The 5 Most Prevalent Malicious Tactics of 2024

Modern defense is built on tactics, techniques, and procedures (TTPs). Unlike indicators of compromise (IOCs), TTPs change far less often, which makes them a dependable way to identify specific threats.


Below is a rundown of the most frequently observed techniques, drawn from ANY.RUN's Q3 2024 report on malware trends, with real-world examples of each.

Disabling Windows Event Logging (T1562.002)

Tampering with Windows Event Logging helps attackers keep the system from recording key details about their activity.

Without event logs, important information such as logon attempts, file changes, and system updates goes unrecorded, leaving security tools and analysts with incomplete or missing data.

Windows Event Logging can be tampered with in several ways, including modifying registry entries or running commands such as "net stop eventlog". Changing Group Policy settings is another common approach.

Because many detection mechanisms rely on log analysis to spot suspicious activity, malware can run unnoticed for long periods.

Example: XWorm Disables Remote Access Service Logs

To detect, observe, and analyze different kinds of malicious TTPs in a safe environment, you can use ANY.RUN's Interactive Sandbox. The service provides fully configurable Windows and Linux virtual machines, letting users not only detonate malware and watch it run in real time but also interact with it as they would with an ordinary computer.

Because it records all system and network activity, ANY.RUN makes it faster and easier to spot malicious actions such as disabling Windows Event Logging.

Results of XWorm's execution shown in the ANY.RUN sandbox session

Take a look at this analysis session, in which XWorm, a widespread remote access trojan (RAT), uses T1562.002.

The sandbox's description of the malicious process and its registry changes

Specifically, it modifies the registry to disable trace logging for RASAPI32, the component that handles remote access connections on the system.

The malware modifies several registry values to disable logging

By setting ENABLEAUTOFILETRACING and the other registry values associated with RASAPI32 to 0, the attacker ensures that no logs are written, making it hard for security tools such as antimalware software to detect the activity.
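The registry writes described above are easy to catch if a sensor records "value set" events. The following detector is an added example, not code from the article or from ANY.RUN: it flags any write that turns an Enable*Tracing switch off under HKLM\SOFTWARE\Microsoft\Tracing (a real Windows key), generalizing from RASAPI32 to every component logged there. The events and process paths are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

# Constructed registry-write events in the shape a Sysmon-style "value set" sensor
# yields: (writing process, full key path, value name, new data). The Tracing key
# and its Enable*Tracing values are real Windows locations; the processes are invented.
Event = Tuple[str, str, str, Union[int, str]]
SAMPLE_EVENTS: List[Event] = [
    (r"C:\Windows\System32\svchost.exe",
     r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32", "FileDirectory", r"%windir%\tracing"),
    (r"C:\Users\victim\AppData\Roaming\sample.exe",
     r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32", "EnableAutoFileTracing", 0),
    (r"C:\Users\victim\AppData\Roaming\sample.exe",
     r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32", "EnableFileTracing", 0),
    (r"C:\Users\victim\AppData\Roaming\sample.exe",
     r"HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32", "EnableConsoleTracing", 0),
    (r"C:\Windows\System32\mmc.exe",
     r"HKLM\SOFTWARE\Microsoft\Tracing\RASMAN", "EnableFileTracing", 1),  # turned ON: benign
]

# Any component under ...\Microsoft\Tracing, and any value named Enable...Tracing.
TRACING_KEY = re.compile(r"\\Microsoft\\Tracing\\(?P<component>[^\\]+)$", re.IGNORECASE)
TRACING_SWITCH = re.compile(r"^Enable\w*Tracing$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    process: str
    component: str
    value: str


def detect_tracing_disabled(events: List[Event]) -> List[Finding]:
    """Return one Finding per write that switches a tracing control off (data == 0).

    Matching every Tracing subkey, not only RASAPI32, catches a sample that silences
    a different subsystem's trace log in the same way.
    """
    findings = []
    for process, key, value_name, data in events:
        key_match = TRACING_KEY.search(key)
        if not key_match or not TRACING_SWITCH.match(value_name):
            continue
        if str(data).lower() in ("0", "0x0"):
            findings.append(Finding(process, key_match["component"], value_name))
    return findings
```

Three consecutive findings from one non-system process, as in the constructed sample, are worth raising as a single alert rather than three.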


PowerShell Misuse (T1059.001)

PowerShell is a scripting language and command-line shell built into Windows. Attackers frequently abuse it to carry out a range of malicious actions, including changing system settings, exfiltrating data, and maintaining persistent access to compromised systems.

Because PowerShell is so capable, threat actors can also use obfuscation, such as encoding commands or advanced scripting techniques, to evade detection.

Example: BlankGrabber Uses PowerShell to Evade Detection

Consider this analysis of a BlankGrabber sample, a malware family used to steal sensitive information from compromised systems. After launch, the malware starts several processes, including PowerShell, to change system settings in order to evade detection.

All the tasks BlankGrabber executed through PowerShell, as shown in the sandbox

ANY.RUN immediately identifies all of the malware's actions and presents a detailed breakdown. Among other things, BlankGrabber uses PowerShell to disable the Intrusion Prevention System (IPS), OAV Protection, and Real-time Monitoring in Windows. The sandbox also shows the contents of the command line, revealing the exact commands the malware used.
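Encoded commands, mentioned above as a common obfuscation, hide the script from a plain command-line search, so triage starts by decoding them. This is an added example, not code from the article or ANY.RUN: it recovers the UTF-16LE script behind -EncodedCommand and looks for real Set-MpPreference parameter names that disable the protections listed above. The sample command line is constructed here, not taken from the sandbox session.

```python
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts abbreviated switch names; these spellings of -EncodedCommand
# are the ones most often seen on command lines.
ENCODED_SWITCH = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Real Set-MpPreference cmdlet/parameter names whose presence in a decoded script
# points at tampering with the built-in protections the page lists.
TAMPERING_MARKERS = ("set-mppreference", "disablerealtimemonitoring",
                     "disableintrusionpreventionsystem", "disableioavprotection")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand, or None if absent or undecodable.

    PowerShell expects the base64 payload to be UTF-16LE text, so invalid base64 or
    an odd byte count means this is not a genuine encoded command.
    """
    match = ENCODED_SWITCH.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def tampering_markers(script: str) -> List[str]:
    # Backticks are PowerShell's escape character and a cheap way to split keywords.
    lowered = script.lower().replace("`", "")
    return [m for m in TAMPERING_MARKERS if m in lowered]


def triage(cmdline: str) -> Dict[str, object]:
    """Decode the command line if it is encoded, then report tampering markers."""
    script = decode_encoded_command(cmdline)
    text = script if script is not None else cmdline
    return {"encoded": script is not None, "script": text, "markers": tampering_markers(text)}


# Constructed sample launcher, built here so the block is self-contained.
SAMPLE_SCRIPT = "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true"
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"))
```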

Windows Command Shell Abuse (T1059.003)

Attackers also commonly abuse the Windows Command Shell (cmd.exe), another versatile tool used for legitimate administrative tasks such as file management and script execution. Its widespread use makes it an attractive way to hide malicious activity.

Through the command shell, attackers can run a wide range of harmful commands, from fetching payloads from remote servers to executing malware. The shell can also launch PowerShell scripts, enabling further malicious activity.

Because cmd.exe is a trusted and widely used utility, malicious commands blend in easily with legitimate operations, making it harder for security tools to spot and block threats in real time. Attackers may also obfuscate their commands to further evade detection.

Example: Lumma Uses CMD for Payload Execution

Review this analysis of Lumma, a widely used information stealer that has been active since 2022.

The sandbox assigns the cmd.exe process a score of 100, indicating malicious behavior

ANY.RUN gives detailed insight into the operations the malware performs through cmd. These include launching an application with an unusual extension and modifying the content of an executable, exposing the attackers' abuse of the process.


Alteration of Registry Run Keys (T1547.001)

To make their malware run automatically every time the system boots, attackers add entries to specific registry keys that launch programs at startup.

Malicious files can also be placed in the Startup folder, a special directory whose contents Windows runs when a user logs in.

By using Registry Run Keys and the Startup folder, attackers gain long-term persistence, allowing them to continue activities such as data theft, lateral movement across the network, or further exploitation of the system.

Example: Remcos Gains Persistence through a RUN Key

Here is an example of this technique as used by Remcos. In this case, the modified registry key is HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN.

The sandbox maps the relevant TTPs to the various malicious actions

By adding an entry to the RUN key, the Remcos backdoor ensures it starts automatically at every new logon, securing persistence on the infected system.
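A periodic audit of the Run key above is one of the cheapest persistence checks a defender can run. The following is an added example, not code from the article or ANY.RUN: it parses each Run value, expands %VAR% references, and flags programs in user-writable directories or script-host launchers, while skipping entries that match a known-good baseline so legitimate per-user software under AppData does not swamp the list. The key snapshot, entry names, paths and environment are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed snapshot of HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,
# the key the Remcos sample above writes to. Entry names and paths are invented.
SAMPLE_RUN_KEY: Dict[str, str] = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Program Files\Vendor App\updater.exe --silent",
    "remcos": r"C:\Users\victim\AppData\Roaming\remcos\remcos.exe",
    "Helper": r'wscript.exe //B "%APPDATA%\helper.vbs"',
}
ENV = {"APPDATA": r"C:\Users\victim\AppData\Roaming", "TEMP": r"C:\Users\victim\AppData\Local\Temp"}

USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe"}
# First token: a quoted path, or an unquoted one (spaces allowed) ending in a program extension.
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|bat|cmd|vbs|js|ps1|scr|pif|dll)))(?:\s|$)', re.IGNORECASE)


def expand(cmd: str) -> str:
    for name, value in ENV.items():
        cmd = cmd.replace(f"%{name}%", value)
    return cmd


def launched_program(cmd: str) -> Optional[str]:
    match = EXE_RE.match(cmd.strip())
    return (match.group(1) or match.group(2)) if match else None


def audit_run_key(entries: Dict[str, str], baseline: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Return {entry name: reasons} for Run values that deserve a look; baseline entries are skipped."""
    baseline = baseline or {}
    findings: Dict[str, List[str]] = {}
    for name, cmd in entries.items():
        if baseline.get(name) == cmd:
            continue
        expanded = expand(cmd)
        program = launched_program(expanded)
        reasons: List[str] = []
        if program is None:
            reasons.append("launched program not parseable")
        else:
            if USER_WRITABLE.search(program):
                reasons.append("program lives in a user-writable path")
            if program.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
                reasons.append("script host / proxy launcher")
                if USER_WRITABLE.search(expanded[len(program):]):
                    reasons.append("arguments reference a user-writable path")
        if reasons:
            findings[name] = reasons
    return findings
```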

Time-Based Evasion (T1497.003)

Time-based evasion is used by malware to avoid detection by security solutions that rely on sandboxing. Many sandboxes limit their monitoring window, often to just a few minutes. By delaying execution of its malicious code, malware can avoid detection within that window.

Another goal of this TTP is to make the malware appear benign during initial analysis, lowering the chance of raising suspicion. Delayed execution can make it hard for behavioral analysis tools to connect the initial benign behavior with the later malicious activity.

Malware often depends on several components or files to complete its infection chain. Delays help synchronize the execution of its different parts. For example, if the malware needs to download additional components from a remote server, a delay can ensure those components are fully downloaded and ready before the main payload runs.

Some malicious actions may depend on other tasks completing first. Introducing delays helps manage these dependencies and keeps each step of the infection chain in the proper order.

Example: DCRAT Delays Execution During Infection

Dark Crystal RAT (DCRAT) is one of many malware families that rely on time-based evasion to remain inconspicuous on a compromised system.

ANY.RUN provides a built-in MITRE ATT&CK Matrix for tracking TTPs detected during analysis

In the following sandbox session, we can see DCRAT sleep for 2000 milliseconds, i.e. 2 seconds, before continuing execution. This is most likely intended to make sure that all files needed for the next stage of the infection are ready to run.

The ANY.RUN sandbox shows details of every malicious process

Another time-based evasion trick of DCRAT identified by ANY.RUN is its use of the legitimate w32tm.exe utility to delay its execution chain.
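A behaviour log makes the two stalling patterns described in this section (sleeping and spawning a legitimate helper such as w32tm.exe) measurable. The following is an added example, not code from the article or ANY.RUN: it totals each process's sleep time, records delay helpers it spawns, and measures the gap before its first file or network effect, flagging a process that sleeps away more than a set fraction of the sandbox window or uses a helper. The timeline, pids, paths and addresses are constructed; only the 2000 ms sleep mirrors the session above.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process timeline in the shape a sandbox behaviour log might yield:
# (timestamp_ms, pid, event_kind, detail). The 2000 ms sleeps mirror the DCRAT
# session described above; pids, paths, addresses and other timings are invented.
SAMPLE_TIMELINE: List[Tuple[int, int, str, str]] = [
    (0,    4100, "process_start", r"C:\Users\victim\AppData\Local\Temp\stage1.exe"),
    (120,  4100, "api_sleep",     "2000"),
    (2130, 4100, "child_process", r"C:\Windows\System32\w32tm.exe"),
    (2140, 4100, "api_sleep",     "2000"),
    (9000, 4100, "file_write",    r"C:\Users\victim\AppData\Roaming\svc.exe"),
    (9500, 4100, "network",       "203.0.113.10:443"),
    (0,    5200, "process_start", r"C:\Program Files\Vendor App\updater.exe"),
    (300,  5200, "network",       "198.51.100.7:443"),
]

DELAY_HELPERS = {"w32tm.exe"}          # legitimate binary the page notes being used to stall
EFFECT_EVENTS = {"file_write", "network"}


def analyze_dormancy(timeline, window_ms: int = 120_000, max_quiet_fraction: float = 0.05) -> Dict[int, dict]:
    """Per pid: accumulated sleep, delay helpers spawned, and ms until the first
    file/network effect. Suspicious when sleep exceeds max_quiet_fraction of the
    sandbox window or a delay helper is spawned."""
    stats: Dict[int, dict] = defaultdict(
        lambda: {"start_ms": None, "sleep_ms": 0, "helpers": [], "first_effect_ms": None})
    for ts, pid, kind, detail in sorted(timeline):
        s = stats[pid]
        if kind == "process_start":
            s["start_ms"] = ts
        elif kind == "api_sleep":
            s["sleep_ms"] += int(detail)
        elif kind == "child_process" and detail.rsplit("\\", 1)[-1].lower() in DELAY_HELPERS:
            s["helpers"].append(detail)
        elif kind in EFFECT_EVENTS and s["first_effect_ms"] is None:
            s["first_effect_ms"] = ts - (s["start_ms"] or 0)
    for s in stats.values():
        s["suspicious"] = s["sleep_ms"] > window_ms * max_quiet_fraction or bool(s["helpers"])
    return dict(stats)
```

Short sleeps like the 2 s here stay under the sleep threshold by design; it is the helper process, or a sum of many sleeps, that trips the flag.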

Analyze Malware with the ANY.RUN Sandbox

ANY.RUN provides a cloud-based sandbox for analyzing malware and phishing threats, delivering fast and accurate results to improve your investigations. Its advanced features let you interact freely with uploaded files, URLs, and the system itself for a thorough look at the threat.

  • Start an analysis simply by uploading a file or URL
  • Threats are typically identified in under 60 seconds
  • Quickly gain deep insight into malware behavior and generate threat reports
  • Type, open links, download attachments, and run programs inside the virtual machine
  • Use private analysis mode and collaboration tools for team work

Integrate the ANY.RUN sandbox into your organization's workflow with a 14-day trial to explore its full set of capabilities.

This article is a contributed piece from one of our valued partners.
