Malware Deep Dive | Huntress
ATT&CK techniques detected
T1055.001 Dynamic-link Library Injection
83%
"and imports. Although the file properties provided no additional insight, the strings/imports suggested this DLL was some sort of loader: - allocates memory - loads a library - resolves a function's address - declares victory? A call graph shows the DLL doesn't do very muc…"
T1574.001 DLL
64%
"Malware Deep Dive | Huntress. When we come across a persistent foothold, it's often just the tip of the iceberg. The Huntress SOC team flagged a user Run key value with the name "xmnusbqh4865," which in and of itself was suspicious. The command executed was equally suspect: r…"
T1204.002 Malicious File
39%
"communication code to hide). We pulled WinDbg out of the toolbox to see if we could find what was at EBX when it's called. We loaded the file, searched for the opcode FFD3 (call ebx), and set the breakpoint at that address. Now it was time to execute! As soon as the breakpoi…"
T1574.001 DLL
35%
"and imports. Although the file properties provided no additional insight, the strings/imports suggested this DLL was some sort of loader: - allocates memory - loads a library - resolves a function's address - declares victory? A call graph shows the DLL doesn't do very muc…"
Summary
In this blog, read along as we investigate a malicious foothold and decode the payload step by step.