General

  • Target

    clippy.png

  • Size

    12KB

  • Sample

    240502-vgnfpsda2y

  • MD5

    b3d02d1a6c98e7f958f54bebd1494f20

  • SHA1

    ebb12e928eb675204a0975842f057904cba91fa3

  • SHA256

    94108bed7f7a12a203282b5cfd8e1c85127f5888a434d2b8bf2c558ffda032c7

  • SHA512

    0ac44d8dffefcb0a670543a18c84ad357228f871fa5be3180994e5f148a5b56be01cd536befe617028ef6237bf093c44135ca1d15f3d1b243d7026cc9c648b88

  • SSDEEP

    384:U3qq/5SNbChFzYg2jqM2skhaSbgaItj49r:Yj/oRChJYgM/hSbgaIt8

Malware Config

Targets

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • UAC bypass

    • Manipulates Digital Signatures

      Attackers can alter the Authenticode and Cryptography registry keys so that their unsigned or badly signed binary is treated as validly signed.

    • Modifies AppInit DLL entries

    • Modifies Installed Components in the registry

    • Modifies RDP port number used by Windows

    • Registers new Print Monitor

    • Sets DLL path for service in the registry

    • Sets file execution options in registry

    • Sets service image path in registry

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Modifies system executable filetype association

    • Registers COM server for autorun

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry
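
Most of the signatures above are registry writes, so a responder can confirm or refute them on a live host by reading the same locations. The script below is an added example written for this page; it is not part of the sandbox report or its signature engine. It is read-only and runs in an elevated PowerShell on the suspect machine. The registry paths are the standard Windows ones; the "expected" baselines (BootExecute of "autocheck autochk *", Shell of explorer.exe, Userinit ending in "userinit.exe,", empty AppInit_DLLs, LimitBlankPasswordUse and EnableLUA of 1, RDP PortNumber 3389) come from general knowledge of clean installs, not from anything observed for this sample, and the choice of Policies\Explorer\Run as the key behind the "loaded by Explorer.exe on startup" signature is an assumption. The path-based rules for services, Active Setup stubs and print monitors are heuristics and are labelled as such.

```powershell
# Added example, not part of the sandbox report: read-only registry triage for
# the persistence and hardening changes the signatures above describe.
# Run elevated on the suspect host; it modifies nothing.
# Baselines are clean-install defaults from general Windows knowledge,
# not values observed for this sample.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Location, $Value, [string]$Why) {
  $findings.Add([pscustomobject]@{ Location = $Location; Value = [string]$Value; Why = $Why })
}

# 1. Single values with a known-good baseline: report any deviation.
$baseline = @(
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name = 'BootExecute';
     Expect = '^autocheck autochk \*$'; Why = 'Session Manager: extra BootExecute entry runs before logon' },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';
     Expect = '^explorer\.exe$'; Why = 'Winlogon Shell replaced or chained' },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit';
     Expect = '\\userinit\.exe,$'; Why = 'Winlogon Userinit chained to another executable' },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'AppInit_DLLs';
     Expect = '^$'; Why = 'AppInit DLL injected into every process that loads user32.dll' },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LimitBlankPasswordUse';
     Expect = '^1$'; Why = '0 allows network logon with blank local passwords' },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';
     Expect = '^1$'; Why = 'UAC disabled' },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'PortNumber';
     Expect = '^3389$'; Why = 'RDP moved off the default port' },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall';
     Expect = '^1$'; Why = 'firewall policy disabled' }
)
foreach ($b in $baseline) {
  $p = Get-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue
  $v = if ($null -ne $p) { [string]$p.($b.Name) } else { '<missing>' }   # MULTI_SZ joins with spaces
  if ($v -notmatch $b.Expect) { Add-Finding "$($b.Path)\$($b.Name)" $v $b.Why }
}

# 2. Values with no universal baseline (Windows hides extensions by default): record them.
$report = @(
  @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', 'HideFileExt',     'extension visibility (1 = hidden, so x.png.exe shows as x.png)'),
  @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', 'Hidden',          'hidden files (2 = not shown)'),
  @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', 'ShowSuperHidden', 'protected OS files (0 = hidden)'),
  @('HKCU:\Control Panel\Desktop',                                        'Wallpaper',       'desktop wallpaper path')
)
foreach ($r in $report) {
  $p = Get-ItemProperty -Path $r[0] -Name $r[1] -ErrorAction SilentlyContinue
  Add-Finding "$($r[0])\$($r[1])" $(if ($p) { $p.($r[1]) } else { '<missing>' }) $r[2]
}

# 3. Autorun keys: every entry deserves a look, so list them all.
#    Policies\Explorer\Run is assumed to be the key behind the "loaded by Explorer.exe" signature.
$autoruns = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($k in $autoruns) {
  $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
  if ($p) {
    $p.PSObject.Properties | Where-Object { $_.Name -notin $psNoise } |
      ForEach-Object { Add-Finding "$k\$($_.Name)" $_.Value 'autorun entry' }
  }
}

# 4. Subkey-based persistence: IFEO debuggers, Active Setup stubs, print monitors,
#    BHOs, and services whose binary lives outside the usual directories (heuristics).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
  $d = (Get-ItemProperty $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
  if ($d) { Add-Finding "$ifeo\$($_.PSChildName)\Debugger" $d 'IFEO: launching this exe runs the debugger instead' }
}
$asetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem $asetup -ErrorAction SilentlyContinue | ForEach-Object {
  $s = (Get-ItemProperty $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
  if ($s -and $s -notmatch '(?i)\\(Windows|Program Files)') { Add-Finding "$asetup\$($_.PSChildName)\StubPath" $s 'Active Setup stub outside Windows/Program Files (heuristic)' }
}
$mon = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
Get-ChildItem $mon -ErrorAction SilentlyContinue | ForEach-Object {
  $drv = (Get-ItemProperty $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
  # Stock monitors register a bare DLL name resolved from system32; an explicit path is unusual.
  if ($drv -and $drv -match '\\') { Add-Finding "$mon\$($_.PSChildName)\Driver" $drv 'print monitor DLL given as a full path (heuristic)' }
}
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bho -ErrorAction SilentlyContinue | ForEach-Object {
  $srv = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
  Add-Finding "$bho\$($_.PSChildName)" $srv 'BHO registered; DLL taken from the CLSID InprocServer32 default value'
}
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
  $img = (Get-ItemProperty $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
  $dll = (Get-ItemProperty "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
  foreach ($bin in @($img, $dll)) {
    if ($bin -and $bin -notmatch '(?i)(\\Windows\\|\\Program Files|SystemRoot|^system32\\)') {
      Add-Finding "Services\$($_.PSChildName)" $bin 'service ImagePath/ServiceDll outside Windows or Program Files (heuristic)'
    }
  }
}

$findings | Sort-Object Why | Format-Table -AutoSize -Wrap
```

Signatures that only read the registry (BIOS strings, the configured country code, Uninstall entries, mapped drives) leave no write artifact, so this script cannot confirm them; those come from the sandbox's API trace or a process monitor capture. The heuristic checks in section 4 will also surface legitimate third-party software on a busy host, so treat that output as a review list rather than a verdict.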

MITRE ATT&CK Enterprise v15

Tasks