General
-
Target
WinBlocker.bat
-
Size
2KB
-
Sample
240805-lrerwaserl
-
MD5
5bedb5a6e2c853ec83cf3799ff0b31b6
-
SHA1
10e16def6fc0947ae1457ce58a9ed16389aff192
-
SHA256
63e9346405f7c0804495d58d3afc5d4a9584b222a807626e6068223f9f29ee8d
-
SHA512
61f3ae9896ab6862edd12eb9a2e92d2b1f6de021c0ba2a57002ce613e885afab68b8c384e1457a37135e839175f734216df368e9ad86655a777fe1db110074d4
Malware Config
Targets
-
-
Target
WinBlocker.bat
-
Size
2KB
-
MD5
5bedb5a6e2c853ec83cf3799ff0b31b6
-
SHA1
10e16def6fc0947ae1457ce58a9ed16389aff192
-
SHA256
63e9346405f7c0804495d58d3afc5d4a9584b222a807626e6068223f9f29ee8d
-
SHA512
61f3ae9896ab6862edd12eb9a2e92d2b1f6de021c0ba2a57002ce613e885afab68b8c384e1457a37135e839175f734216df368e9ad86655a777fe1db110074d4
Score10/10-
UAC bypass
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
-
Boot or Logon Autostart Execution: Print Processors
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
-
Drops startup file
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Modifies termsrv.dll
Commonly used to allow simultaneous RDP sessions.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Print Processors
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Print Processors
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2