General
-
Target
https://duckduckgo.com/
-
Sample
250204-z3j3matqhl
Malware Config
Targets
-
-
Target
https://duckduckgo.com/
Score10/10-
Modifies security service
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Sets service image path in registry
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Detected potential entity reuse from brand GOOGLE.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Power Settings
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
Impair Defenses
1Indicator Removal
1Clear Windows Event Logs
1Modify Registry
6Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1