General
-
Target
https://cdn.discordapp.com/attachments/898568244867248158/1275147670406692916/EXM_Free_Tweaking_Utility_V5.bat?ex=66c626cf&is=66c4d54f&hm=eff5492c3e8b688f3a2fd0750cf15d58c1aa7eb393be5226ba21ccea3099e7b8&
-
Sample
240820-zdcx1ssbpg
Malware Config
Targets
-
-
Target
https://cdn.discordapp.com/attachments/898568244867248158/1275147670406692916/EXM_Free_Tweaking_Utility_V5.bat?ex=66c626cf&is=66c4d54f&hm=eff5492c3e8b688f3a2fd0750cf15d58c1aa7eb393be5226ba21ccea3099e7b8&
Score10/10-
Disables service(s)
-
Modifies security service
-
Modifies visibility of file extensions in Explorer
-
Modifies visiblity of hidden/system files in Explorer
-
Modifies boot configuration data using bcdedit
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Event Triggered Execution: Image File Execution Options Injection
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Indicator Removal: Clear Persistence
remove IFEO.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Remote Services: SMB/Windows Admin Shares
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
-
Drops file in System32 directory
-