General
Target: clippy.png
Size: 12KB
Sample: 240502-vgnfpsda2y
MD5: b3d02d1a6c98e7f958f54bebd1494f20
SHA1: ebb12e928eb675204a0975842f057904cba91fa3
SHA256: 94108bed7f7a12a203282b5cfd8e1c85127f5888a434d2b8bf2c558ffda032c7
SHA512: 0ac44d8dffefcb0a670543a18c84ad357228f871fa5be3180994e5f148a5b56be01cd536befe617028ef6237bf093c44135ca1d15f3d1b243d7026cc9c648b88
SSDEEP: 384:U3qq/5SNbChFzYg2jqM2skhaSbgaItj49r:Yj/oRChJYgM/hSbgaIt8
Static task: static1
Behavioral task: behavioral1
Sample: clippy.png
Resource: win10v2004-20240419-en

Malware Config

Targets
Target: clippy.png
Size: 12KB
MD5: b3d02d1a6c98e7f958f54bebd1494f20
SHA1: ebb12e928eb675204a0975842f057904cba91fa3
SHA256: 94108bed7f7a12a203282b5cfd8e1c85127f5888a434d2b8bf2c558ffda032c7
SHA512: 0ac44d8dffefcb0a670543a18c84ad357228f871fa5be3180994e5f148a5b56be01cd536befe617028ef6237bf093c44135ca1d15f3d1b243d7026cc9c648b88
SSDEEP: 384:U3qq/5SNbChFzYg2jqM2skhaSbgaItj49r:Yj/oRChJYgM/hSbgaIt8
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Manipulates Digital Signatures
  Attackers can modify the Authenticode and Cryptography registry keys (the SIP and trust-provider entries used for signature verification) so that their binary is treated as validly signed.
- Modifies AppInit DLL entries
- Modifies Installed Components in the registry
- Modifies RDP port number used by Windows
- Registers new Print Monitor
- Sets DLL path for service in the registry
- Sets file execution options in registry
- Sets service image path in registry
- Uses Session Manager for persistence
  Creates a Session Manager registry key to run an executable early in system boot.
- Allows Network login with blank passwords
  Allows local user accounts with blank passwords to access the device from the network.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Maps connected drives based on registry
  Reads disk information from the registry; this is often done to detect sandboxing environments.
- Modifies WinLogon
- Drops file in System32 directory
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15
(numbers in parentheses are the count of matching signatures)

Persistence
  Boot or Logon Autostart Execution (12)
    Registry Run Keys / Startup Folder (10)
    Winlogon Helper DLL (2)
  Browser Extensions (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Change Default File Association (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (12)
    Registry Run Keys / Startup Folder (10)
    Winlogon Helper DLL (2)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Change Default File Association (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (26)
  Subvert Trust Controls (2)
    Install Root Certificate (1)
    SIP and Trust Provider Hijacking (1)