Overview

overview

10

Static

static

1

win.reg

windows7-x64

10

win.reg

windows10-2004-x64

10

Analysis

  • max time kernel
    1611s
  • max time network
    1615s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-11-2024 06:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    win.reg

  • Size

    192.3MB

  • MD5

    85dfbda474020974f824e9a94967fa22

  • SHA1

    babcd8cd4014995f3ac81784fe22539029324ada

  • SHA256

    59fb16a77892da4cc1cfd34c36dd1edde53f8e33b1e7033ec078571dcf49165a

  • SHA512

    793cb697af5c2245d179048c21c3b0c037796ba9dc037b8ee184939c077ebf06dc2390136f24c254b81c3bc6a91bfb93431400dec14be53691e13bc3daad3099

  • SSDEEP

    49152:6TnkdSwskX+pXxuH4MuLyZGfUUlVEqcHSkHl:JdSwskX+pXxuH4MuLyZGfUUY

Score
10/10
adwaredefense_evasiondiscoveryevasionlateral_movementpersistenceprivilege_escalationstealertrojan

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs
    persistence
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies Windows Defender notification settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies firewall policy service 3 TTPs 64 IoCs
    evasion
  • Modifies security service 2 TTPs 64 IoCs
    evasion
  • UAC bypass 3 TTPs 4 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Boot or Logon Autostart Execution: Port Monitors 1 TTPs 19 IoCs

    Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 50 IoCs
    persistence
  • Manipulates Digital Signatures 1 TTPs 64 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Modifies RDP port number used by Windows 1 TTPs
  • Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

    Disable Windows Driver Blocklist via Registry.

    defense_evasion
  • Server Software Component: Terminal Services DLL 1 TTPs 64 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 64 IoCs
    persistence
  • Uses Session Manager for persistence 2 TTPs 1 IoCs

    Creates Session Manager registry key to run executable early in system boot.

    persistence
  • Allows Network login with blank passwords 1 TTPs 1 IoCs

    Allows local user accounts with blank passwords to access device from the network.

  • Boot or Logon Autostart Execution: Print Processors 1 TTPs 3 IoCs

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Impair Defenses: Safe Mode Boot 1 TTPs 29 IoCs
    defense_evasion
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Modifies Security services 2 TTPs 5 IoCs

    Modifies the startup behavior of a security service.

    defense_evasion
  • Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs

    Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

    lateral_movement
  • Boot or Logon Autostart Execution: Authentication Package 1 TTPs 2 IoCs

    Suspicious Windows Authentication Registry Modification.

    persistenceprivilege_escalation
  • Boot or Logon Autostart Execution: Time Providers 1 TTPs 33 IoCs

    The Windows Time service (W32Time) enables time synchronization across and within domains.

    persistence
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 11 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 64 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\regedit.exe
    regedit.exe "C:\Users\Admin\AppData\Local\Temp\win.reg"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Modifies WinLogon for persistence
    • Modifies Windows Defender notification settings
    • Modifies firewall policy service
    • Modifies security service
    • UAC bypass
    • Windows security bypass
    • Boot or Logon Autostart Execution: Active Setup
    • Boot or Logon Autostart Execution: Port Monitors
    • Event Triggered Execution: Image File Execution Options Injection
    • Manipulates Digital Signatures
    • Modify Registry: Disable Windows Driver Blocklist
    • Server Software Component: Terminal Services DLL
    • Sets service image path in registry
    • Uses Session Manager for persistence
    • Allows Network login with blank passwords
    • Boot or Logon Autostart Execution: Print Processors
    • Checks BIOS information in registry
    • Impair Defenses: Safe Mode Boot
    • Modifies system executable filetype association
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Modifies Security services
    • Remote Services: SMB/Windows Admin Shares
    • Boot or Logon Autostart Execution: Authentication Package
    • Boot or Logon Autostart Execution: Time Providers
    • Event Triggered Execution: Netsh Helper DLL
    • System Location Discovery: System Language Discovery
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies Internet Explorer Protected Mode
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Runs .reg file with regedit
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

9
T1547

Active Setup

1
T1547.014

Authentication Package

1
T1547.002

Port Monitors

1
T1547.010

Print Processors

1
T1547.012

Registry Run Keys / Startup Folder

3
T1547.001

Time Providers

1
T1547.003

Winlogon Helper DLL

1
T1547.004

Browser Extensions

1
T1176

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

5
T1546

AppInit DLLs

1
T1546.010

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

9
T1547

Active Setup

1
T1547.014

Authentication Package

1
T1547.002

Port Monitors

1
T1547.010

Print Processors

1
T1547.012

Registry Run Keys / Startup Folder

3
T1547.001

Time Providers

1
T1547.003

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

5
T1546

AppInit DLLs

1
T1546.010

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Impair Defenses

8
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

4
T1562.001

Safe Mode Boot

1
T1562.009

Modify Registry

18
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

6
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Remote Services

3
T1021

Remote Desktop Protocol

2
T1021.001

SMB/Windows Admin Shares

1
T1021.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2404-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2404-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

    Download