Overview

overview

10

Static

static

1

win.reg

windows7-x64

10

win.reg

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    win.reg

  • Size

    192.3MB

  • Sample

    241109-hcb6naynes

  • MD5

    85dfbda474020974f824e9a94967fa22

  • SHA1

    babcd8cd4014995f3ac81784fe22539029324ada

  • SHA256

    59fb16a77892da4cc1cfd34c36dd1edde53f8e33b1e7033ec078571dcf49165a

  • SHA512

    793cb697af5c2245d179048c21c3b0c037796ba9dc037b8ee184939c077ebf06dc2390136f24c254b81c3bc6a91bfb93431400dec14be53691e13bc3daad3099

  • SSDEEP

    49152:6TnkdSwskX+pXxuH4MuLyZGfUUlVEqcHSkHl:JdSwskX+pXxuH4MuLyZGfUUY

Score
10/10
adwaredefense_evasiondiscoveryevasionlateral_movementpersistenceprivilege_escalationstealertrojan

Malware Config

Targets

    • Target

      win.reg

    • Size

      192.3MB

    • MD5

      85dfbda474020974f824e9a94967fa22

    • SHA1

      babcd8cd4014995f3ac81784fe22539029324ada

    • SHA256

      59fb16a77892da4cc1cfd34c36dd1edde53f8e33b1e7033ec078571dcf49165a

    • SHA512

      793cb697af5c2245d179048c21c3b0c037796ba9dc037b8ee184939c077ebf06dc2390136f24c254b81c3bc6a91bfb93431400dec14be53691e13bc3daad3099

    • SSDEEP

      49152:6TnkdSwskX+pXxuH4MuLyZGfUUlVEqcHSkHl:JdSwskX+pXxuH4MuLyZGfUUY

    Score
    10/10
    adwaredefense_evasiondiscoveryevasionlateral_movementpersistenceprivilege_escalationstealertrojan

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender notification settings

      evasiontrojan

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Boot or Logon Autostart Execution: Port Monitors

      Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

      persistence

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Modifies RDP port number used by Windows

    • Modify Registry: Disable Windows Driver Blocklist

      Disable Windows Driver Blocklist via Registry.

      defense_evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Sets service image path in registry

      persistence

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

      persistence

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Modifies system executable filetype association

      persistence

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

      defense_evasionpersistenceprivilege_escalation

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies Security services

      Modifies the startup behavior of a security service.

      defense_evasion

    • Remote Services: SMB/Windows Admin Shares

      Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

      lateral_movement

    • Boot or Logon Autostart Execution: Authentication Package

      Suspicious Windows Authentication Registry Modification.

      persistenceprivilege_escalation
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

9
T1547

Active Setup

1
T1547.014

Authentication Package

1
T1547.002

Port Monitors

1
T1547.010

Print Processors

1
T1547.012

Registry Run Keys / Startup Folder

3
T1547.001

Time Providers

1
T1547.003

Winlogon Helper DLL

1
T1547.004

Browser Extensions

1
T1176

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

5
T1546

AppInit DLLs

1
T1546.010

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

9
T1547

Active Setup

1
T1547.014

Authentication Package

1
T1547.002

Port Monitors

1
T1547.010

Print Processors

1
T1547.012

Registry Run Keys / Startup Folder

3
T1547.001

Time Providers

1
T1547.003

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

5
T1546

AppInit DLLs

1
T1546.010

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Impair Defenses

8
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

4
T1562.001

Safe Mode Boot

1
T1562.009

Modify Registry

18
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

6
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Remote Services

3
T1021

Remote Desktop Protocol

2
T1021.001

SMB/Windows Admin Shares

1
T1021.002

Collection

Command and Control

Exfiltration

Impact

Tasks