Overview

overview

10

Static

static

7

Setup-pass...up.exe

windows7-x64

10

Setup-pass...up.exe

windows10-2004-x64

10

Setup-pass...up.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Setup-pass-2024.zip

  • Size

    220.1MB

  • Sample

    240614-wan94azgne

  • MD5

    4492dd761c82f68cd73b6251526cfa2f

  • SHA1

    369ec52dbaa9bb23239a72da30e05dcba44ec1ee

  • SHA256

    0f03e2c3dd7ee9b656858db0aa799d3488dcce581d3f0ca03ee76b198f900432

  • SHA512

    dff81194294aeb055e9deae39a0da4d21baba9b8eb9fd8a206980c206a5f56931795b2afc603711f2cfb092332136b92b62d4b6d1f1765f1540c99678cbf3d9a

  • SSDEEP

    6291456:AtpmBQZgKhVsT38T19Ml6SmxXpco3IB6pMfvVqmM:+pmBOgQiTu2Arx513IB6MvVqmM

Score
10/10
rmsdiscoveryevasionexecutionpersistenceratthemidatrojan

Malware Config

Targets

    • Target

      Setup-pass-2024/Setup.exe

    • Size

      4.2MB

    • MD5

      320e2e055e06df0aca09643116b3ef89

    • SHA1

      cfc8e9f6140a9b04f8a3b240bbace0ec845a3196

    • SHA256

      838f122a6e751fb3ffd45c48ea86374b0938ac70ffb6e05b1715f2de1f9bb04e

    • SHA512

      5b40dcee0f08dd52cf9339197af1e19cbd99e576c8ece9eabefe4caf2fbfb11d95541035c1940c0017d1a020bfe9b14d5889d39610ee205809ab4b3982af34ae

    • SSDEEP

      98304:t4mwM0MziYrBZUt8qxSiUIHrCPmYs3wP46U9Fu2DpECdko5M7gfYF:Wq0Wb0P6ILFW6uIEAE7g4

    Score
    10/10
    rmsdiscoveryevasionexecutionpersistenceratthemidatrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies Windows Defender notification settings

      evasiontrojan

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Sets DLL path for service in the registry

      persistence

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

5
T1112

Impair Defenses

4
T1562

Disable or Modify Tools

2
T1562.001

Disable or Modify System Firewall

1
T1562.004

Virtualization/Sandbox Evasion

1
T1497

File and Directory Permissions Modification

1
T1222

Credential Access

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

5
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks