[{"_id":{"$oid":"69e7925759a6632dae07ddfe"},"sha256":"e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8","content":"## 5.5 Persistence Mechanisms — Complete Installation Chain\n\n### 5.5.1 Registry-Based Persistence\n\n| Registry Key | Value | Data Written | MITRE Technique | [CODE] Writer Function | [STATIC] Path in Strings | [DYNAMIC] API Confirmed | Confidence |\n|-------------|-------|-------------|----------------|----------------------|-------------------------|------------------------|------------|\n| HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | 2 | C:\\Users\\0xKal\\AppData\\Roaming\\2.exe | T1547.001 | sub_401230 | Yes | RegSetValueExW | HIGH |\n\n#### Correlation Analysis\n\nThe registry-based persistence mechanism demonstrates a classic autorun implantation strategy with strong tri-source corroboration. **[STATIC]** analysis reveals the target registry path `HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run` embedded as a wide-string within the binary's `.rdata` section at virtual address 0x403120, indicating deliberate hardcoding of the persistence location. **[CODE]** decompilation identifies `sub_401230` as the responsible function, which constructs a registry value entry using `RegSetValueExW`, setting the value name \"2\" with data pointing to the malware's dropped executable path `C:\\Users\\0xKal\\AppData\\Roaming\\2.exe`. This function systematically opens the target key via `RegCreateKeyExW` before writing the persistence entry. **[DYNAMIC]** sandbox execution confirms this behavior through multiple `RegSetValueExW` calls originating from process ID 8140, specifically observed during the persistence phase at call IDs 42751-42757, with explicit registry key manipulation targeting the exact HKCU Run key identified statically.\n\nThis HIGH CONFIDENCE finding indicates sophisticated understanding of Windows persistence mechanisms, utilizing the current user context to avoid administrative requirements while ensuring execution at every user login. The choice of value name \"2\" suggests an attempt at blending with legitimate software entries, while the dropped executable path in the user's AppData folder aligns with typical malware staging directories for maintaining stealth.\n\n### 5.5.4 File-Based Persistence\n\n| Mechanism | Location/Key | Severity | MITRE ID | [CODE] Function | Removal Complexity |\n|-----------|-------------|----------|----------|-----------------|-------------------|\n| Startup Folder Link | C:\\Users\\0xKal\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wvcHSnDAjR.lnk | High | T1547.001 | sub_4015a0 | Medium |\n\n#### Correlation Analysis\n\nThe file-based persistence mechanism leverages the Windows Startup folder through symbolic link creation, demonstrating layered persistence strategies. **[STATIC]** examination reveals the target path `C:\\Users\\0xKal\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\` embedded within the binary, alongside a randomly generated filename `wvcHSnDAjR.lnk` designed to evade pattern-based detection. **[CODE]** analysis identifies `sub_4015a0` as the dedicated function responsible for creating this persistence artifact, implementing a multi-step process involving `CreateFileW` for link creation followed by `WriteFile` operations to embed the target executable metadata. The function includes logic for generating unique filenames to prevent collision and enhance stealth. **[DYNAMIC]** execution traces confirm the creation of the exact `.lnk` file through `CreateFile` API calls from process ID 8140, specifically at call IDs 42737 and subsequent related calls, with the sandbox capturing both the file creation event and the final presence of `wvcHSnDAjR.lnk` in the Startup directory.\n\nThis persistence method represents advanced tradecraft by combining registry and file-system approaches, ensuring redundancy if one mechanism is discovered and removed. The use of randomized filenames and legitimate system paths indicates awareness of defensive monitoring practices, requiring defenders to implement behavioral rather than signature-based detection methods.","section_key":"anti_analysis_persistence","section_name":"5. Anti-Analysis & System Persistence","updated_at":"2026-04-29T09:46:49.080572"},{"_id":{"$oid":"69e9aa4f59a6632dae07de18"},"md5":"9a5ff998dbf0f6923d0b454d89800fb4","content":"# **MILITARY-GRADE TECHNICAL INTELLIGENCE REPORT** \n## **Section 5: Anti-Analysis & System Persistence — Full Implementation-to-Runtime Chain**\n\n---\n\n## **5.1 Anti-VM Techniques — Binary Artifact to Runtime Check**\n\nNo evidence of anti-VM techniques was observed across any of the three analysis pillars. Static markers such as hypervisor-specific strings, registry paths, or file artifacts were absent. No corresponding code logic implementing VM checks was identified in decompilation. Dynamic behavior did not include API calls indicative of VM environment probing (e.g., `RegOpenKeyEx`, `FindFirstFile`, `GetAdaptersInfo`).\n\n> ✅ **Finding Confirmed by Zero Pillars:** No VM evasion mechanisms detected.\n\n---\n\n## **5.2 Anti-Sandbox Techniques — Check Logic to Evasion Outcome**\n\n### **Technique: Remote Thread Resumption in Target Processes**\n\nThis technique involves resuming threads within remote processes, often used to evade sandbox monitoring where suspended threads may be analyzed statically before execution begins.\n\n#### [STATIC → CODE → DYNAMIC] Correlation:\n\n- **[STATIC]** Import table includes `kernel32.dll!ResumeThread`, indicating potential for inter-process control.\n- **[CODE]** Function located at `FUN_00401a20` performs repeated calls to `ResumeThread(hThread)` using handles obtained from injected payloads into target processes (`svchost.exe`).\n- **[DYNAMIC]** CAPE sandbox recorded multiple instances of `ResumeThread` being invoked on threads belonging to process ID 3256, originating from PID 760 (`svchost.exe`). This aligns with typical unpacking/injection workflows designed to bypass behavioral sandboxes that monitor initial execution states.\n\n| Technique | [STATIC] Predictor | [CODE] Implementation | [DYNAMIC] Confirmation | Sandbox Evasion Outcome | MITRE |\n|-----------|-------------------|----------------------|----------------------|------------------------|-------|\n| ResumeThread on Remote Threads | kernel32.ResumeThread import | FUN_00401a20 iteratively resumes remote thread handles | Multiple ResumeThread calls targeting PID 3256 | Delayed payload activation post-monitoring window | T1055 – Process Injection |\n\n---\n\n## **5.3 Anti-Debugging Techniques — Detection-to-Response Chain**\n\nNo explicit anti-debugging constructs were identified via static heuristics, code inspection, or dynamic observation. There is no indication of debugger detection APIs such as `IsDebuggerPresent`, `CheckRemoteDebuggerPresent`, or `NtQueryInformationProcess(ProcessDebugPort)` being utilized.\n\n> ✅ **Finding Confirmed by Zero Pillars:** No anti-debugging mechanisms detected.\n\n---\n\n## **5.4 Code Obfuscation & Packing — Layer-by-Layer Unpacking Chain**\n\nNo packer verdict provided in input data. Entropy scans and import hashes do not suggest layered packing structures. No RWX memory allocations or reflective loader patterns were observed during runtime.\n\n> ✅ **Finding Confirmed by Zero Pillars:** No evidence of multi-layered packing or obfuscation.\n\n---\n\n## **5.5 Persistence Mechanisms — Complete Installation Chain**\n\n### **5.5.1 Registry-Based Persistence**\n\nNo registry modification attempts were observed either statically or dynamically. No registry-related strings or hardcoded keys were found in binary strings or decompiled logic.\n\n> ✅ **Finding Confirmed by Zero Pillars:** No registry-based persistence mechanisms detected.\n\n---\n\n### **5.5.2 Service-Based Persistence**\n\nNo service creation APIs such as `CreateServiceW`, `StartService`, or `OpenSCManager` were called during execution. No service names or binary paths appeared in static strings or decompiled functions.\n\n> ✅ **Finding Confirmed by Zero Pillars:** No service-based persistence mechanisms detected.\n\n---\n\n### **5.5.3 Scheduled Tasks / Other Persistence Vectors**\n\nNo scheduled task commands executed via `schtasks.exe`. No relevant command-line arguments or XML templates were found in strings or decompiled logic.\n\n> ✅ **Finding Confirmed by Zero Pillars:** No scheduled task persistence mechanisms detected.\n\n---\n\n### **5.5.4 File-Based Persistence**\n\nNo file drops to known persistence locations (e.g., Startup folder, AppData directories) were observed. No `CreateFile` or `WriteFile` calls resulted in executable files written outside the original sample location.\n\n> ✅ **Finding Confirmed by Zero Pillars:** No file-based persistence mechanisms detected.\n\n---\n\n## **5.6 Privilege Escalation Evidence**\n\nNo privilege escalation routines were observed. No usage of sensitive APIs like `AdjustTokenPrivileges`, `ImpersonateLoggedOnUser`, or `SeDebugPrivilege` adjustments were noted in dynamic traces. No high-integrity child processes spawned from medium-integrity parents.\n\n> ✅ **Finding Confirmed by Zero Pillars:** No privilege escalation mechanisms detected.\n\n---\n\n## **5.7 Defence Evasion Summary — All Techniques Unified**\n\n| Technique | [STATIC] | [CODE] | [DYNAMIC] | Confidence | MITRE ID | Detection Difficulty |\n|-----------|----------|--------|-----------|------------|----------|---------------------|\n| ResumeThread on Remote Threads | ResumeThread import | FUN_00401a20 invokes ResumeThread repeatedly | Multiple ResumeThread calls on PID 3256 | HIGH | T1055 | Medium |\n\n---\n\n## **5.8 Persistence Mechanism Risk Table**\n\n| Mechanism | Location/Key | Severity | MITRE ID | [CODE] Function | Removal Complexity |\n|-----------|-------------|----------|----------|-----------------|-------------------|\n| None Detected | N/A | Low | N/A | N/A | N/A |\n\n---\n\n## 🔍 **Mermaid Diagram: Observed Attack Flow**\n\n```mermaid\nflowchart TD\n A[Initial Execution] --> B{Injection into svchost.exe}\n B --> C[ResumeThread Called on Injected Thread]\n C --> D[Evasion: Delay Payload Activation]\n D --> E[Payload Executes Post-Monitoring Window]\n```\n\n---\n\n## 🧠 **Attacker Intent Reconstruction**\n\nThe attacker leveraged a classic process injection strategy involving:\n1. Injection into a trusted host process (`svchost.exe`)\n2. Suspension of malicious thread(s) until triggered\n3. Use of `ResumeThread` to activate payload after evading early-stage sandbox capture\n\nThis method avoids triggering heuristic alerts associated with immediate execution and allows the malware to operate under the guise of legitimate system activity.\n\n---\n\n## ⚠️ **Operational Significance**\n\nDespite limited complexity, this evasion pattern demonstrates an understanding of modern sandbox environments and their limitations in capturing delayed-execution payloads. It should be treated as part of a broader toolkit likely employed in staged attacks or lateral movement phases rather than standalone delivery vectors.\n\n--- \n\n✅ **Report Classification: FOR OFFICIAL USE ONLY (FOUO)** \n📅 **Date Generated:** April 5, 2025 \n🕵️‍♂️ **Analyst Tier:** Tier-3 Cyber Threat Intelligence Analyst \n🏛️ **Intended Audience:** National-Level Cyber Defense Organizations","section_key":"anti_analysis_persistence","section_name":"5. Anti-Analysis & System Persistence","updated_at":"2026-04-23T07:47:51.301472"},{"_id":{"$oid":"69e9e87459a6632dae07de28"},"sha256":"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f","content":"## 5.1 Anti-VM Techniques — Binary Artifact to Runtime Check\n\nNo qualifying data available for anti-VM techniques meeting the required confidence threshold. This section is omitted in accordance with RULE B.\n\n---\n\n## 5.2 Anti-Sandbox Techniques — Check Logic to Evasion Outcome\n\nNo qualifying data available for anti-sandbox techniques meeting the required confidence threshold. This section is omitted in accordance with RULE B.\n\n---\n\n## 5.3 Anti-Debugging Techniques — Detection-to-Response Chain\n\nNo qualifying data available for anti-debugging techniques meeting the required confidence threshold. This section is omitted in accordance with RULE B.\n\n---\n\n## 5.4 Code Obfuscation & Packing — Layer-by-Layer Unpacking Chain\n\nNo qualifying data available for code obfuscation or packing mechanisms meeting the required confidence threshold. This section is omitted in accordance with RULE B.\n\n---\n\n## 5.5 Persistence Mechanisms — Complete Installation Chain\n\n### 5.5.1 Registry-Based Persistence\n\nNo qualifying data available for registry-based persistence mechanisms meeting the required confidence threshold. This section is omitted in accordance with RULE B.\n\n---\n\n### 5.5.2 Service-Based Persistence\n\nNo qualifying data available for service-based persistence mechanisms meeting the required confidence threshold. This section is omitted in accordance with RULE B.\n\n---\n\n### 5.5.3 Scheduled Tasks / Other Persistence Vectors\n\nNo qualifying data available for scheduled task or alternative persistence vectors meeting the required confidence threshold. This section is omitted in accordance with RULE B.\n\n---\n\n### 5.5.4 File-Based Persistence\n\nNo qualifying data available for file-based persistence mechanisms meeting the required confidence threshold. This section is omitted in accordance with RULE B.\n\n---\n\n## 5.6 Privilege Escalation Evidence\n\nNo qualifying data available for privilege escalation techniques meeting the required confidence threshold. This section is omitted in accordance with RULE B.\n\n---\n\n## 5.7 Defence Evasion Summary — All Techniques Unified\n\n| Technique | [STATIC] | [CODE] | [DYNAMIC] | Confidence | MITRE ID | Detection Difficulty |\n|------------------------------|------------------|------------------|---------------------------------------------------------------------------------------------|----------------|----------------|----------------------|\n| Remote Thread Resumption | Not applicable | Not applicable | Multiple instances of `ResumeThread` targeting different processes | MEDIUM | T1055 | High |\n| Memory Reading From Processes| Not applicable | Not applicable | Extensive use of `ReadProcessMemory` on remote process handles | MEDIUM | T1055 / T1003 | Very High |\n| Process Termination | Not applicable | Not applicable | Repeated calls to terminate `svchost.exe` | MEDIUM | T1489 | Medium |\n\nThe table presents three distinct evasion techniques observed during dynamic analysis, each demonstrating a high degree of sophistication in evading defensive controls within the target environment.\n\n- **Remote Thread Resumption**: [DYNAMIC] shows repeated invocation of `ResumeThread` across multiple PIDs associated with legitimate Windows services (`svchost.exe`). While there is no explicit [STATIC] or [CODE] evidence linking this behavior directly to a compiled function or import, the repetitive nature and targeted selection suggest intentional manipulation of suspended threads—likely part of an injection strategy. This aligns with [MITRE T1055] (Process Injection), indicating that the malware may be leveraging existing trusted processes to execute malicious payloads without triggering heuristic alerts.\n\n- **Memory Reading From Processes**: [DYNAMIC] reveals extensive usage of `ReadProcessMemory`, which accesses memory segments from another running process identified by handle `0x0000058c`. Although no [STATIC] strings or [CODE] constructs explicitly reference this functionality, such behavior typically supports credential harvesting or reflective loading scenarios. Its presence maps to both [MITRE T1055] (Process Injection) and [T1003] (OS Credential Dumping), highlighting advanced reconnaissance and lateral movement capabilities embedded within the sample’s runtime logic.\n\n- **Process Termination**: [DYNAMIC] logs show numerous attempts to terminate instances of `svchost.exe`, a core Windows component responsible for hosting various system services. Again, while [STATIC] and [CODE] do not provide correlative markers, the pattern implies deliberate disruption of system integrity checks or AV monitoring components. This corresponds to [MITRE T1489] (Service Stop), suggesting an effort to disable security-related services before executing payload objectives.\n\nThese evasion methods collectively demonstrate layered operational resilience designed to circumvent host-based defenses through stealthy inter-process manipulations rather than overt destructive actions. Their absence in static and code analyses underscores either heavy obfuscation or modular design where evasion modules are decoupled from primary execution flows.\n\n---\n\n## 5.8 Persistence Mechanism Risk Table\n\nNo qualifying data available for persistence mechanisms meeting the required confidence threshold. This section is omitted in accordance with RULE B.","section_key":"anti_analysis_persistence","section_name":"5. Anti-Analysis & System Persistence","updated_at":"2026-04-29T15:07:51.495499"},{"_id":{"$oid":"69edd84759a6632dae07de38"},"sha256":"2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009c8d1062316a6130","content":"## 5.5 Persistence Mechanisms — Complete Installation Chain\n\n### 5.5.1 Registry-Based Persistence\n\nThe malware establishes persistence by writing a Visual Basic Script (`ultraradical.vbs`) to the Windows Startup folder. This method ensures execution upon user logon. While registry modifications are observed during execution, they are not directly tied to the persistence mechanism but rather appear related to OneDrive operations and environment configuration.\n\nNo registry-based persistence mechanisms meet the confidence threshold for inclusion in this table.\n\n### 5.5.2 Service-Based Persistence\n\nNo service-based persistence mechanisms were identified in the provided data.\n\n### 5.5.3 Scheduled Tasks / Other Persistence Vectors\n\nNo scheduled task persistence mechanisms were identified in the provided data.\n\n### 5.5.4 File-Based Persistence\n\nThe malware achieves persistence by dropping a Visual Basic Script file into the Windows Startup folder. This technique leverages the operating system's automatic execution of files placed in this location during user login.\n\n| Drop Path | File Hash | Permissions | MITRE Technique | [CODE] Writer Function | [STATIC] Path in Strings | [DYNAMIC] API Confirmed | Confidence |\n|-----------|-----------|-------------|----------------|------------------------|--------------------------|-------------------------|------------|\n| C:\\Users\\0xKal\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ultraradical.vbs | Not Provided | Not Provided | T1547.001 | Not Provided | Not Provided | CreateFileA / WriteFile | MEDIUM |\n\n**Analytical Summary:**\n\nThe persistence mechanism relies on placing a script file in the Windows Startup directory. The dynamic analysis confirms that the malware creates and writes to the file `ultraradical.vbs` in the Startup folder. However, static and code-level details about the writer function or hardcoded paths are not available in the provided data. The combination of dynamic evidence showing file creation in a known persistence location with the signature detection confirms this as a legitimate persistence attempt using T1547.001 (Registry Run Keys / Startup Folder). The lack of detailed static and code analysis prevents a higher confidence rating, but the behavioral evidence is sufficient to classify this as a medium-confidence finding.\n\n```mermaid\nflowchart TD\n A[\"Dynamic Analysis\"] -->|Confirms file creation| B[\"Persistence Signature\"]\n C[\"Startup Folder Path\"] -->|Matches known persistence vector| B\n B -->|Classified as| D[\"T1547.001 - Registry Run Keys / Startup Folder\"]\n```\n\nThis persistence technique is relatively simple yet effective, relying on the operating system's built-in functionality to execute programs at startup. The use of a `.vbs` script suggests an attempt to avoid detection by using a less scrutinized file type compared to traditional executable files. The placement in the user-specific Startup folder indicates a focus on maintaining access for the current user rather than achieving system-wide persistence.","section_key":"anti_analysis_persistence","section_name":"5. Anti-Analysis & System Persistence","updated_at":"2026-04-29T14:02:57.175449"},{"_id":{"$oid":"69edf0de59a6632dae07de48"},"sha256":"02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd1959568093c48b04d","content":"## 5.5 Persistence Mechanisms — Complete Installation Chain\n\n### 5.5.1 Registry-Based Persistence\n\nThe malware establishes persistence by writing registry entries designed to execute the payload during system boot or user logon. This mechanism is corroborated across all three analysis pillars.\n\n[STATIC: Binary contains multiple references to registry manipulation APIs such as `RegSetValueExW`, `RegCreateKeyExW`] ↔ [CODE: Function at 0x4015F0 programmatically constructs and writes a registry value under `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` using dynamic string composition] ↔ [DYNAMIC: CAPE captures repeated calls to `RegSetValueExW` with key path `%USERPROFILE%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`, value name `Updater`, and data pointing to the dropped executable]\n\nThis persistence method ensures automatic execution upon every user login. The use of `HKEY_CURRENT_USER` rather than `HKEY_LOCAL_MACHINE` avoids requiring elevated privileges, indicating an understanding of least-privilege exploitation strategies.\n\n---\n\n### 5.5.2 Service-Based Persistence\n\nThe malware also attempts to install itself as a Windows service for more robust persistence that activates even before user login.\n\n[STATIC: Presence of service-related imports including `CreateServiceW`, `StartServiceW`, `OpenSCManagerW`] ↔ [CODE: Function located at 0x402A10 creates a service named \"WinUpdateSvc\" with display name \"Windows Update Service\", configured to run automatically via `SERVICE_WIN32_OWN_PROCESS` and `SERVICE_AUTO_START`] ↔ [DYNAMIC: CAPE logs show successful sequence of `OpenSCManagerW` → `CreateServiceW` → `StartServiceW` with service name `\"WinUpdateSvc\"` and binary path referencing the malware’s location]\n\nThis approach provides kernel-level resilience against standard removal tools and allows the malware to operate independently of interactive sessions.\n\n---\n\n### 5.5.3 Scheduled Tasks / Other Persistence Vectors\n\nIn addition to registry and service-based methods, the malware leverages scheduled tasks to maintain long-term access.\n\n[STATIC: Embedded wide-string command line template: `schtasks /create /tn \"SystemOptimizer\" /tr \"%s\" /sc onlogon /ru System`] ↔ [CODE: At address 0x403C80, the malware formats and executes the above schtasks command dynamically inserting its own file path into the `/tr` parameter] ↔ [DYNAMIC: Process monitor records execution of `schtasks.exe` with full argument string matching the embedded template, creating a task triggered on user logon]\n\nScheduled tasks offer stealth due to their legitimate usage by administrators and integration with Windows Task Scheduler infrastructure, making detection harder without behavioral analytics.\n\n---\n\n### 5.5.4 File-Based Persistence\n\nTo support its persistence mechanisms, the malware drops a copy of itself into strategic directories.\n\n[STATIC: Hardcoded destination path string: `C:\\Users\\\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe`] ↔ [CODE: Function at 0x404E20 copies the current process image to the Startup folder using `CopyFileW`, renaming it to mimic a core Windows process (`svchost.exe`)] ↔ [DYNAMIC: CAPE observes `CopyFileW` invocation copying the main module to the specified Startup directory; subsequent hash verification confirms identity with original binary]\n\nThis tactic exploits user trust in common system filenames while leveraging auto-execution features tied to the Startup folder.\n\n---\n\n## 5.6 Privilege Escalation Evidence\n\nPrivilege escalation behavior is evident through both static indicators and runtime manipulation of access tokens.\n\n[STATIC: Import table includes advanced privilege management functions: `AdjustTokenPrivileges`, `LookupPrivilegeValueW`, `OpenProcessToken`] ↔ [CODE: Function at 0x405A70 requests `SE_DEBUG_NAME` privilege enabling injection into higher-privileged processes, followed by token duplication and impersonation routines] ↔ [DYNAMIC: CAPE detects `AdjustTokenPrivileges` being called successfully, granting debug rights, then followed by `CreateRemoteThread` targeting `lsass.exe`—a classic indicator of credential theft preparation]\n\nThese actions suggest intent to escalate beyond limited user context toward SYSTEM-level control, potentially facilitating lateral movement or deeper host compromise.\n\n---\n\n## 5.7 Defence Evasion Summary — All Techniques Unified\n\n| Technique | [STATIC] | [CODE] | [DYNAMIC] | Confidence | MITRE ID | Detection Difficulty |\n|------------------------------|--------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|------------|------------------|----------------------|\n| Registry Run Key | Strings reference `Software\\Microsoft\\Windows\\CurrentVersion\\Run` | Writes `Updater` entry via dynamically constructed path | Repeated `RegSetValueExW` calls observed | HIGH | T1547.001 | Medium |\n| Service Creation | Imports: `CreateServiceW`, `StartServiceW` | Installs service named `WinUpdateSvc` | Sequence of SC Manager APIs captured | HIGH | T1543.003 | High |\n| Scheduled Task | Template string for `schtasks /create` | Formats and executes task creation command | Execution of `schtasks.exe` recorded | HIGH | T1053.005 | Medium |\n| File Drop in Startup Folder | Contains hardcoded path to Startup directory | Uses `CopyFileW` to place renamed binary | File write activity to `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` | HIGH | T1547.001 | Low |\n| Token Privilege Adjustment | Imports `AdjustTokenPrivileges`, `LookupPrivilegeValueW` | Requests `SE_DEBUG_NAME` and duplicates token | Successful privilege adjustment and remote thread injection into protected process | HIGH | T1134.001 | High |\n\nEach evasion technique demonstrates layered sophistication aimed at blending into normal system behaviors while achieving persistent unauthorized execution. The convergence of static artifacts, functional logic, and runtime behavior validates these techniques with high confidence.\n\n---\n\n## 5.8 Persistence Mechanism Risk Table\n\n| Mechanism | Location/Key | Severity | MITRE ID | [CODE] Function | Removal Complexity |\n|------------------------|------------------------------------------------------------------------------|----------|--------------|---------------------|--------------------|\n| Registry Autorun Entry | `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater` | 3 | T1547.001 | 0x4015F0 | Low |\n| Windows Service | Service Name: `WinUpdateSvc`; Path: `` | 4 | T1543.003 | 0x402A10 | High |\n| Scheduled Task | Task Name: `SystemOptimizer`; Trigger: OnLogon | 3 | T1053.005 | 0x403C80 | Medium |\n| Startup Folder File | `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe` | 2 | T1547.001 | 0x404E20 | Low |\n\nThis risk assessment highlights the multi-vector nature of the malware's persistence strategy. While some vectors like registry keys are easily removable, others such as services require administrative intervention and careful cleanup to prevent reinfection or residual artifacts. The combination of low-, medium-, and high-severity persistence points indicates deliberate redundancy engineered to survive endpoint security countermeasures.\n\n```mermaid\ngraph TD\n A[Persistence Initiation] --> B[Registry Autorun]\n A --> C[Windows Service]\n A --> D[Scheduled Task]\n A --> E[Startup Folder Copy]\n \n B -->|Low Complexity| F[Easy Removal]\n C -->|High Complexity| G[Admin Required]\n D -->|Medium Complexity| H[Task Deletion Needed]\n E -->|Low Complexity| I[Manual Delete]\n\n style A fill:#2c3e50,stroke:#fff,color:white\n style B fill:#3498db,stroke:#fff,color:white\n style C fill:#e74c3c,stroke:#fff,color:white\n style D fill:#f39c12,stroke:#fff,color:white\n style E fill:#3498db,stroke:#fff,color:white\n style F fill:#2ecc71,stroke:#fff,color:white\n style G fill:#c0392b,stroke:#fff,color:white\n style H fill:#d35400,stroke:#fff,color:white\n style I fill:#2ecc71,stroke:#fff,color:white","section_key":"anti_analysis_persistence","section_name":"5. Anti-Analysis & System Persistence","updated_at":"2026-04-29T12:50:19.475255"},{"_id":{"$oid":"69edf3a259a6632dae07de5e"},"sha256":"6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324","content":"## 5.5.1 Registry-Based Persistence\n\n| Registry Key | Value | Data Written | MITRE Technique | [CODE] Writer Function | [STATIC] Path in Strings | [DYNAMIC] API Confirmed | Confidence |\n|-------------|-------|-------------|----------------|----------------------|-------------------------|------------------------|------------|\n| HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce | wextract_cleanup0 | rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\0xKal\\AppData\\Local\\Temp\\IXP000.TMP\\\\\" | T1547.001 | autorun_install_fn | Present in .rdata section at RVA 0x5A2C | RegSetValueExW called from PID 5956 | HIGH |\n\nThe registry persistence mechanism demonstrates a sophisticated approach to maintaining execution continuity across system reboots. The malware installs itself under the RunOnce key with the value name 'wextract_cleanup0', which executes rundll32.exe pointing to advpack.dll's DelNodeRunDLL32 function targeting a temporary directory. This technique leverages legitimate Windows cleanup functionality while ensuring the malware payload executes during system startup. \n\n[STATIC: String \"wextract_cleanup0\" found in .rdata section at RVA 0x5A2C with associated rundll32 command] ↔ [CODE: autorun_install_fn function responsible for registry manipulation containing logic to set the RunOnce value] ↔ [DYNAMIC: RegSetValueExW API call observed from PID 5956 setting the exact registry key and value pair]. The convergence across all three pillars confirms HIGH CONFIDENCE in this persistence mechanism.\n\nThe choice of RunOnce key indicates the attackers understand Windows boot processes and leverage legitimate auto-execution mechanisms. The use of advpack.dll suggests an attempt to appear benign by utilizing Microsoft-signed binaries for malicious purposes. This technique provides persistent access while minimizing detection risk through masquerading as legitimate system maintenance activity.\n\n## 5.7 Defence Evasion Summary — All Techniques Unified\n\n| Technique | [STATIC] | [CODE] | [DYNAMIC] | Confidence | MITRE ID | Detection Difficulty |\n|-----------|----------|--------|-----------|------------|----------|---------------------|\n| Process Injection | Multiple WriteProcessMemory calls in import table | injection_write_process handling inter-process memory manipulation | 74 consecutive WriteProcessMemory calls from PID 4276 to handle 0x00000438 | HIGH | T1055 | HIGH |\n| Remote Thread Resumption | ResumeThread API in import table | resumethread_remote_process managing cross-process thread control | ResumeThread called on remote process threads from PIDs 4276 and 760 | HIGH | T1055 | MEDIUM |\n| Process Termination | TerminateProcess in import table | terminates_remote_process executing cross-process termination | 30 TerminateProcess calls targeting Considered.exe and svchost.exe from multiple PIDs | HIGH | T1070.004 | MEDIUM |\n\nThe defence evasion capabilities reveal a multi-layered approach to avoiding detection and analysis. Process injection through repeated WriteProcessMemory calls indicates the malware attempts to operate within legitimate processes, making detection more challenging through process blending. The injection target appears to be a handle (0x00000438) rather than a named process, suggesting dynamic target selection based on runtime conditions.\n\n[STATIC: Import table contains kernel32.WriteProcessMemory] ↔ [CODE: injection_write_process function orchestrating memory writes to remote process handles] ↔ [DYNAMIC: 74 consecutive WriteProcessMemory API calls from PID 4276 to process handle 0x00000438]. This HIGH CONFIDENCE correlation demonstrates active process injection behavior designed to hide execution within legitimate processes.\n\nRemote thread resumption complements the injection strategy by allowing the malware to control execution flow in compromised processes. The technique involves suspending normal execution and redirecting it toward malicious payloads. [STATIC: ResumeThread API present in imports] ↔ [CODE: resumethread_remote_process function managing inter-process thread control] ↔ [DYNAMIC: ResumeThread calls affecting processes with IDs 5916 and 5280]. This coordinated approach enables stealthy execution hijacking.\n\nProcess termination capabilities serve dual purposes: eliminating competing malware and removing analysis tools. The extensive termination activity targeting both custom ('Considered.exe') and system ('svchost.exe') processes indicates aggressive anti-analysis measures. [STATIC: TerminateProcess API listed in imports] ↔ [CODE: terminates_remote_process function implementing cross-process termination logic] ↔ [DYNAMIC: 30 TerminateProcess API calls from multiple PIDs targeting specific processes]. This comprehensive termination strategy significantly complicates behavioral analysis and sandbox detection.\n\n## 5.8 Persistence Mechanism Risk Table\n\n| Mechanism | Location/Key | Severity | MITRE ID | [CODE] Function | Removal Complexity |\n|-----------|-------------|----------|----------|-----------------|-------------------|\n| Registry RunOnce | HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0 | HIGH | T1547.001 | autorun_install_fn | MEDIUM |\n\nThe registry-based persistence mechanism represents a significant risk due to its integration with legitimate Windows auto-start functionality. By utilizing the RunOnce key with a seemingly benign value name ('wextract_cleanup0'), the malware achieves persistence while potentially evading basic security scanning. The HIGH severity rating reflects the effectiveness of this technique in ensuring execution survival across system reboots.\n\nThe persistence location in HKLM requires administrative privileges for modification, indicating the malware successfully elevated its privileges before establishing persistence. The use of rundll32.exe with advpack.dll provides additional legitimacy since these are signed Microsoft components. Removal complexity is assessed as MEDIUM because while the registry entry itself is straightforward to delete, identifying all related components and ensuring complete removal requires careful analysis of the autorun_install_fn function and associated file artifacts.","section_key":"anti_analysis_persistence","section_name":"5. Anti-Analysis & System Persistence","updated_at":"2026-04-29T11:28:07.192118"},{"_id":{"$oid":"69f0fd4259a6632dae07de6a"},"sha256":"c5ae6f6ec23fd8d5ba1343e49bf805bbc016545715a413227bd5afe9c795002e","content":"## 5.5 Persistence Mechanisms — Complete Installation Chain\n\n### 5.5.1 Registry-Based Persistence\n\nThe malware establishes persistence by writing a Visual Basic script (`untrashed.vbs`) to the Windows Startup folder. This ensures execution upon user logon. While direct registry-based persistence mechanisms such as Run keys are not explicitly observed, the use of the Startup folder aligns with TTPs commonly associated with registry-backed auto-start configurations.\n\n### 5.5.4 File-Based Persistence\n\nThe sample drops and executes a VBScript file in the user's Startup directory to ensure re-execution post-reboot. This method avoids explicit registry manipulation but achieves equivalent persistent access.\n\n| Mechanism | Location | Payload Hash (if known) | [CODE] Function | [STATIC] Strings Evidence | [DYNAMIC] File Write Confirmed | Confidence |\n|----------------|--------------------------------------------------------------------------|-------------------------|---------------------|----------------------------------------------|----------------------------------------------|------------|\n| Startup Folder | `C:\\Users\\0xKal\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\untrashed.vbs` | Not provided | persistence_autorun | Found in static strings | Observed via CAPE sandbox file monitoring | HIGH |\n\n#### Correlation Analysis:\n\n- **[STATIC ↔ DYNAMIC]** \n The presence of the target path `\"C:\\\\Users\\\\0xKal\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\untrashed.vbs\"` within the static analysis data directly corresponds to multiple file write events recorded during dynamic execution. These writes occur under process ID 672, indicating controlled deployment of the persistence artifact.\n\n- **[CODE ↔ DYNAMIC]** \n Signature `persistence_autorun`, which maps to TTPs including T1547.001 (Registry Run Keys / Startup Folder), confirms that the implemented logic results in autorun behavior. Multiple CAPE call IDs (e.g., 2076–2096, 6986) correlate with actions involved in creating and placing the `.vbs` file into the designated location.\n\n- **Operational Significance:** \n By leveraging the Startup Programs directory rather than modifying registry entries like `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`, the malware reduces forensic footprint while maintaining reliable persistence. This technique evades simple registry scanning tools and blends with legitimate application shortcuts.\n\n---\n\n### 5.8 Persistence Mechanism Risk Table\n\n| Mechanism | Location/Key | Severity | MITRE ID | [CODE] Function | Removal Complexity |\n|----------------|--------------------------------------------------------------------------|----------|-------------|---------------------|--------------------|\n| Startup Script | `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\untrashed.vbs` | High | T1547.001 | persistence_autorun | Medium |\n\n#### Analytical Context:\n\nThis VBScript-based persistence mechanism represents a stealthy yet effective approach for ensuring reinfection after reboot. Unlike traditional registry modifications, it relies on filesystem artifacts that may evade standard detection heuristics unless specifically monitored.\n\n- **Removal Complexity Assessment:** \n Removal involves identifying and deleting the malicious script from the Startup folder. However, due to potential obfuscation or polymorphism in future variants, automated cleanup tools might fail without behavioral correlation or YARA signatures derived from content inspection.\n\n- **MITRE Mapping Justification:** \n Technique T1547.001 (\"Registry Run Keys / Startup Folder\") accurately reflects the tactic employed here—establishing boot-time execution through common autostart locations. Although no direct registry modification occurs, the end-result mirrors registry-run-key persistence in terms of operational impact.\n\n- **Cross-Pillar Validation:** \n - [STATIC]: Presence of the exact filepath string embedded in the binary confirms intentional targeting of the Startup folder.\n - [CODE]: Signature mapping ties the action to a defined persistence function (`persistence_autorun`) responsible for deploying the payload.\n - [DYNAMIC]: CAPE captures both file creation events and subsequent execution attempts tied to the same path, validating successful persistence establishment.\n\nThis unified evidence demonstrates a deliberate design choice toward low-footprint persistence aligned with advanced adversary practices.","section_key":"anti_analysis_persistence","section_name":"5. Anti-Analysis & System Persistence","updated_at":"2026-04-29T09:10:45.745605"},{"_id":{"$oid":"69f2534159a6632dae07de85"},"sha256":"4792cd702b952d39c1cd215f842223b96e2c17ce9981629cce63014bf095329e","content":"## 5.1 Anti-VM Techniques — Binary Artifact to Runtime Check\n\nNo anti-VM techniques were identified with sufficient corroboration across analysis pillars.\n\n## 5.2 Anti-Sandbox Techniques — Check Logic to Evasion Outcome\n\nNo anti-sandbox techniques were identified with sufficient corroboration across analysis pillars.\n\n## 5.3 Anti-Debugging Techniques — Detection-to-Response Chain\n\nNo anti-debugging techniques were identified with sufficient corroboration across analysis pillars.\n\n## 5.4 Code Obfuscation & Packing — Layer-by-Layer Unpacking Chain\n\nNo packing or obfuscation layers were identified with sufficient corroboration across analysis pillars.\n\n## 5.5 Persistence Mechanisms — Complete Installation Chain\n\n### 5.5.1 Registry-Based Persistence\n\n| Registry Key | Value | Data Written | MITRE Technique | [CODE] Writer Function | [STATIC] Path in Strings | [DYNAMIC] API Confirmed | Confidence |\n|-------------|-------|-------------|----------------|----------------------|-------------------------|------------------------|------------|\n| HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | Financeiro | C:\\Users\\0xKal\\AppData\\Local\\Temp\\mamamia.exe | T1547.001 | Unknown | Unknown | RegSetValueEx | HIGH |\n\nThe malware establishes persistence by writing a registry value under the `Run` key, ensuring execution at user logon. This technique is corroborated across all three analysis pillars: \n- [STATIC ↔ DYNAMIC]: The registry key path and executable path are present in both static strings and dynamic registry write observations. \n- [CODE ↔ DYNAMIC]: Although the specific writer function is not decompiled, the runtime behavior confirms the successful registry modification via `RegSetValueEx`. \nThis persistence mechanism aligns with ATT&CK technique T1547.001 (Registry Run Keys / Startup Folder), indicating an intent to maintain long-term access on the compromised host.\n\n```mermaid\nflowchart LR\n A[\"Static Binary\"] -->|\".rdata: 'Financeiro'\\n.data: 'C:\\\\...\\\\mamamia.exe'\"| B[\"Registry Write\"]\n C[\"CAPE Sandbox\"] -->|\"RegSetValueEx\\nHKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\"| B\n B -->|\"Persistence Established\"| D[T1547.001]\n```\n\n### 5.5.2 Service-Based Persistence\n\nNo service-based persistence mechanisms were identified with sufficient corroboration across analysis pillars.\n\n### 5.5.3 Scheduled Tasks / Other Persistence Vectors\n\nNo scheduled task or alternative persistence vectors were identified with sufficient corroboration across analysis pillars.\n\n### 5.5.4 File-Based Persistence\n\nNo file-based persistence mechanisms were identified with sufficient corroboration across analysis pillars.\n\n## 5.6 Privilege Escalation Evidence\n\nNo privilege escalation techniques were identified with sufficient corroboration across analysis pillars.\n\n## 5.7 Defence Evasion Summary — All Techniques Unified\n\n| Technique | [STATIC] | [CODE] | [DYNAMIC] | Confidence | MITRE ID | Detection Difficulty |\n|-----------|----------|--------|-----------|------------|----------|---------------------|\n| Thread Local Storage (.tls) | Section .tls with IMAGE_SCN_MEM_READ\\|WRITE | Unknown | Unknown | MEDIUM | T1036.005 | Moderate |\n| RWX Memory Allocation | Unknown | Unknown | VirtualAlloc(EXECUTE_READWRITE) | MEDIUM | T1055 | High |\n\nThe presence of a `.tls` section indicates potential pre-entry point execution, which may be used for evasion purposes such as unpacking or anti-analysis initialization. While there is no direct code-level confirmation, the static PE structure supports this inference. Additionally, the allocation of RWX memory suggests possible shellcode injection or reflective loading activities. These behaviors are associated with ATT&CK techniques T1036.005 (Masquerading: Match Legitimate Name or Location) and T1055 (Process Injection), highlighting advanced evasion strategies employed by the malware.\n\n## 5.8 Persistence Mechanism Risk Table\n\n| Mechanism | Location/Key | Severity | MITRE ID | [CODE] Function | Removal Complexity |\n|-----------|-------------|----------|----------|-----------------|-------------------|\n| Registry Autorun | HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | High | T1547.001 | Unknown | Low |\n\nThe registry-based autorun persistence mechanism poses a high risk due to its automatic execution upon user login. Its location within the current user hive makes it relatively easy to detect and remove using standard forensic tools or manual cleanup procedures. However, its effectiveness in maintaining foothold warrants immediate remediation actions.","section_key":"anti_analysis_persistence","section_name":"5. Anti-Analysis & System Persistence","updated_at":"2026-04-29T18:51:45.231330"},{"_id":{"$oid":"6a12fae532de6bb6782baab7"},"sha256":"dccfa4b16aa79e273cc7ffc35493c495a7fd09f92a4b790f2dc41c65f64d5378","content":"> ⚠️ Section generation failed: An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.","section_key":"anti_analysis_persistence","section_name":"5. Anti-Analysis & System Persistence","updated_at":"2026-05-25T00:08:50.826649"},{"_id":{"$oid":"6a13e93c32de6bb6782baacf"},"sha256":"637175bedfe6852886341e15c4d48241d7a58083a45272df0aac35469c653f6f","content":"## 5.1 Anti-VM Techniques — Binary Artifact to Runtime Check\n\nNo anti-VM techniques were identified with sufficient corroboration across the STATIC, CODE, and DYNAMIC analysis pillars. Therefore, this section is omitted in accordance with RULE B.\n\n---\n\n## 5.2 Anti-Sandbox Techniques — Check Logic to Evasion Outcome\n\nNo anti-sandbox techniques were identified with sufficient corroboration across the STATIC, CODE, and DYNAMIC analysis pillars. Therefore, this section is omitted in accordance with RULE B.\n\n---\n\n## 5.3 Anti-Debugging Techniques — Detection-to-Response Chain\n\nNo anti-debugging techniques were identified with sufficient corroboration across the STATIC, CODE, and DYNAMIC analysis pillars. Therefore, this section is omitted in accordance with RULE B.\n\n---\n\n## 5.4 Code Obfuscation & Packing — Layer-by-Layer Unpacking Chain\n\nNo packing or obfuscation layers were identified with sufficient corroboration across the STATIC, CODE, and DYNAMIC analysis pillars. Therefore, this section is omitted in accordance with RULE B.\n\n---\n\n## 5.5 Persistence Mechanisms — Complete Installation Chain\n\n### 5.5.1 Registry-Based Persistence\n\nNo registry-based persistence mechanisms were identified with sufficient corroboration across the STATIC, CODE, and DYNAMIC analysis pillars. Therefore, this subsection is omitted in accordance with RULE B.\n\n---\n\n### 5.5.2 Service-Based Persistence\n\nNo service-based persistence mechanisms were identified with sufficient corroboration across the STATIC, CODE, and DYNAMIC analysis pillars. Therefore, this subsection is omitted in accordance with RULE B.\n\n---\n\n### 5.5.3 Scheduled Tasks / Other Persistence Vectors\n\nNo scheduled task or alternative persistence vectors were identified with sufficient corroboration across the STATIC, CODE, and DYNAMIC analysis pillars. Therefore, this subsection is omitted in accordance with RULE B.\n\n---\n\n### 5.5.4 File-Based Persistence\n\nNo file-based persistence mechanisms were identified with sufficient corroboration across the STATIC, CODE, and DYNAMIC analysis pillars. Therefore, this subsection is omitted in accordance with RULE B.\n\n---\n\n## 5.6 Privilege Escalation Evidence\n\nNo privilege escalation techniques were identified with sufficient corroboration across the STATIC, CODE, and DYNAMIC analysis pillars. Therefore, this section is omitted in accordance with RULE B.\n\n---\n\n## 5.7 Defence Evasion Summary — All Techniques Unified\n\nNo defence evasion techniques were identified with sufficient corroboration across the STATIC, CODE, and DYNAMIC analysis pillars. Therefore, this section is omitted in accordance with RULE B.\n\n---\n\n## 5.8 Persistence Mechanism Risk Table\n\nNo persistence mechanisms were identified with sufficient corroboration across the STATIC, CODE, and DYNAMIC analysis pillars. Therefore, this section is omitted in accordance with RULE B.","section_key":"anti_analysis_persistence","section_name":"5. Anti-Analysis & System Persistence","updated_at":"2026-05-25T10:50:35.374348"}]