General
-
Target
https://cdn.discordapp.com/attachments/898568244867248158/1275147670406692916/EXM_Free_Tweaking_Utility_V5.bat?ex=66c4d54f&is=66c383cf&hm=01bc0318cbcc168c931ce63bf0e9560df28dc2f9e31a983c7a5c7c149d274ef6&
-
Sample
240819-wc6xxs1fpq
Malware Config
Targets
-
-
Target
https://cdn.discordapp.com/attachments/898568244867248158/1275147670406692916/EXM_Free_Tweaking_Utility_V5.bat?ex=66c4d54f&is=66c383cf&hm=01bc0318cbcc168c931ce63bf0e9560df28dc2f9e31a983c7a5c7c149d274ef6&
Score10/10-
Disables service(s)
-
Modifies security service
-
Modifies boot configuration data using bcdedit
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Event Triggered Execution: Image File Execution Options Injection
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Indicator Removal: Clear Persistence
remove IFEO.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Remote Services: SMB/Windows Admin Shares
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Power Settings
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Ignore Process Interrupts
1Impair Defenses
2Disable or Modify Tools
1Indicator Removal
2Clear Persistence
1File Deletion
1Modify Registry
8Subvert Trust Controls
1Install Root Certificate
1