75ab58952fe25000d00cf454273b803f6e5bdca2fe99c0dd928963fce12a4972

Sharing

Copy URL

Twitter E-mail

General

Target

Disable_Windows_Features_Protection.rar
Size

572KB
Sample

240823-tda6jatdmf
MD5

f67a55479ab343182e204a9aa68ce386
SHA1

162d0e3c2fab4452866bfc060ad746e812d864dd
SHA256

75ab58952fe25000d00cf454273b803f6e5bdca2fe99c0dd928963fce12a4972
SHA512

7ddbe80df08823ff29f56c6a19cfc249351e2006c1ea986cd9d51aa3c033eafdaaca80ac6959541faea93564cff63eb2c100b4bad6f75687ff4cade12b6eb7cc
SSDEEP

12288:PTHVWIMD3Ob6m2H9ryr0R2ib6kAW1aWuAgRmJnHnX0:PT1UD052H9mooibvAW1EwBX0

Score

9^/10

Malware Config

Targets

- Target
  
  DefenderRemover.exe
- Size
  
  649KB
- MD5
  
  0ca124641117a60490958117d60b3ced
- SHA1
  
  73ace6c707d29e2d16e8385ae9c17ba4142d0917
- SHA256
  
  19c09fad30c786cc22fb38d3f97021c0b35aaa9cd288d44970a45b5d1cb86070
- SHA512
  
  7aba1f6aeda56afea3bf7c66ef487a8c01037a085e16343b4cca4c33379dd9d94a75d92db0500130f853f4a516fe302d10c90d56df5387dd45fa7bd9667f74a9
- SSDEEP
  
  12288:P1OgLda0ZjpVgQ6ElFqzU7rOv/O6/NH90u9KIyburq6fAdAYmyA:P1OYdaypVD6ENIO6/LXEYr8dAByA
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  Disable Features.bat
- Size
  
  1KB
- MD5
  
  86205d1e96e6b01bfeefcf96cacc533d
- SHA1
  
  1a8e1ea5d0a5a10c13e5fdfb111019c8af2e0f19
- SHA256
  
  807dc2c0d5185b9062b7da86ac73699fe6402986c4395aabe59a0f08d5571f14
- SHA512
  
  e6dccee09ff476e9ff9bfadab9b7b9c84d747c4ffd2824c1888b2e86b6b4f018be8af377e7b7fb20142b6d9c35a5b51e53c77294f1aac3f4534f79fe97bab108
Score

9^/10

defense_evasion evasion ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Modify Registry: Disable Windows Driver Blocklist
  Disable Windows Driver Blocklist via Registry.
  defense_evasion
- Executes dropped EXE
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  DisableWinDefender.bat
- Size
  
  543B
- MD5
  
  c6897993aeadce831514fa5f0a1ba8ca
- SHA1
  
  c58fc055315bc15aecdeb7517ae5e6e741f83daf
- SHA256
  
  b477b596cf6f74607e96368e1e72f13ac354965bd84b46f6251d1906015ec628
- SHA512
  
  b67ffc249a56fec3e0ec5566db6b0f9d43753a6cf4db92145c35ded2f5802b783c8f63f496a4e1db23a5ee9be3b329f65aa041965360450f2901dc8747c23cf2
Score

6^/10

defense_evasion
- Modifies Security services
  Modifies the startup behavior of a security service.
  defense_evasion
behavioral5 behavioral6
- Target
  
  Enable Features.bat
- Size
  
  1KB
- MD5
  
  38d7e97a07904090685ab54b5faf4412
- SHA1
  
  cdcdebe9c11551c9a546eee428fbf1b51f55d627
- SHA256
  
  464a2382ca79886cb24172c04138ddddb31467595dcca777491597ad49ae03a5
- SHA512
  
  1ac7737b20fd264c79212a8f85fb8718a091f38ed640a3b0d69e6bcae48f1802724c352e7f5c48ea910ad2f6330af2b889d68e2d733e2482779e1c947d4ff1d0
Score

9^/10

defense_evasion evasion ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Modify Registry: Disable Windows Driver Blocklist
  Disable Windows Driver Blocklist via Registry.
  defense_evasion
behavioral7 behavioral8
- Target
  
  TPMBypass.bat
- Size
  
  371B
- MD5
  
  457f8dbf9f5a9760fe65f7367ae42717
- SHA1
  
  44d0389a82d3c719d7cb5a02404a7bb701c6457a
- SHA256
  
  8394ca0b6025fce54abd2f51ee6b22d2e8fe11ddc786d41d20a75543a19dc73e
- SHA512
  
  f40a9ca9a66c6c3e672579db3c9fba90947e8a31d4b0e1d8980f7d609ecba527a9dc4dd393b1648ffba83e54cd3ddd2781124c8b6fcff547ade29a0b7d608f86
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  ntkrnlProtectScan.ps1
- Size
  
  12KB
- MD5
  
  f90f4fa71a200fb73b55e5e56d453558
- SHA1
  
  dd109042c5d4a54a7e8fe3181c7fb537707962fd
- SHA256
  
  51e82df015518b62e55965373801c950e010cb901c12f06a5ae610b05153ef67
- SHA512
  
  34903632365a97dbcbf2a1eb17311aac8bb91f99599a2f7a1daacf7ea156b08a0fadbb4c60e818c06815cc53501ba9be56d1cb4ab94373fcf4d930feedc3eeaa
- SSDEEP
  
  384:2wp6WqaEOatWGakTjowaa6dSLQiaLanbaPZe47z0sa/azgLP/l:ZoWdCtWhkYwt6ALQVmnWPZe47z0X/azK
Score

3^/10

execution
behavioral11 behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Tasks

Sharing

General

Malware Config

Targets

Modifies boot configuration data using bcdedit

Modify Registry: Disable Windows Driver Blocklist

Executes dropped EXE

Loads dropped DLL

Modifies Security services

Modifies boot configuration data using bcdedit

Modify Registry: Disable Windows Driver Blocklist

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12