General
Target
https://filecr.com/windows/kms-matrix/?id=740765880000
Sample
230822-3llfxahf7v
Score
10/10
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://filecr.com/windows/kms-matrix/?id=740765880000
Resource
win10v2004-20230703-en
34 signatures
1800 seconds
Malware Config
Targets
Target
https://filecr.com/windows/kms-matrix/?id=740765880000
Score
10/10
Modifies WinLogon for persistence
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Winlogon Helper DLL (1)
Create or Modify System Process (3)
Windows Service (3)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Winlogon Helper DLL (1)
Create or Modify System Process (3)
Windows Service (3)
Defense Evasion
Hide Artifacts (1)
Hidden Files and Directories (1)
Impair Defenses (1)
Modify Registry (2)