jasamper2000
Grasshopper
Thanks po
hahahaTA0004
Process Injection
T1055
System process connects to network (likely due to code injection)
Modifies the context of a thread in another process (thread injection)
Injects code into the Windows Explorer (explorer.exe)
Dynamic Analysis Sandbox Detections
The sandbox Zenbox flags this file as: MALWARE ADWARE TROJAN EVADER
MITRE ATT&CK Tactics and Techniques
Execution
TA0002
Windows Management Instrumentation
T1047
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries process information (via WMI, Win32_Process)
Shared Modules
T1129
Parse PE header
Service Execution
T1569.002
Uses sc.exe to modify the status of services
Persistence
TA0003
Windows Service
T1543.003
Creates driver files
Uses sc.exe to modify the status of services
LSASS Driver
T1547.008
Spawns drivers
Privilege Escalation
TA0004
Process Injection
T1055
System process connects to network (likely due to code injection)
Modifies the context of a thread in another process (thread injection)
Injects code into the Windows Explorer (explorer.exe)
Windows Service
T1543.003
Creates driver files
Uses sc.exe to modify the status of services
LSASS Driver
T1547.008
Spawns drivers
Defense Evasion
TA0005
Masquerading
T1036
Creates files in the system32 config directory
Drops PE files to the windows directory (C:\\Windows)
Creates files inside the user directory
Creates files inside the system directory
Process Injection
T1055
System process connects to network (likely due to code injection)
Modifies the context of a thread in another process (thread injection)
Injects code into the Windows Explorer (explorer.exe)
File Deletion
T1070.004
Deletes files inside the Windows folder
File and Directory Permissions Modification
T1222
Modifies the hosts file
Virtualization/Sandbox Evasion
T1497
Query firmware table information (likely to detect VMs)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains medium sleeps (>= 30s)
Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Disable or Modify Tools
T1562.001
Adds a directory exclusion to Windows Defender
Discovery
TA0007
Application Window Discovery
T1010
Sample monitors Window changes (e.g. starting applications), analyze the sample with the simulation cookbook
Remote System Discovery
T1018
Reads the hosts file
Process Discovery
T1057
Queries a list of all running processes
System Information Discovery
T1082
Queries the cryptographic machine GUID
Reads software policies
Queries process information (via WMI, Win32_Process)
Queries the volume information (name, serial number etc) of a device
Virtualization/Sandbox Evasion
T1497
Query firmware table information (likely to detect VMs)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains medium sleeps (>= 30s)
Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Security Software Discovery
T1518.001
Query firmware table information (likely to detect VMs)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Command and Control
TA0011
Application Layer Protocol
T1071
Performs DNS lookups
Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic.
Non-Application Layer Protocol
T1095
Performs DNS lookups
Non-Standard Port
T1571
Detected TCP or UDP traffic on non-standard ports
Ganun ba hahapwede na ako mangseduce neto, charr. thank youu lodss keep sharing