Overview

overview

9

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows10-2004-x64

9

Sharing

Copy URL Twitter E-mail

General

  • Target

    https://cdn.discordapp.com/attachments/850854604554895461/1257625982874161212/Mad.bat?ex=66c85377&is=66c701f7&hm=8b935d92dc99d56e89c2e4e888511b0bee4e94c3e141dc504375e4ae2885a83d&

  • Sample

    240822-tkxm4sycql

Score
9/10
defense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationransomware

Malware Config

Targets

    • Target

      https://cdn.discordapp.com/attachments/850854604554895461/1257625982874161212/Mad.bat?ex=66c85377&is=66c701f7&hm=8b935d92dc99d56e89c2e4e888511b0bee4e94c3e141dc504375e4ae2885a83d&

    Score
    9/10
    defense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies Security services

      Modifies the startup behavior of a security service.

      defense_evasion

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Remote Services: SMB/Windows Admin Shares

      Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

      lateral_movement

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Network Share Discovery

1
T1135

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

System Time Discovery

1
T1124

Lateral Movement

Remote Services

1
T1021

SMB/Windows Admin Shares

1
T1021.002

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks