28a28ea694decd19f7c4b69e4a8319222e304c16d9b2e8275c6a217ede1e3066 | Triage

Sharing

General

Target

TheBestSolarafixer.bat
Size

133B
Sample

240625-3vbyts1eng
MD5

9b12b6d3946df1e0dc933af1a554f71f
SHA1

120aa2a6cfd106482ab65b2791fef2a7106ebb70
SHA256

28a28ea694decd19f7c4b69e4a8319222e304c16d9b2e8275c6a217ede1e3066
SHA512

6c812f5b9ca1a2cba133b69c42162b55bb16f91a7e3ad7cc16ac73123e51aa8cc1f786ad939d5f2c88cab704f5102973d469310febe5714ed45395a67f50a3c1

Score

8^/10

discovery persistence

Malware Config

Targets

- Target
  
  TheBestSolarafixer.bat
- Size
  
  133B
- MD5
  
  9b12b6d3946df1e0dc933af1a554f71f
- SHA1
  
  120aa2a6cfd106482ab65b2791fef2a7106ebb70
- SHA256
  
  28a28ea694decd19f7c4b69e4a8319222e304c16d9b2e8275c6a217ede1e3066
- SHA512
  
  6c812f5b9ca1a2cba133b69c42162b55bb16f91a7e3ad7cc16ac73123e51aa8cc1f786ad939d5f2c88cab704f5102973d469310febe5714ed45395a67f50a3c1
Score

8^/10

discovery persistence
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Boot or Logon Autostart Execution: Print Processors
  Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
  persistence
- Modifies file permissions
  discovery
- Drops file in System32 directory
- Modifies termsrv.dll
  Commonly used to allow simultaneous RDP sessions.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Print Processors

Privilege Escalation

Boot or Logon Autostart Execution

Print Processors

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Remote Services

Remote Desktop Protocol

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2