Overview

overview

10

Static

static

1

WINCL 1.8.0.bat

windows10-ltsc 2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    WINCL 1.8.0.bat

  • Size

    1.3MB

  • Sample

    241129-y1x12atqd1

  • MD5

    3de7393999fb7fa0931e95a0ecc28064

  • SHA1

    a26172904b514a1d0b96f671af9cf57c0433a69f

  • SHA256

    a5a0b353ba2e76e46e3566329f212aaf71c7acc7d0dd4c2689dad5d543effa13

  • SHA512

    e6ea002fde658e4e4efc4986b19745374af5555c623f2674030e46a279f5d6fd26a7660e208899a0a41acdc99925771ea972ef54939d4c6bc716612b7f4d3f13

  • SSDEEP

    12288:RBCF22juRhMkbZubgbab/b+BV0L6clOXs1w:RXMkk82zwb

Score
10/10
defense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationransomwaretrojan

Malware Config

Targets

    • Target

      WINCL 1.8.0.bat

    • Size

      1.3MB

    • MD5

      3de7393999fb7fa0931e95a0ecc28064

    • SHA1

      a26172904b514a1d0b96f671af9cf57c0433a69f

    • SHA256

      a5a0b353ba2e76e46e3566329f212aaf71c7acc7d0dd4c2689dad5d543effa13

    • SHA512

      e6ea002fde658e4e4efc4986b19745374af5555c623f2674030e46a279f5d6fd26a7660e208899a0a41acdc99925771ea972ef54939d4c6bc716612b7f4d3f13

    • SSDEEP

      12288:RBCF22juRhMkbZubgbab/b+BV0L6clOXs1w:RXMkk82zwb

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationransomwaretrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to get system information.

      execution

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Remote Services: SMB/Windows Admin Shares

      Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

      lateral_movement
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Power Settings

1
T1653

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

1
T1564

Ignore Process Interrupts

1
T1564.011

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

1
T1112

Credential Access

Discovery

Network Share Discovery

1
T1135

Peripheral Device Discovery

2
T1120

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

System Time Discovery

1
T1124

Lateral Movement

Remote Services

1
T1021

SMB/Windows Admin Shares

1
T1021.002

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks