be1138e5f3f1c1f2504d3222bcc1bb1c1626a98e2346408cde7c771a64a998fa38c23ac66097f0b610f70c6309ea914e0c9c95ecff588a385aeb69aa

  • SSDEEP

    1572864:DdjkMwgaV4gRNzu1zCcFA4o/UDDvX94UKfytNxZhDa:FJGuMzuHnXDKfeN5Da

Score
10/10
rmsdefense_evasiondiscoveryexecutionlateral_movementpersistenceprivilege_escalationratthemidatrojanupx

Malware Config

Targets

    • Target

      update.exe

    • Size

      60.2MB

    • MD5

      b77955061c0f46de8059c20128ebb156

    • SHA1

      bd9ba700caec09387bfcf97bd9cc0a2e846836ca

    • SHA256

      ca94c8bbbb10febb8187f8c709affaa91911f646cf0ac99e857bf45b3a709091

    • SHA512

      83f07b66be1138e5f3f1c1f2504d3222bcc1bb1c1626a98e2346408cde7c771a64a998fa38c23ac66097f0b610f70c6309ea914e0c9c95ecff588a385aeb69aa

    • SSDEEP

      1572864:DdjkMwgaV4gRNzu1zCcFA4o/UDDvX94UKfytNxZhDa:FJGuMzuHnXDKfeN5Da

    Score
    10/10
    rmsdefense_evasiondiscoveryexecutionlateral_movementpersistenceprivilege_escalationratthemidatrojanupx

    • Modifies Windows Defender Real-time Protection settings

      defense_evasiontrojan

    • Modifies visiblity of hidden/system files in Explorer

      defense_evasion

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Rms family

      rms

    • UAC bypass

      defense_evasiontrojan

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

      lateral_movement

    • Blocklisted process makes network request

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      defense_evasion

    • Drops file in Drivers directory

    • Modifies RDP port number used by Windows

    • Modifies Windows Firewall

      defense_evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Stops running service(s)

      defense_evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

      defense_evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

File and Directory Permissions Modification

1
T1222

Hide Artifacts

2
T1564

Hidden Files and Directories

1
T1564.001

Hidden Users

1
T1564.002

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Modify Registry

7
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Query Registry

5
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Time Discovery

1
T1124

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Remote Service Session Hijacking

1
T1563

RDP Hijacking

1
T1563.002

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks