General

  • Target

    RTC_Launcher.exe

  • Size

    642KB

  • Sample

    250328-sb2p2axwdz

  • MD5

    aa4a09b39e2f72a5de8a474893930b0b

  • SHA1

    2dd5a014d3a1bc46e5caa0f64fdf6367e2d1fd75

  • SHA256

    8f7a2e285633068b4aaac96a8c0335c6e015cbe1f297b9a67b71c20505b743c4

  • SHA512

    97488b8cddb73d34daa9775cfe617ccd045ad009ca5b069c967c5efef8f6a6c1b86f5521d6b5eb49c232d69fe75c6d5a7e62bd915f316326a5941e5d3ca85b45

  • SSDEEP

    12288:ENoZIcBkqjVnl36ud0zR/6CtQ9PUHIG8DZ:2oZzkqjVnlqud+/2P+A

Malware Config

Targets

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks