General
-
Target
http://
-
Sample
240523-mwpy3sdf3x
Malware Config
Targets
-
-
Target
http://
Score10/10-
Adds autorun key to be loaded by Explorer.exe on startup
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Modifies visiblity of hidden/system files in Explorer
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies Installed Components in the registry
-
Registers new Print Monitor
-
Sets file execution options in registry
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
6Registry Run Keys / Startup Folder
5Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Change Default File Association
1Browser Extensions
1Privilege Escalation
Boot or Logon Autostart Execution
6Registry Run Keys / Startup Folder
5Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Modify Registry
13Hide Artifacts
1Hidden Files and Directories
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1