Overview

overview

10

Static

static

3

クラック.zip

windows7-x64

10

クラック.zip

windows10-2004-x64

Resubmissions

09-09-2024 23:39

240909-3nkmdswdqm 10

09-09-2024 23:31

240909-3hx1jaxfqb 10

09-09-2024 23:11

240909-26blrsvfjk 10

09-09-2024 22:25

240909-2b33jatcjn 10

09-09-2024 22:07

240909-11pe1avbqd 10

09-09-2024 21:53

240909-1rxd9asbrr 10

09-09-2024 21:44

240909-1ltfeatend 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    クラック.zip

  • Size

    13.4MB

  • Sample

    240909-2b33jatcjn

  • MD5

    6c5fc1a3ba386a83c87700f54d62a96f

  • SHA1

    a05f08de3e4f218ad2567a2695d0ca500fb48ecf

  • SHA256

    67c12eda1cc8358e06ef29eabf1542bf68db9da45df65c52d0ac03246bf75e03

  • SHA512

    0a2573e40287c35c5a05c9b84fd5fd41bacc16c1bb565ee823ff6a42610c151f460a4be6d7009f0a70b648234aa998af27769ae667f4649c223c39c07449a098

  • SSDEEP

    393216:T0Wxsts7B2+qq0a1n5Gy0vdymghya/2yswYpmTg:wGg1+0a1nYvvJghD/2yMM8

Score
10/10
asyncratdcratgandcrablokibotnjratremcosstormkittyxloaderaugust crypter toolz grace stubdefaulthackedkosomk 555pukedvictimeidobackdoorbootkitcollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerloaderpersistenceprivilege_escalationransomwareratspywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

great-it.gl.at.ply.gg:11149

Mutex

4d5861675348411506f0e029827092c2

Attributes
  • reg_key

    4d5861675348411506f0e029827092c2

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

njrat

Version

im523

Botnet

puked

C2

147.185.221.20:47570

Mutex

20006afb0ec33f2e48c8c1f17d4d3382

Attributes
  • reg_key

    20006afb0ec33f2e48c8c1f17d4d3382

  • splitter

    |'|'|

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

192.168.1.42:5552

Mutex

bf7b1fe7a7644171a9985ea45221c25c

Attributes
  • reg_key

    bf7b1fe7a7644171a9985ea45221c25c

  • splitter

    |'|'|

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

C2

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    -YFLE4M

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Path

C:\MSOCache\LHWHR-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .LHWHR The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/2a31ecf25de949ad | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAMGLujodAXDJYjNWp5EtRIjZt9TTndSynfYOAhXY9Ow3uwiPjVevCn1EHzve8bsKfbW2u2YLFoieOZg7WZCqgQ2l1YiHctrgfVJkjmPkyjulN7+yf6EJPctB5bwC6UUsnAER/NfKLYWtuveXqQu985tWSomK4N/1p/R7DPSaWEwAMSfTTXLMDfj2qz8ReemM/gysxlkM/LvtQ2zzkhnjIhcrUb0D82HDO213xelGWvYuQhnupE8p+FEKBh5L20nUc279uZzWDeT8FWjOT9hV0yl//qulGKHHB+a2gzpOU6FDKYK5V9WKMK7VbnanL8bYAfBJsh80JCvOqfTquNex/3EMo4Jc3fjm/NpiLpylYjLPDmmzWk9XMn6V0ERjWJuYEXgsMCnnSFEJ54MPTVqB4L9OigoYC0mbv9/ABZjYyP7GnDM70BQFEMRMC2WLrPUyppQc3YBbiKtGSjnYN8UIpcVpr09QffRWbj8owltDsdfkheF7Ua5vU7tYWzEp+lr9bvXXiSxxRWdJedFbGnjWBEUlgEXLypQX7d6pY9mrDufsnGqEfSHet7GgUt8qZS2nr4PU+FAhTfIpEdJILhXfuDgx4aFAZfJGR052nUlOr5Vll09ZD3Q0L7CAet6IEbGiBtTUFgmpwd2wNjvqc/zQwx9jHcZWFTOS1y0RxWl7IcY8Wg0id3dFcb0FYvHWhWtr+AgdracoZEEif/8hYqP2cq/3gGbTO8R36cJ0aAGK9IpcKBsH03SegOk+8u5dalIBfKfjVA1wF2SQcoDfeXt9UcLglIi2Z8ZzHJegHuLQzeO/mHha1oFA4DVLDymlQbPx5KbqYl0HkXBSiMwDYBn0Js7stzo0DwfvoapO/M5dKxvEz6x0GJezfx27X0rz7iexntnp5wcaA3wSyAdyHHsv31JIS90IESAX8qt3e8zAgTEMLYzijlk6URn9ojEsgEPPzbTqpfHpsTomrvhoi58MuVFnnwLyFkabd1uFRYJzlgI1NSQ8nT6dahs4QYF7ROzhcBxoay6TnuJSMa1X2Gf29KEr/wqXbc7b0X1NeH7HMuCzf3bIkJRcXmjN79E5OBa4XBiMUY74631Y6tYlbx00oZHXncF+Vl0y5xyu4fjHMnnkdvJEnmoiRG8A7zN/cg5s7CElepga18ZbM6kSwmv8G7tuPvRz8zgJ/V8Ci4OubI+OjmrvEnwkvztLzAqPnQrmzRSAXNUHVlr9dhHzQyzNG+ZoZvawMznj657Ksmkg6KrIVPxi7iVvrtavnP49z9cvG9tiq9IjYkzwVAXTpn4K3M3ionBKzhvZFcwJuKEXvDqoVLgA17lFUJttG4I6ZYQwIkZdL6/1obR8wrwpdpjgOmvaUxyVVl6x84SMlOA2QuRxdlWlA+ADKdpi4n+XKlSISq0XPYtYw0OcgN0XudvDzz/QC8UIFRLQhN9bpQFg20BNEXwbH0QDG6AaxaMmoFs8mljZqAL0Qa4ITv9GUgsgDCfiduKJWSZNZWoAE3R4u8C+OaJUY94qLgrzKnx18dy8nxDNzHbhs4HTvUj4B06Z29bIW4nye1aexHj9IvAojqkOVn+ZBnwEmzc65doV+aelHr+S/ya7spUM6nMD5xaS4aYcAR39X2YxxoSxW0tL8+jU+jNkSSPywddKnyl5pvXak/3W2UjshSra7LxpRPznxURBfYCk7A1w5lK0EF76C1m0EoBbb4Vo6yDNEXNpjiDDeD2lZsPehixLP5DWg3AIeZzod8vG6PXwvvtDAZsi3uivFe4QNbWyoDZ8mooe5T/Q/r2DLeOtIbQYJFkBqykQQDH4ZDfDC0+QmuT1xIm/iKRD0DmaYxee/xBqaM3waDY3SB0xnFkNhnD28pWlfPowtXZxtOU2xzDLssP/IQxy6rX8gXZlcWbrX5hYome66deQBI6c53pVnILPPAiC7I6o8VVjFirklVe46OtyOZ83lEYKCUVHtfQkmA+Be+g1gs8AVdo01cuIa5jaIXOP6yiz0sIwOTZLSCvZm/2AX/xzumwM5RbXdf1GSnDnhK+d+2qeOOKvuRVHOK0VoTIPjLEOVmDXrimcgVM3n65Of1ys/YHFRpwxgWIuLJSfT4SntXj7p4IyJSbz3PADUtAeWbRsfzUVPQfcgJQnGn8SukB16oujnguYHsOttDfzRqEI/tjToYSvVw4lpnmozXJMKGrdMXbVyUYTtpibMRYgA2+Ch7EoHvIkEsrENjAB8I49GZG5Cv5xvEM= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZcTp9RvHYL7nBWr7fTTGCHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4bEjkUvB4eLx/zU2R+skGt5YOFrWBi7tqRHfEYgb9ScE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg7wZi/pARFP3vzLMeas1wAZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJHwHowOP7+LRYsPy4knV/fu67PJzMP9LnZDh5szqewLRaRtAf+EbjLWu+IPXpBeLdQo9FRha1KO2vpgy2mFLQkzlAtXfjb5QmECiQ== ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/2a31ecf25de949ad

Extracted

Family

lokibot

C2

http://45.133.1.20/oluwa/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\UKIDHABQWW-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .UKIDHABQWW The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/12c902993ed474c5 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAGKpK1UdyyNbi0S3JBQiF2PTfE5MF3N9xCk8FbrBsse7RkNEhR1564hk71jh/7f9XeZvMHGBc3Z308W4OkSiSIiCAFctUzI4MdAumrbLcaC1zChseGG3zY6+OdXCoHKj+vUJX+CElxwaTu5oSeJ6k9dubkCepg5BR1q+haEKJjPHdlFZEMHpxqey/S6aXvjRttUqpU7uxPdoRTxsp9t2PYD2Ibpkm/KRsCSeZkZ2iIhhkyQ7vsS7IWTYPIT68rjDCjjkohGFO9MQrRJAjlgEaVEYEK/jUDYHZ7TlVNS7chrhbDUfcsYF49EhyvEtsOwY5DjGF8IzY0gUY2imbMv5uQGR1c465Qgt51eICnuMh73YV6JZg4b1VofVVQgmg28B0g5wCc2fv9A1wn/0a1uNdn7Ug3a6th/nDv2eu+d23G773g1+c9OOU7fxAk04Le0f/+Eaxutsiq49So3/i4CfviUviwOXGCDhbyhEWHBUbeWMK7jwJwfC5YkOd3sdRubzAeqNdy09lRHniGqyXSQpSOLo6Xfskmz7Xx3yc4tcadg2NqzX5Raf2yTM6AcX0uR799n4xiO7xEuJJ/OZ2jIeT2PajcEQ016naJaMzA//bH9SQfFuhDzb15N8ybCUu7SKl5ugbhxxbAzDcaMkODItIVViFL/CW8iCGv2BlT4V9nCxenViC3nOQ+B+HAXv/7WgCRnj6xqYIyA5ovGCVxE+yX6GH7ABWM+3WGm3L0Eh52a3poH0+fcPA+Zwv9C1DDeVrDgDL9KPB0aFP68YCAb4jKpT4ym2jl9ke1V3E532jArR0LN5pUTekspd04Js6H8potXD1jmxXfOSfYo6RM5zfz+PuPi/3bHQkihl7P5louwN3v4pk2WhZ/y9vJ6cJRBq+pRX7LKEfks7dcIawpTPmyEgufdVcWD4cDWwX6RxE8Hzgo+Z+jjeOUumuAC0jJ3bcxOuMJjU2oMdaMyWNVlktcXRjplnr1hKf1cl4wSL0s4/i8akZPmRmPZ3bYSlw+Vd/EqdeczU3KR+7LMpu6DRXwpnZn/BgCKbCLP4sMN7mKx9thgaabjW1Ks3OrAFoJaIKeZ93uSruG9xlP44NkkUi+PK39X+u1hxNExRJCLR/m6MKCOKiOKT8EG2upds0inz8eqDe4CMOta8LpijNJZhFBuSvSguTqaCEAmqn2p3N6WbE4JwyEXrrqlgFXC5nnWb5KJMxTt6bYOXYc00HLNJDIkLzkScuzDCKZVmQPBl8xA+fZ2lYekyVoyGTX+7FZVnfNly2nuycNnDia3Xn0gwJM9ugfV8thpZn/G7Zdx+pNMXGzGpT9XSnHHcgGeposZzmibOI+QixZciw544cnO+5ho9BewgpnnkrAtw7MsMPCH+jQlbQYdORP+O23oxptwDUDT7pf0d5K2e1XLVa+1QYJtb2St34AOyC14sARoyqVw9q0aWZmxGCk4czLGH8r3QVAgpzvT6+b9+cJEctpaZm2HlxKn+KnLtJJWTAHZHGj6U5bllAkDDPtlNefGC6OEYNwZ/Iwp+oPb+G1m6jo9zsXds5Er9rj/VpmAZDAogoBc6yPIdIZhQw8S3o1R5b/2lYbeS/ruFummvlF7cym5CUvJFO59TuheGE+dcA3nZMXvGb709jBgLm6znX/dE76UTfDcwS48yqRQuVyuUKyvM89Mn9DgSgphqPgRQpyZ6zh3RtY5wLwYnP6Cqxa7PiEKEx8lBie7Cg1zfVDOUANx2gi9gEPdBEquSBlOnRt399SRBt7TWOp62b7M/3zqwpQ062mIExeprAAbWQSk+LGXoyLCP52UeC9h+1yHHnAuvXFE9kiSKREJPNA+PPNlPZ4GLMb70q3sAPFZacUK7UUR+C3MlrFunSHsWOEfjQqPUTOz9T7jQupfNfLLl4d3SThz5Hl3HDvWQsEJtes8Cg9XACsTctNblU0wqmvuDDL9MvO4cDAbKURwQDshNrpHvtViOeHrABnvGt+GQXMXIFuNYh8zpgHFyfMd4ntXw5IOl53W9eQ5hlKpXJ5caWif7rU5ZEW8TSm37ukALR0sb8PKYmlzoR7FVIDUr49DmNo0JLzqcVfRgC+3vRVJ3GXoYPbghlU36LZ3gcRDpHwLH6LlLVrJQP/HHaF7h8qQouW2pq8UaJGFw9BB9mDc2+4rZuJLpoLUAyOTaVMJS8rxXEelh3Z8GOnUzWuEFEu0uftjfh6qympnhDhvXFFvT2UpH9Uq03ThOkjc= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZNTpJRq3YG7n5WtrfMTGWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB4eKm/zU2GOsmGtlYZVqKBiTt+BGCEd0bpicW4oq4Pqb3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDhFK3vTLMeaq1wEZN3QfRlOKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC3qZBEuHtJEioBZ9MNJGhHpcOfb/LRc8P54k7V/HuibORzJL9NXYEh8sz/ewORahtHP+ZbmbW4eJPXp1eNtQ19EJhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/12c902993ed474c5

Extracted

Family

xloader

Version

2.6

Campaign

eido

Decoy

revellbb.com

tempranillowine.net

viralstrategies.info

blacktxu.com

flfththirdbank.com

vaoex.com

theselfdirectedinvestor.com

vinadelmar.travel

othersidejimmythemonkey.com

jaguar-landrovercenter-graz.com

supremeosterreich.com

chatsubs.com

free99.design

serviciosmvs.com

bongmecams.xyz

malikwoodson.com

onlinegamebox.club

694624.com

yeezyzapatos.club

istanbul-hairtransplant.com

Extracted

Family

njrat

Version

0.7d

Botnet

kosomk 555

C2

dovelabobzgnan.ddns.net:5552

Mutex

a8c0d4cf5cfc2cc1149b5e071c2ab5df

Attributes
  • reg_key

    a8c0d4cf5cfc2cc1149b5e071c2ab5df

  • splitter

    |'|'|

Targets

    • Target

      クラック.zip

    • Size

      13.4MB

    • MD5

      6c5fc1a3ba386a83c87700f54d62a96f

    • SHA1

      a05f08de3e4f218ad2567a2695d0ca500fb48ecf

    • SHA256

      67c12eda1cc8358e06ef29eabf1542bf68db9da45df65c52d0ac03246bf75e03

    • SHA512

      0a2573e40287c35c5a05c9b84fd5fd41bacc16c1bb565ee823ff6a42610c151f460a4be6d7009f0a70b648234aa998af27769ae667f4649c223c39c07449a098

    • SSDEEP

      393216:T0Wxsts7B2+qq0a1n5Gy0vdymghya/2yswYpmTg:wGg1+0a1nYvvJghD/2yMM8

    Score
    10/10
    asyncratdcratgandcrablokibotnjratremcosstormkittyaugust crypter toolz grace stubdefaulthackedpukedvictimbackdoorbootkitcollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistenceprivilege_escalationransomwareratspywarestealertrojanupxvmprotectxloaderkosomk 555eidoloader

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

      ransomwarebackdoorgandcrab

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Async RAT payload

      rat

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (339) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Xloader payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Modifies Windows Firewall

      evasion

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • System Binary Proxy Execution: Verclsid

      Adversaries may abuse Verclsid to proxy execution of malicious code.

      defense_evasion

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Scripting

1
T1064

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Safe Mode Boot

1
T1562.009

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

5
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scripting

1
T1064

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

System Binary Proxy Execution

1
T1218

Verclsid

1
T1218.012

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

1
T1490

Tasks