General
-
Target
EFI_[unknowncheats.me]_.zip
-
Size
22B
-
Sample
240718-ah91wawelp
-
MD5
76cdb2bad9582d23c1f6f4d868218d6c
-
SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
-
SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
-
SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
Static task
static1
Behavioral task
behavioral1
Sample
EFI_[unknowncheats.me]_.zip
Resource
win10v2004-20240709-en
Malware Config
Targets
-
-
Target
EFI_[unknowncheats.me]_.zip
-
Size
22B
-
MD5
76cdb2bad9582d23c1f6f4d868218d6c
-
SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
-
SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
-
SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
-
Modifies WinLogon for persistence
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Hide Artifacts: Hidden Users
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
3Hidden Files and Directories
2Hidden Users
1Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
1Safe Mode Boot
1Modify Registry
5