Beyond good ol’ Run key, Part 68

December 8, 2017 in Anti-*, Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

Modifying Software\Classes\CLSID branches is a trick malware has used for ages. It is important to recognize, though, that there are many variants of it: the keys are consumed by different applications and libraries, for very different purposes, and there is no end to the possibilities they offer to malware authors.

Here’s a less-known CLSID branch that can be used to execute malware any time you press WIN+E to open a new Windows Explorer window.

Example for calculator (tested on Windows 10). The key is created under HKCU, so no administrative rights are needed, and the per-user entry takes precedence over the system-wide definition in HKLM\Software\Classes:

HKCU\Software\Classes\CLSID\
{52205fd8-5dfb-447d-801a-d0b52f2e83e1}\
shell\opennewwindow\command
"DelegateExecute"=""
@="c:\\windows\\system32\\calc.exe"

The values are shown in .reg syntax (the stored default value is c:\windows\system32\calc.exe). The empty DelegateExecute value matters: with no IExecuteCommand handler to delegate to, the shell falls back to the command line in the key's default value.

Update

There is a side-effect to this setting: launching explorer.exe, whether via WIN+E, by double-clicking explorer.exe inside Windows Explorer, or by running it via WIN+R, will always end up with calc.exe being executed instead of a new Explorer window. Malware would need to handle this situation appropriately (e.g. by opening the requested Explorer window itself after running its payload).
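A quick way to check a host for this particular override, as an added example that is not part of the original post, is a PowerShell script that compares the per-user copy of the key against the machine-wide one. It assumes the genuine handler is registered under HKLM\Software\Classes and that any override lives in a user hive (HKCU, or HKU\<SID> for other loaded profiles); the function and variable names are mine.

```powershell
# Added example, not from the original post: audit a Windows host for a user-level
# override of Explorer's "opennewwindow" verb, the persistence described above.
# Assumptions: the genuine handler is defined under HKLM\Software\Classes and any
# override lives in a user hive (HKCU, or HKU\<SID> for other loaded profiles).

$Clsid  = '{52205fd8-5dfb-447d-801a-d0b52f2e83e1}'
$SubKey = "Software\Classes\CLSID\$Clsid\shell\opennewwindow\command"

function Get-OpenNewWindowCommand {
    param([Parameter(Mandatory)][string]$HivePath)   # e.g. HKEY_LOCAL_MACHINE or HKEY_USERS\S-1-5-21-...
    $path = "Registry::$HivePath\$SubKey"
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $key = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Hive            = $HivePath
        Command         = $key.GetValue('')                 # (Default): command line used when nothing is delegated
        DelegateExecute = $key.GetValue('DelegateExecute')  # CLSID of an IExecuteCommand handler, or empty/absent
    }
}

# Baseline: what the OS itself registers for this verb.
$baseline = Get-OpenNewWindowCommand -HivePath 'HKEY_LOCAL_MACHINE'
"Machine-wide handler: $(if ($baseline) { $baseline.DelegateExecute } else { '<key missing>' })"

# Every loaded user profile (HKCU is just a view of HKU\<SID>). The *_Classes hives are
# skipped because they are reached through the Software\Classes link of the profile key.
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $userHives) {
    $override = Get-OpenNewWindowCommand -HivePath "HKEY_USERS\$($hive.PSChildName)"
    if ($null -eq $override) { continue }

    # A per-user key shadows HKLM for that user. An empty DelegateExecute plus a command
    # line is the pattern from the post: the command runs instead of the shell's own handler.
    $verdict = if ([string]::IsNullOrEmpty($override.DelegateExecute) -and $override.Command) {
        'SUSPICIOUS: arbitrary command runs on every Explorer launch'
    } elseif ($baseline -and $override.DelegateExecute -ne $baseline.DelegateExecute) {
        'SUSPICIOUS: delegates to a CLSID other than the machine-wide one'
    } else {
        'matches machine-wide definition'
    }

    [pscustomobject]@{
        User            = $hive.PSChildName
        Command         = $override.Command
        DelegateExecute = $override.DelegateExecute
        Verdict         = $verdict
    }
}
```

Run it elevated to read the hives of other logged-on users; as a normal user it still covers your own profile. Deleting the offending key (Remove-Item -Recurse on the HKCU path) restores the HKLM handler, and the same HKCU-versus-HKLM comparison generalizes to other Software\Classes hijacks.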
