General

  • Target

    s32del.bat

  • Size

    606B

  • Sample

    240818-yzxzmsvfml

  • MD5

    ccd3db2fa5f6a049694180b25412cb45

  • SHA1

    80b77841add6f515db012c9b88259e7e6fe6e3f6

  • SHA256

    e8558fe2ccae8aea962d0bbbdc26289b27b4b5899e93dc4b01347d9f206eb5d8

  • SHA512

    eb5f0f28e3641ddc784c85a6e8d978efa89693513473d4c6b6f2366a266f2fb5ef750efdb698c44b744c6b99cbc59af0c98957dbcf94b56b6f02dc62ec4545de

Malware Config

Targets

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Possible privilege escalation attempt

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Modifies file permissions

    • Drops file in System32 directory

    • Modifies termsrv.dll

      Commonly used to allow simultaneous RDP sessions.

MITRE ATT&CK Enterprise v15

Tasks