dd70c11d7952c0986b3e2a962799f921201290f1b92d4c40b2c717daa635c246 | Triage

Sharing

General

Target

WindowsToolbox.bat
Size

156KB
Sample

240921-c3qtva1ejb
MD5

2be2af971d62345dee8241432121dfd4
SHA1

819f7fa0f1f3bececd5b441a988bab5421867b6e
SHA256

dd70c11d7952c0986b3e2a962799f921201290f1b92d4c40b2c717daa635c246
SHA512

2e97d8911daff9c8b4833796dfbc9cc8cb26f20adad0fb2dd89169e300c31f5b9e3396beb18fc74446c5cad81cde1a78359d953cd3a514d5c7b8dac44144df6a
SSDEEP

1536:EcAizX5Sj8KH2Yoj1XzTAssI84Ugfd6uIkrZN9n1sIPtimn1xVR5BeZ6ZW8HaMrb:W2Yoj1XzLwyJpjR

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Targets

- Target
  
  WindowsToolbox.bat
- Size
  
  156KB
- MD5
  
  2be2af971d62345dee8241432121dfd4
- SHA1
  
  819f7fa0f1f3bececd5b441a988bab5421867b6e
- SHA256
  
  dd70c11d7952c0986b3e2a962799f921201290f1b92d4c40b2c717daa635c246
- SHA512
  
  2e97d8911daff9c8b4833796dfbc9cc8cb26f20adad0fb2dd89169e300c31f5b9e3396beb18fc74446c5cad81cde1a78359d953cd3a514d5c7b8dac44144df6a
- SSDEEP
  
  1536:EcAizX5Sj8KH2Yoj1XzTAssI84Ugfd6uIkrZN9n1sIPtimn1xVR5BeZ6ZW8HaMrb:W2Yoj1XzLwyJpjR
Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware
- Disables service(s)
  evasion execution
- Modifies visibility of file extensions in Explorer
  evasion
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Disables use of System Restore points
  evasion
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Stops running service(s)
  evasion execution
- Modifies file permissions
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Windows Management Instrumentation

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Image File Execution Options Injection

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Image File Execution Options Injection

Defense Evasion

Direct Volume Access

File and Directory Permissions Modification

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Inhibit System Recovery

Service Stop

Tasks

static1

behavioral1

defense_evasiondiscoveryevasionexecutionimpactpersistenceransomware