General
-
Target
WinBlocker.bat
-
Size
2KB
-
Sample
240806-c4v5ysxbjk
-
MD5
1b5a43b427cbec4b2d98381bd745f252
-
SHA1
e35fa4eb5b4d03de11e34b648ccd0eb3bf64aca9
-
SHA256
16a9fd99658aec5a790b84002e2bd1388d82f0b0ac8d951fc65195ca4f3305af
-
SHA512
3689f9000a0ce44ba4a1503f59e3b94706ff9f73cc6baeb0f1105971c1c3fdc39373d091c8187ad681af8e4954bd0bca602ced76f080faa1c2f4082219c085a5
Malware Config
Targets
-
-
Target
WinBlocker.bat
-
Size
2KB
-
MD5
1b5a43b427cbec4b2d98381bd745f252
-
SHA1
e35fa4eb5b4d03de11e34b648ccd0eb3bf64aca9
-
SHA256
16a9fd99658aec5a790b84002e2bd1388d82f0b0ac8d951fc65195ca4f3305af
-
SHA512
3689f9000a0ce44ba4a1503f59e3b94706ff9f73cc6baeb0f1105971c1c3fdc39373d091c8187ad681af8e4954bd0bca602ced76f080faa1c2f4082219c085a5
Score10/10-
UAC bypass
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
-
Boot or Logon Autostart Execution: Print Processors
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
-
Drops startup file
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Modifies termsrv.dll
Commonly used to allow simultaneous RDP sessions.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Print Processors
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Print Processors
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2