Overview

overview

10

Static

static

1

slut_keep_admin.bat

windows7-x64

8

slut_keep_admin.bat

windows10-2004-x64

10

Resubmissions

19-11-2024 20:58

241119-zr8a3sxmbp 10

19-11-2024 20:54

241119-zp5r6stalq 8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    slut_keep_admin.bat

  • Size

    1KB

  • Sample

    241119-zr8a3sxmbp

  • MD5

    9152962b6cef0d476f4e89127d8f0255

  • SHA1

    b3b0b2686f0b27eff516ca35443feff8ff5f8026

  • SHA256

    70fbc646366a3184c596ed7cba7055f1405350d164d104fcf4c2eec71c9d6434

  • SHA512

    b609ecc36ea6e417b45099092d1511da78af19855252cbf5050d30abd6d2ee3def57518c5c8676e25e0786cfd22c7bd5dcd98a4da725db2fa102256ad4f3d80e

Score
10/10
adwaredefense_evasiondiscoveryevasionexecutionpersistencephishingprivilege_escalationransomwarestealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://download.oracle.com/java/17/archive/jdk-17.0.12_windows-x64_bin.exe

Targets

    • Target

      slut_keep_admin.bat

    • Size

      1KB

    • MD5

      9152962b6cef0d476f4e89127d8f0255

    • SHA1

      b3b0b2686f0b27eff516ca35443feff8ff5f8026

    • SHA256

      70fbc646366a3184c596ed7cba7055f1405350d164d104fcf4c2eec71c9d6434

    • SHA512

      b609ecc36ea6e417b45099092d1511da78af19855252cbf5050d30abd6d2ee3def57518c5c8676e25e0786cfd22c7bd5dcd98a4da725db2fa102256ad4f3d80e

    Score
    10/10
    executionadwaredefense_evasiondiscoveryevasionpersistencephishingprivilege_escalationransomwarestealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution

    • Downloads MZ/PE file

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

      defense_evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • A potential corporate email address has been identified in the URL: Mypchasbeenclaimedby@swtakeover2doyoualsowanttobeclaimedhttpstwitter.comswtakeover2

      phishing

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Persistence

Account Manipulation

1
T1098

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Account Manipulation

1
T1098

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

File and Directory Permissions Modification

1
T1222

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Indicator Removal

1
T1070

Network Share Connection Removal

1
T1070.005

Modify Registry

3
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Query Registry

6
T1012

System Information Discovery

6
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Tasks