General

  • Target

    m.png

  • Size

    27KB

  • Sample

    221129-j9hv5seh71

  • MD5

    c68b317152e8958dbaf191a41cee9d91

  • SHA1

    0b41509d3e80d47cb890a784ad5b27c37694afb6

  • SHA256

    b8aa7341d47088c57856c6709de7ffb6ad1b9d922af4c1827562b7a14a621fe4

  • SHA512

    1c52c040032a8d703ecd09727137aa451378bd9867d7bf8fd02daa74de17bf974820e5d869337d6c42348d73aabc9f23a5fa9b5ef052d4b4b0fb7c5c0b7a0b6a

  • SSDEEP

    384:C78+NH0Z6Ts3A1vZMthIYVVOkYszmIbejonFuXVep80AqPFfsivzddLHbzSYLAQA:C71N/mhnV49sqIaEFu0AqP1sETLbzZG

Malware Config

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note
User's Manual
~~~~~~~~~~~~~

RAR 6.02 console version
~~~~~~~~~~~~~~~~~~~~~~~~

=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Welcome to the RAR Archiver!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Introduction
~~~~~~~~~~~~

RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual.

RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode.

While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe).

Configuration file
~~~~~~~~~~~~~~~~~~

RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory.

RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file.

This file may contain the following string:

  switches=<any RAR switches separated by spaces>

For example:

  switches=-m5 -s

It is also possible to specify separate switch sets for individual RAR commands using the following syntax:

  switches_<command>=<any RAR switches separated by spaces>

For example:

  switches_a=-m5 -s
  switches_x=-o+

Environment variable
~~~~~~~~~~~~~~~~~~~~

Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile:

  RAR='-s -md1024'
  export RAR

RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size.

RAR handles options with priority as following:

  command line switches                  highest priority
  switches in the RAR variable           lower priority
  switches saved in configuration file   lowest priority

Log file
~~~~~~~~

If the switch -ilog is specified in the command line or configuration file, RAR will write informational messages, concerning errors encountered while processing archives, into a log file. Read switch -ilog description for more details.

The file order list for solid archiving - rarfiles.lst
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'.

In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc.

Tips to provide improved compression and speed of operation:

  - similar files should be grouped together in the archive;
  - frequently accessed files should be placed at the beginning.

Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'.

RAR command line syntax
~~~~~~~~~~~~~~~~~~~~~~~

Syntax

  RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ]

Description

Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted.

Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings:

  c:\work\doc\*.txt     //backup text documents
  c:\work\image\*.bmp   //backup pictures
  c:\work\misc

and then run:

  rar a backup @backup.lst

If you wish to read file names from stdin (standard input), specify the empty listfile name (just @).

By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch.

You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files.

path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in x and e commands. This directory is created by RAR if it does not exist yet.

Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting.

In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory:

  rar e '*.rar' '*.asm'

Command could be any of the following:

  a     Add files to archive.

        Examples:

        1) add all *.hlp files from the current directory to the archive help.rar:

             rar a help *.hlp

        2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume:

             rar a -r -v362 -s -sfx -rr save

           Because no file names are specified, all files (*) are assumed.

        3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing backslash, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar:

             rar a Pictures.rar Bitmaps

        4) if directory name includes file masks or trailing backslashes, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified:

             rar a Pictures.rar Bitmaps\*

  c     Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB.

        Examples:

          rar c distrib.rar

        Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file:

          rar c -zinfo.txt dummy

  ch    Change archive parameters.

        This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command.

        It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If used without any switches, 'ch' command just copies the archive data without modification.

        Example:

        Set archive time to latest file:

          rar ch -tl files.rar

  cw    Write archive comment to specified file.

        Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout.

        Examples:

        1) rar cw arc comment.txt
        2) rar cw -scuc arc unicode.txt
        3) rar cw arc

  d     Delete files from archive. If this command removes all files from archive, the empty archive is removed.

  e     Extract files without archived paths.

        Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames.

        Example:

          rar e -or html.rar *.css css\

        extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name.

  f     Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive.

  i[i|c|h|t]=<string>
        Find string in archives.

        Supports following optional parameters:

          i - case insensitive search (default);
          c - case sensitive search;
          h - hexadecimal search;
          t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables;

        If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string>

        It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables.

        Examples:

        1) rar "ic=first level" -r c:\*.rar *.txt

           Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c:

        2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar

           Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory.

  k     Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups.

        This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR.

        Example:

          rar k final.rar

  l[t[a],b]
        List archive contents [technical [all], bare].

        'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character.

        'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters.

        'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data.

        'lb' lists bare file names with path, one per line, without any additional information.

        You can use -v switch to list contents of all volumes in volume set:

          rar l -v vol.part1.rar

        Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly.

  m[f]  Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied.

  p     Print file to stdout. You may use this command together with -inul switch to disable all RAR messages and print only file data. It may be important when you need to send a file to stdout for use in pipes.

  r     Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name.

        If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present.

        When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name.

        By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory.

        Example:

          rar r buggy.rar c:\fixed\

        repair buggy.rar and place the result to 'c:\fixed' directory.

  rc    Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing volume as the archive name, for example, 'rar rc backup.part03.rar'

        Read 'rv' command description for information about recovery volumes.

  rn    Rename archived files.

        The command syntax is:

          rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN>

        For example, the following command:

          rar rn data.rar readme.txt readme.bak info.txt info.bak

        will rename readme.txt to readme.bak and info.txt to info.bak in the archive data.rar.

        It is allowed to use wildcards in the source and destination names for simple name transformations like changing file
Emails

-n@inclist.txt

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note
WinRAR - What's new in the latest version

Version 6.02

1. ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body. We already prohibited extracting contents of such malformed archives in WinRAR 6.01. We are thankful to Jacob Thompson - Mandiant Advantage Labs for reporting this issue.

2. WinRAR uses https instead of http in the web notifier window, home page and themes links. It also implements additional checks within the web notifier. This is done to prevent a malicious web page from executing existing files on a user's computer. Such attack is only possible if the intruder has managed to spoof or otherwise control user's DNS records. Some other factors are also involved in limiting the practical application of this attack. We would like to express our gratitude to Igor Sak-Sakovskiy for bringing this issue to our attention.

3. Where appropriate, SFX archive displays the additional line with detailed error information provided by operating system. For example, previously such archive would display "Cannot create file" message alone. Now this message is followed by a detailed reason like access denied or file being used by another process. In the past this extended error information was available in WinRAR, but not in SFX archives.

4. Switch -idn hides archived names also in 'v' and 'l' commands. It can be useful if only the archive type or total information is needed.

5. If -ibck -ri<priority> switches are used together, WinRAR process sets the priority specified in -ri switch. Previous versions ignored -ri and set the priority to low in the presence of -ibck switch.

6. When using "File/Change drive" command, WinRAR saves the last folder of previous drive and restores it if that drive is selected again later.

7. Name of unpacking file is now included into WinRAR incorrect password warning for RAR5 archives. It can be helpful when unpacking a non-solid archive containing files encrypted with different passwords.

8. Bugs fixed:

   a) "Convert archives" command issued erroneous "The specified password is incorrect" message after successfully converting RAR archive with encrypted file names if new password was set and archive was opened in WinRAR shell;

   b) if command progress window was resized up and then quickly resized down to original dimensions, window contents could be positioned incorrectly.

Version 6.01

1. Ctrl+A keyboard shortcut selects the entire text in WinRAR comment window.

2. If -idn switch is used together with -t or -df in console RAR when archiving, it additionally disables "Deleting <filename>" or "Testing <filename>" messages, normally issued by these switches. Also -idn disables folder creation messages when extracting a file to non-existing folder.

3. WinRAR and ZIP SFX module refuse to extract contents of ZIP SFX archives if ZIP central directory is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into signature body.

4. Bugs fixed:

   a) "Convert archives" command could incorrectly convert Unicode comments in RAR archives.

   b) if two archive information windows had been opened from Explorer context menu, the compression ratio bar in the first window could erroneously display a value for second archive. It did not affect the ratio and other text details at the right of window. Only the vertical bar at the left could be updated to a wrong value;

   c) if "Wait if other WinRAR copies are active" option was enabled in extraction dialog, "Waiting for another WinRAR copy" title was not set in command progress window while waiting;

   d) when extracting a symbolic link, previous versions did not overwrite existing symbolic links even if user requested it in overwrite prompt.

Version 6.00

1. "Ignore" and "Ignore All" options are added to read error prompt. "Ignore" allows to continue processing with already read file part only and "Ignore All" does it for all future read errors. For example, if you archive a file, which portion is locked by another process, and if "Ignore" is selected in read error prompt, only a part of file preceding the unreadable region will be saved into archive. It can help to avoid interrupting lengthy archiving operations, though be aware that files archived with "Ignore" are incomplete. If switch -y is specified, "Ignore" is applied to all files by default. Previously available "Retry" and "Quit" options are still present in read error prompt as well.

2. Exit code 12 is returned in the command line mode in case of read errors. This code is returned for all options in the read error prompt, including a newly introduced "Ignore" option. Previously more common fatal error code 2 was returned for read errors.

3. If several archives are selected, "Extract archives to" option group in "Options" page of extraction dialog can be used to place extracted files to specified destination folder, to separate subfolders in destination folder, to separate subfolders in archive folders and directly to archive folders. It replaces "Extract archives to subfolders" option and available only if multiple archives are selected.

4. New -ad2 switch places extracted files directly to archive's own folder. Unlike -ad1, it does not create a separate subfolder for each unpacked archive.

5. "Additional switches" option in "Options" page of archiving and extraction dialogs allows to specify WinRAR command line switches. It might be useful if there is no option in WinRAR graphical interface matching a switch. Use this feature only if you are familiar with WinRAR command line syntax and clearly understand what specified switches are intended for.

6. Compression parameters in "Benchmark" command are changed to 32 MB dictionary and "Normal" method. They match RAR5 default mode and more suitable to estimate the typical performance of recent WinRAR versions than former 4 MB "Best" intended for RAR4 format. Latest "Benchmark" results cannot be compared with previous versions directly. New parameters set produces different values, likely lower because of eight times larger dictionary size.

7. When unpacking a part of files from solid volume set, WinRAR attempts to skip volumes in the beginning and start extraction from volume closest to specified file and with reset solid statistics. By default WinRAR resets the solid statistics in the beginning of large enough solid volumes where possible. For such volumes extracting a part of files from the middle of volume set can be faster now. It does not affect performance when all archived files are unpacked.

8. Previously WinRAR automatically resorted to extracting from first volume, when user started extraction from non-first volume and first volume was available. Now WinRAR does so only if all volumes between first and specified are also available.

9. Warning is issued when closing WinRAR if one or more archived files had been modified by external apps, but failed to be saved back to archive, because an external app still locks them. Such warning includes the list of modified files and proposes to quit immediately and lose changes or return to WinRAR and close an editor app. Previous versions issued a similar warning while editing a file, but did not remind it again when quitting.

10. "Move to Recycle Bin" option in "Delete archive" options group of extraction dialog places deleted archives to Recycle Bin instead of deleting them permanently.

11. New "Clear history..." command in "Options" menu allows to remove names of recently opened archives in "File" menu and clear drop down lists with previously entered values in dialogs. For example, these values include archive names in archiving dialog and destination paths in extraction dialog.

12. "File time" options in "Advanced" part of extraction dialog are now available for 7z archives. Additionally to modification time, WinRAR can set creation and last access time when unpacking such archives.

13. ""New" submenu items" options group is added to "Settings/Integration/Context menu items..." dialog. You can use these options to remove "WinRAR archive" and "WinRAR ZIP archive" entries in "New" submenu of Windows context menu. New state of these option is applied only after you press "OK" both in "Context menu items" and its parent "Settings" dialog.

14. <Max>, <Min> and <Hide> commands can be inserted before the program name in SFX "Setup" command to run a program in maximized, minimized or hidden window. For example:

    Setup=<Hide>setup.exe

15. It is possible to specify an additional high resolution logo for SFX module. If such logo is present, SFX module scales and displays it in high DPI Windows mode, providing the better visible quality compared to resizing the standard logo. Use "High resolution SFX logo" in "Advanced SFX options" dialog to define such logo. In command line mode add second -iimg switch to set the high resolution logo. Recommended size of high resolution logo PNG file is 186x604 pixels.

16. If archive currently opened in WinRAR shell was deleted or moved by another program, WinRAR displays "Inaccessible" before archive name in the window title. Also it flashes the window caption and taskbar button.

17. "Total information" option in "Report" dialog is renamed to "Headers and totals". Now it also adds headers of report columns additionally to total information about listed files and archives.

18. If archive processing is started from Windows context menu in multiple monitor system, WinRAR operation progress and dialogs use the monitor with context menu. While basic multiple monitor support was present in previous versions shell extension for mouse driven commands, now it is extended to operations initiated from keyboard and to dropping files to archives.

19. New -imon<number> switch allows to select a monitor to display WinRAR operation progress and dialogs in the command line mode. Use -imon1 for primary and -imon2 for secondary monitor. For example, "WinRAR x -imon2 arcname" will start extraction on secondary monitor. It works only in the command line mode and does not affect interactive WinRAR graphical interface also as console RAR.

20. Switch -idn hides archived names output in archiving, extraction and some other commands in console RAR. Other messages and total percentage are not affected. You can use this switch to reduce visual clutter and console output overhead when archiving or extracting a lot of small files. Minor visual artifacts, such as percentage indicator overwriting few last characters of error messages, are possible with -idn.

21. Former "-im - show more information" switch is changed to "-idv - display verbose output" for consistency with console RAR -id[c,d,p,q] message control options and avoid a potential name conflict with newer -imon switch. While WinRAR still recognizes both -im and -idv, in the future -im support can be dropped.

22. It is allowed to add an optional %arcname% variable to compression profile name. Such variable will be replaced with actual archive name. It might be convenient when using with "Add to context menu" profile option. For example, you can create ZIP compression profile and set its name to "Add to %arcname%", to display it with actual ZIP archive name in context menu.

23. Ctrl+C and Ctrl+Ins keyboard shortcuts can be used in "Diagnostic messages" window to copy contents to clipboard.

24. More text is allowed in tray icon hint before a lengthy text is truncated. Also such text is now truncated in the middle of string, so both command type and completion percentage are still visible.

25. In case of clean install, if previous version compression profiles are not present, "Files to store without compression" field in newly created predefined compression profiles is set to:

    *.rar *.zip *.cab *.7z *.ace *.arj *.bz2 *.gz *.lha *.lzh *.taz *.tgz *.xz *.txz

    You can change this field and save a modified value to compression profile later. Previous versions set this field to blank for clean install.

26. Destination path history in extraction dialog treats paths like 'folder' and 'folder\' as the same path and displays only 'folder' entry. Previously they occupied two entries in the history.

27. "Enable Itanium executable compression" GUI option and -mci command line switch are removed. Optimized compression of Itanium executables is not supported anymore. WinRAR still can decompress already existing archives utilizing Itanium executable compression.

28. Bugs fixed:

    a) "Lock", "Comment" and "Protect" commands could not be applied to several archives selected in WinRAR file list at once;

    b) SFX archive process did not terminate after completing extraction in Windows 10 if archive comment included "Setup" and "SetupCode" commands, did not include "TempMode" command and setup program was running for more than 8 minutes;

    c) compression profiles with quote character in profile name could not be invoked from Explorer context menu.

Version 5.91

1. Dialogs are centered inside of WinRAR window similarly to WinRAR 5.80 and not inside of entire screen as in WinRAR 5.90.

2. When editing an archived file with external software, extra measures are taken to reduce the probability of interfering with editor and opening its temporary files while editor still may need them.

3. "Version to extract" field in archive properties opened from Windows Explorer context menu provides the additional information about ZIP compression and encryption algorithms, such as LZMA or AES. This information was already available in WinRAR "Info" command, but missed in archive information accessible from Windows Explorer.

4. "MS DOS" and "Unix" host OS types are recognized and included for LZH archives in "Info" command. Previously the host OS field was always "Unknown" for LZH archive format.

5. Files created by external editor and matching "Settings/Viewer/ Ignore modifications for" masks are never added to archive. Previously WinRAR still added them if some file not matching these masks was also created or modified.

6. Bugs fixed:

   a) empty file names were displayed inside of some Unix LZH archives;

   b) WinRAR could not process more than 999 7z volumes in a single set;

   c) if user cancelled the user account control prompt after changing "Integrate WinRAR into shell" option, a new state of this option
URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

https://technet.microsoft.com/en-us/library/security/ms14-064.aspx

http://rarlab.com/vuln_sfx_html2.htm

Targets

    • Target

      m.png

    • Size

      27KB

    • MD5

      c68b317152e8958dbaf191a41cee9d91

    • SHA1

      0b41509d3e80d47cb890a784ad5b27c37694afb6

    • SHA256

      b8aa7341d47088c57856c6709de7ffb6ad1b9d922af4c1827562b7a14a621fe4

    • SHA512

      1c52c040032a8d703ecd09727137aa451378bd9867d7bf8fd02daa74de17bf974820e5d869337d6c42348d73aabc9f23a5fa9b5ef052d4b4b0fb7c5c0b7a0b6a

    • SSDEEP

      384:C78+NH0Z6Ts3A1vZMthIYVVOkYszmIbejonFuXVep80AqPFfsivzddLHbzSYLAQA:C71N/mhnV49sqIaEFu0AqP1sETLbzZG

    • Modifies system executable filetype association

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Registers COM server for autorun

    • Sets file execution options in registry

    • Sets service image path in registry

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                           Count  ID
--------------------  ----------------------------------  -----  -----
Execution             Command-Line Interface              1      T1059
Persistence           Change Default File Association     1      T1042
Persistence           New Service                         1      T1050
Persistence           Registry Run Keys / Startup Folder  5      T1060
Persistence           Modify Existing Service             1      T1031
Persistence           Browser Extensions                  1      T1176
Persistence           Bootkit                             1      T1067
Privilege Escalation  New Service                         1      T1050
Defense Evasion       Modify Registry                     9      T1112
Defense Evasion       Impair Defenses                     1      T1562
Defense Evasion       Virtualization/Sandbox Evasion      1      T1497
Defense Evasion       Install Root Certificate            1      T1130
Credential Access     Credentials in Files                2      T1081
Discovery             Query Registry                      9      T1012
Discovery             System Information Discovery        10     T1082
Discovery             Virtualization/Sandbox Evasion      1      T1497
Discovery             Security Software Discovery         1      T1063
Discovery             Peripheral Device Discovery         3      T1120
Collection            Data from Local System              2      T1005
Impact                Service Stop                        1      T1489
Impact                Defacement                          1      T1491