General
- Target: pepe.jpg
- Size: 9KB
- Sample: 250102-mpzvps1lal
- MD5: 75494425adf92da992dc799a556f65ea
- SHA1: 03a82524d97f766d2cd7305e45566e560197a512
- SHA256: 463a64d183f90599991de74c1b48330ad796fcd7aa733ac1a9be131eaa80618c
- SHA512: 20ddaec720ba304b644a010bfb3676fe13f64d9e7099e333051e5db43e2563d983fab29565e5f7902b017217ff450f5ce9ad68f2fa155ec780bbdd2914a117f7
- SSDEEP: 192:PT5eLK+PqoNaK7HrML4vT4ZkGorW+1ewk108rCqbWOqQlW:PlCBbw2xrWkb8rCqKqW
Static task: static1
Behavioral task: behavioral1
- Sample: pepe.jpg
- Resource: win10v2004-20241007-en
Malware Config
Targets
- pepe.jpg (9KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General above)
Signatures
- Modifies firewall policy service
- Modifies security service
- Modifies boot configuration data using bcdedit
- Drops file in Drivers directory
- Manipulates Digital Signatures: attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Modify Registry: Disable Windows Driver Blocklist: disables the Windows Driver Blocklist via the registry.
- Boot or Logon Autostart Execution: LSASS Driver: adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.
- Boot or Logon Autostart Execution: Print Processors: adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
- Event Triggered Execution: Component Object Model Hijacking: adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Indicator Removal: File Deletion: adversaries may delete files left behind by the actions of their intrusion activity.
- Drops autorun.inf file: malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Modifies termsrv.dll: commonly used to allow simultaneous RDP sessions.
MITRE ATT&CK Enterprise v15 (number in parentheses is the count of matching signatures)
Persistence
- Boot or Logon Autostart Execution (2)
  - LSASS Driver (1)
  - Print Processors (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - LSASS Driver (1)
  - Print Processors (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (5)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (6)
Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (1)
- Query Registry (2)
- System Information Discovery (4)