Overview

overview

8

Static

static

1

ADZP 20 Complex.cmd

windows7-x64

8

ADZP 20 Complex.cmd

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ADZP 20 Complex.cmd

  • Size

    22KB

  • Sample

    240707-3ewnas1fqm

  • MD5

    3388c1be1e2505fb672d7285d77e3ebb

  • SHA1

    bf44a40c34390e99d2cf62625a42348465b48df6

  • SHA256

    38d50c545102dfa59a5faf795d9fdcbb0a07573453963834ae8b98a76689cffe

  • SHA512

    166e1e232b0559f5b89aa99385ae80590197b1b0f2c2a028065d371ec5f3a06fab8e58d5a65ac15cb64fdadcd37df5f21569c3c73d475624a8e0f1ba7085127a

  • SSDEEP

    384:2iJdAbrM21q0j0L1qEzdQ8PigfwTxX823JWo3yzKpMg:5bAUAW17JQrgodX/BMg

Score
8/10
defense_evasiondiscoveryevasionexecutionexploitpersistenceprivilege_escalationupx

Malware Config

Targets

    • Target

      ADZP 20 Complex.cmd

    • Size

      22KB

    • MD5

      3388c1be1e2505fb672d7285d77e3ebb

    • SHA1

      bf44a40c34390e99d2cf62625a42348465b48df6

    • SHA256

      38d50c545102dfa59a5faf795d9fdcbb0a07573453963834ae8b98a76689cffe

    • SHA512

      166e1e232b0559f5b89aa99385ae80590197b1b0f2c2a028065d371ec5f3a06fab8e58d5a65ac15cb64fdadcd37df5f21569c3c73d475624a8e0f1ba7085127a

    • SSDEEP

      384:2iJdAbrM21q0j0L1qEzdQ8PigfwTxX823JWo3yzKpMg:5bAUAW17JQrgodX/BMg

    Score
    8/10
    defense_evasiondiscoveryevasionexecutionexploitpersistenceprivilege_escalationupx

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Possible privilege escalation attempt

      exploit

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

      defense_evasion

    • Modifies boot configuration data using bcdedit

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

File and Directory Permissions Modification

2
T1222

Windows File and Directory Permissions Modification

1
T1222.001

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks