37705c3cda6ed05001d551d5bd262fbf3163d11338e0c2179ba1db231a7e07f6 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Adil Windows - Copy.bat
Size

12KB
Sample

241205-h5b2cszpaq
MD5

2a7086b99fea895c2f2ed23abe77c93c
SHA1

54c39b64f373be5a397e67c10bb17259b6aa7595
SHA256

37705c3cda6ed05001d551d5bd262fbf3163d11338e0c2179ba1db231a7e07f6
SHA512

ebd731316d435edad6ec6b5cde0b5b44166e74e518dc1efc586c733f58a96da4561eb8daa7785107e6c4343c9a44b5db230b0bacf7797afed806e28c15db0c14
SSDEEP

192:AAAcaDMED9DPGeO7D8HqRvfgvpoVN3cP7b8T0zN:zAfoMGeO7D8YjVN3BIN

Score

10^/10

defense_evasion discovery evasion execution lateral_movement persistence privilege_escalation ransomware trojan

Malware Config

Targets

- Target
  
  Adil Windows - Copy.bat
- Size
  
  12KB
- MD5
  
  2a7086b99fea895c2f2ed23abe77c93c
- SHA1
  
  54c39b64f373be5a397e67c10bb17259b6aa7595
- SHA256
  
  37705c3cda6ed05001d551d5bd262fbf3163d11338e0c2179ba1db231a7e07f6
- SHA512
  
  ebd731316d435edad6ec6b5cde0b5b44166e74e518dc1efc586c733f58a96da4561eb8daa7785107e6c4343c9a44b5db230b0bacf7797afed806e28c15db0c14
- SSDEEP
  
  192:AAAcaDMED9DPGeO7D8HqRvfgvpoVN3cP7b8T0zN:zAfoMGeO7D8YjVN3BIN
Score

10^/10

defense_evasion discovery evasion execution lateral_movement persistence privilege_escalation ransomware trojan
- Disables service(s)
  evasion execution
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion execution
- Allows Network login with blank passwords
  Allows local user accounts with blank passwords to access device from the network.
- Hijack Execution Flow: Executable Installer File Permissions Weakness
  Possible Turn off User Account Control's privilege elevation for standard users.
  defense_evasion persistence privilege_escalation
- Password Policy Discovery
  Attempt to access detailed information about the password policy used within an enterprise network.
  discovery
- Remote Services: SMB/Windows Admin Shares
  Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
  lateral_movement
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Hijack Execution Flow

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Hijack Execution Flow

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Hijack Execution Flow

Executable Installer File Permissions Weakness

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Password Policy Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Remote Services

Remote Desktop Protocol

SMB/Windows Admin Shares

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Service Stop

Tasks

static1

behavioral1

defense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationransomwaretrojan