Resubmissions

General

  • Target: WINDESTROYER.A.exe
  • Size: 151KB
  • Sample: 240603-wprc1afe75
  • MD5: a0fcb3f9e573ccb6a995bc9991e892d2
  • SHA1: cf66277d5817b76623d36a6a444faf1489f58e98
  • SHA256: f42706eac695555ffa4c52cf244869d6bc7ebc9c4d2a2875534e0d7acfc99092
  • SHA512: 6d1d93e53cdf322c402779f5ef10affb3d8bcdd154c77cd83331cf227542c62ec58633f9c2bdc0732cc0dc762b65432dab65ca868283b9df382bf63ef9edad20
  • SSDEEP: 3072:73p3cG+mgYaU8EE7EEPEEXEEwEEEEEE+EEEEEEnEEEEEEDEEEEEEBEEEEEEJEEEa:mg7aU

Malware Config

Targets

    • Target: WINDESTROYER.A.exe (151KB)


    • UAC bypass
    • Blocklisted process makes network request
    • Disables RegEdit via registry modification
    • Disables Task Manager via registry modification
    • Modifies Windows Firewall
    • Executes dropped EXE
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Create or Modify System Process (T1543) ×1
      • Windows Service (T1543.003) ×1
  • Boot or Logon Autostart Execution (T1547) ×1
      • Registry Run Keys / Startup Folder (T1547.001) ×1
  • Pre-OS Boot (T1542) ×1
      • Bootkit (T1542.003) ×1

Privilege Escalation

  • Abuse Elevation Control Mechanism (T1548) ×1
      • Bypass User Account Control (T1548.002) ×1
  • Create or Modify System Process (T1543) ×1
      • Windows Service (T1543.003) ×1
  • Boot or Logon Autostart Execution (T1547) ×1
      • Registry Run Keys / Startup Folder (T1547.001) ×1

Defense Evasion

  • Abuse Elevation Control Mechanism (T1548) ×1
      • Bypass User Account Control (T1548.002) ×1
  • Impair Defenses (T1562) ×2
      • Disable or Modify Tools (T1562.001) ×1
      • Disable or Modify System Firewall (T1562.004) ×1
  • Modify Registry (T1112) ×3
  • Pre-OS Boot (T1542) ×1
      • Bootkit (T1542.003) ×1
  • Hide Artifacts (T1564) ×1
      • Hidden Files and Directories (T1564.001) ×1

Discovery

  • System Information Discovery (T1082) ×5
  • Query Registry (T1012) ×4
  • Peripheral Device Discovery (T1120) ×1

Tasks