hxxps://learn[.]microsoft[.]com/en-us/windows/win32/inputdev/virtual-key-codes | Triage

Resubmissions

04/04/2025, 17:05

250404-vlttaa1tfw 10

04/04/2025, 16:24

250404-twm8tazzby 8

04/04/2025, 15:54

250404-tb9lbazwbz 10

04/04/2025, 15:25

250404-st48wazscs 10

04/04/2025, 14:56

250404-sa6btsyygs 10

04/04/2025, 11:52

250404-n1qxlsyks8 8

03/04/2025, 16:10

250403-tmqmksywgv 8

03/04/2025, 15:43

250403-s6etra1my8 10

03/04/2025, 14:14

250403-rkgwjsznw7 8

04/04/2025, 17:35

250404-v6d9bstnw3

Sharing

General

Target

https://learn.microsoft.com/en-us/windows/win32/inputdev/virtual-key-codes
Sample

250403-tmqmksywgv

Score

8^/10

defense_evasion discovery execution motw persistence phishing privilege_escalation pyinstaller trojan

Malware Config

Targets

- Target
  
  https://learn.microsoft.com/en-us/windows/win32/inputdev/virtual-key-codes
Score

8^/10

defense_evasion discovery execution motw persistence phishing privilege_escalation pyinstaller trojan
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  defense_evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Disables RegEdit via registry modification
  defense_evasion
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  defense_evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Image File Execution Options Injection

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Image File Execution Options Injection

Scheduled Task/Job

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

Hide Artifacts

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

Install Root Certificate

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

urlscan1

behavioral1

defense_evasiondiscoveryexecutionmotwpersistencephishingprivilege_escalationpyinstallertrojan