General
Target: Terabyte.Tweaker.bat
Size: 55KB
Sample: 250330-yyn1cayks2
MD5: 1fdf3a31b6d0c672ac2b7a51e1549c38
SHA1: 11d9d427605aafd3f8d409f9930d7bf4215189c7
SHA256: 1a1ae207c19b5b14be702e3ff4a4b1f13d229c6823cbcf43eff9a0f600a6e48b
SHA512: 2d7c71f5e66a6f5f7eff9ef65352ccb9482a8d811609ad1d058b5328994e911f60974d52e97d82b2685873e32ff1b7747961df9206f5c4b9ff667551d092624a
SSDEEP: 768:nzIrYWk6E0pri91EBw0wW2WoG4ouKSoMgX0714lGAyWkctQVTJMkmS+WyuAm2Wyk:z+ioBtYBN
Static task: static1
Behavioral task: behavioral1
Sample: Terabyte.Tweaker.bat
Resource: win11-20250313-es

Malware Config
Targets
Target: Terabyte.Tweaker.bat (55KB; hashes as listed under General above)

Signatures
- Modifies security service
- Modifies boot configuration data using bcdedit
- Blocklisted process makes network request
- Disables taskbar notifications via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Server Software Component: Terminal Services DLL
- Sets service image path in registry
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (4)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
- Power Settings (1)
- Server Software Component (1)
  - Terminal Services DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (4)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)

Discovery
- Peripheral Device Discovery (1)
- Query Registry (1)
- Remote System Discovery (1)
- System Information Discovery (2)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- System Time Discovery (1)