Analysis
-
max time kernel
98s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28/09/2024, 22:15
General
-
Target
YourWindowsWillDieifyourunthisasadmin.exe
-
Size
709KB
-
MD5
4cf78f076ef4a827ee6ea9b9e91edc00
-
SHA1
34f59c9ab945fdbbd984f5d973e1ff4039c4e8d8
-
SHA256
a06c8e1909640e666ff1053c31c4716dab707630a1bc6f432651edcc8538829d
-
SHA512
dd14cd81731506347448fd3726057740966363e90c89f0830f720171a689fafbc155a9f8ac2d1f69413ada06a80dbf8016d1385640b490d2d9444264c6b01ea7
-
SSDEEP
12288:YU+9H3900EJqrekLEyTYQcDL/TNuUCziP6VFGO5lrEaKYNtcBvAuvlee2NCFbLkU:YU+9XNrenyktDLdYNtcdvQNC9wHAP5ck
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Disables Task Manager via registry modification
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs
-
Modifies system executable filetype association 2 TTPs 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 1 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\YourWindowsWillDieifyourunthisasadmin.exe"C:\Users\Admin\AppData\Local\Temp\YourWindowsWillDieifyourunthisasadmin.exe"1⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
1Safe Mode Boot
1Modify Registry
6Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1