Overview

overview

10

Static

static

1

sas.bat

windows7-x64

10

sas.bat

windows10-1703-x64

10

sas.bat

windows10-2004-x64

10

sas.bat

windows11-21h2-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    sas.bat

  • Size

    49KB

  • Sample

    241005-br7gsaxdjp

  • MD5

    1ef62d322c2d218a93ec6c38ce4e609a

  • SHA1

    7c7fa81ca21efc7f0869ae814d359fd1aba6408e

  • SHA256

    c965477108ff902b5c5ca176b3747f2258401616e6aeb92d576e47b6d41f415b

  • SHA512

    b321c1422349d6d900af22bbbff70afeec2f6237396969129326bbc62654984789621270e21fd156cd82bcc2093636c43c6cd146f4825386c6b5458215ce2597

  • SSDEEP

    768:2E29js/DMExuHiJFamOBdBJtcAzsVd9YKfvPvwcmgJLFfLM8Zn9clSv8xk+nDvZb:2E29js/DMExuHiJFa7BrcAj0XIjPx

Score
10/10
evasionpersistenceprivilege_escalationransomwaretrojan

Malware Config

Targets

    • Target

      sas.bat

    • Size

      49KB

    • MD5

      1ef62d322c2d218a93ec6c38ce4e609a

    • SHA1

      7c7fa81ca21efc7f0869ae814d359fd1aba6408e

    • SHA256

      c965477108ff902b5c5ca176b3747f2258401616e6aeb92d576e47b6d41f415b

    • SHA512

      b321c1422349d6d900af22bbbff70afeec2f6237396969129326bbc62654984789621270e21fd156cd82bcc2093636c43c6cd146f4825386c6b5458215ce2597

    • SSDEEP

      768:2E29js/DMExuHiJFamOBdBJtcAzsVd9YKfvPvwcmgJLFfLM8Zn9clSv8xk+nDvZb:2E29js/DMExuHiJFa7BrcAj0XIjPx

    Score
    10/10
    evasionpersistenceprivilege_escalationransomwaretrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      evasiontrojan

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Modifies Windows Firewall

      evasion

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks