Overview

overview

10

Static

static

1

win.reg

windows7-x64

10

win.reg

windows10-2004-x64

10

Analysis

  • max time kernel
    203s
  • max time network
    316s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    09-11-2024 06:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    win.reg

  • Size

    192.3MB

  • MD5

    85dfbda474020974f824e9a94967fa22

  • SHA1

    babcd8cd4014995f3ac81784fe22539029324ada

  • SHA256

    59fb16a77892da4cc1cfd34c36dd1edde53f8e33b1e7033ec078571dcf49165a

  • SHA512

    793cb697af5c2245d179048c21c3b0c037796ba9dc037b8ee184939c077ebf06dc2390136f24c254b81c3bc6a91bfb93431400dec14be53691e13bc3daad3099

  • SSDEEP

    49152:6TnkdSwskX+pXxuH4MuLyZGfUUlVEqcHSkHl:JdSwskX+pXxuH4MuLyZGfUUY

Score
10/10
adwaredefense_evasionevasionpersistenceprivilege_escalationstealertrojan

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs
    persistence
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    evasiontrojan
  • UAC bypass 3 TTPs 8 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 10 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
    persistence
  • Manipulates Digital Signatures 1 TTPs 64 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Checks processor information in registry 2 TTPs 64 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs .reg file with regedit 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\regedit.exe
    regedit.exe "C:\Users\Admin\AppData\Local\Temp\win.reg"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Modifies WinLogon for persistence
    • Modifies Windows Defender notification settings
    • UAC bypass
    • Windows security bypass
    • Boot or Logon Autostart Execution: Active Setup
    • Event Triggered Execution: Image File Execution Options Injection
    • Manipulates Digital Signatures
    • Checks BIOS information in registry
    • Modifies system executable filetype association
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • Installs/modifies Browser Helper Object
    • Event Triggered Execution: Netsh Helper DLL
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies Internet Explorer Protected Mode
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Runs .reg file with regedit
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2364
  • C:\Windows\system32\notepad.exe
    "C:\Windows\system32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\win.reg"
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2264
  • C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\win.reg"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Modifies Windows Defender notification settings
    • UAC bypass
    • Windows security bypass
    • Boot or Logon Autostart Execution: Active Setup
    • Event Triggered Execution: Image File Execution Options Injection
    • Manipulates Digital Signatures
    • Checks BIOS information in registry
    • Modifies system executable filetype association
    • Hijack Execution Flow: Executable Installer File Permissions Weakness
    • Installs/modifies Browser Helper Object
    • Event Triggered Execution: Netsh Helper DLL
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies Internet Explorer Protected Mode
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Runs .reg file with regedit
    PID:1648
  • C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\win.reg"
    1⤵
    • Runs .reg file with regedit
    PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Browser Extensions

1
T1176

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

5
T1546

AppInit DLLs

1
T1546.010

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

5
T1546

AppInit DLLs

1
T1546.010

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Impair Defenses

4
T1562

Disable or Modify Tools

4
T1562.001

Modify Registry

12
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1648-2-0x0000000000410000-0x0000000000411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1648-3-0x0000000000410000-0x0000000000411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-0-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-1-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download