General
-
Target
https://cdn.discordapp.com/attachments/1238808121997135882/1238808310379970570/0_Delay.bat?ex=6651c525&is=665073a5&hm=c243941707ce1fa10df50ea6fb1f9a8862e3603a58c6998beb8a939a694581f0&
-
Sample
240524-r6nk8aaa23
Malware Config
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1238808121997135882/1238808310379970570/0_Delay.bat?ex=6651c525&is=665073a5&hm=c243941707ce1fa10df50ea6fb1f9a8862e3603a58c6998beb8a939a694581f0&
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Modifies visibility of file extensions in Explorer
-
Turns off Windows Defender SpyNet reporting
-
UAC bypass
-
Modifies boot configuration data using bcdedit
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Modifies Installed Components in the registry
-
Sets file execution options in registry
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9