General
-
Target
https://drive.google.com/file/d/1JEyJqUbETAl_TA4ESa8y69PfADZjNP6g/view?usp=sharing
-
Sample
240828-ywna2avgrk
Malware Config
Targets
-
-
Target
https://drive.google.com/file/d/1JEyJqUbETAl_TA4ESa8y69PfADZjNP6g/view?usp=sharing
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Network Share Discovery
Attempt to gather information on host network.
-
Detected potential entity reuse from brand microsoft.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Virtualization/Sandbox Evasion
1