hxxps://learn[.]microsoft[.]com/en-us/windows/win32/inputdev/virtual-key-codes | Triage

Resubmissions

06/04/2025, 19:12

250406-xwgykswwds 8

06/04/2025, 18:06

250406-wp71ravwbt 8

06/04/2025, 15:11

250406-skkswatqs2 8

06/04/2025, 14:55

250406-saqlda1vc1 8

06/04/2025, 14:50

250406-r7slkatms9 8

06/04/2025, 13:43

250406-q1b5kaslt7 8

06/04/2025, 13:12

250406-qfh3dayyfy 8

06/04/2025, 12:59

250406-p8hrmsywgx 8

06/04/2025, 12:36

250406-psy4pa1ls2 8

06/04/2025, 12:06

250406-n985jszqv2 8

Sharing

General

Target

https://learn.microsoft.com/en-us/windows/win32/inputdev/virtual-key-codes
Sample

250405-xgakystvgs

Score

10^/10

defense_evasion discovery execution motw persistence phishing privilege_escalation pyinstaller trojan

Malware Config

Targets

- Target
  
  https://learn.microsoft.com/en-us/windows/win32/inputdev/virtual-key-codes
Score

10^/10

defense_evasion discovery execution motw persistence phishing privilege_escalation pyinstaller trojan
- UAC bypass
  defense_evasion trojan
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  defense_evasion
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Disables RegEdit via registry modification
  defense_evasion
- Disables use of System Restore points
  defense_evasion
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  defense_evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Image File Execution Options Injection

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Image File Execution Options Injection

Scheduled Task/Job

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

File and Directory Permissions Modification

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

Install Root Certificate

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

urlscan1

behavioral1

defense_evasiondiscoveryexecutionmotwpersistencephishingprivilege_escalationpyinstallertrojan