Overview

overview

9

Static

static

1

Startup-script.bat

windows10-ltsc 2021-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Startup-script.bat

  • Size

    98KB

  • Sample

    241130-ypr1mstkfv

  • MD5

    8eb4e23e8bfed1be98837c83b8bd01d6

  • SHA1

    a406d12d11002bd87314f6a9edc84bb30c532db7

  • SHA256

    a9f9df39909cc07f30ed4e60b0c6024e95c05d4d062c48d15459cf98d52d80c3

  • SHA512

    31d2e0390afe06e9668ff9ce2f517b1b656414b9655d4777c1700ded5b954810a969988c9c2c2409b304f1a588a4820471be224bf084edeaa95cb0f8c6a7648b

  • SSDEEP

    768:OPWVQjLJcQMmrdtXuMuxgFBSHDTFs+umRs4fPmwN1o76ba4COljXx5xYa0MF9PVL:uQMuxqSjX/v

Score
9/10
discoveryevasionexecutionlateral_movementpersistenceprivilege_escalation

Malware Config

Targets

    • Target

      Startup-script.bat

    • Size

      98KB

    • MD5

      8eb4e23e8bfed1be98837c83b8bd01d6

    • SHA1

      a406d12d11002bd87314f6a9edc84bb30c532db7

    • SHA256

      a9f9df39909cc07f30ed4e60b0c6024e95c05d4d062c48d15459cf98d52d80c3

    • SHA512

      31d2e0390afe06e9668ff9ce2f517b1b656414b9655d4777c1700ded5b954810a969988c9c2c2409b304f1a588a4820471be224bf084edeaa95cb0f8c6a7648b

    • SSDEEP

      768:OPWVQjLJcQMmrdtXuMuxgFBSHDTFs+umRs4fPmwN1o76ba4COljXx5xYa0MF9PVL:uQMuxqSjX/v

    Score
    9/10
    discoveryevasionexecutionlateral_movementpersistenceprivilege_escalation

    • Modifies boot configuration data using bcdedit

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Modifies Windows Firewall

      evasion

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Remote Services: SMB/Windows Admin Shares

      Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

      lateral_movement
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Power Settings

1
T1653

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Remote Services

1
T1021

SMB/Windows Admin Shares

1
T1021.002

Collection

Command and Control

Exfiltration

Impact

Tasks