Overview

overview

10

Static

static

1

Adil Windows.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Adil Windows.bat

  • Size

    11KB

  • Sample

    241205-jbaf4svjew

  • MD5

    bc1e97ccdf44d2a52480ef8f56daf32f

  • SHA1

    4e7c69b2faec4a0b6e6e19329c0befa2cba99878

  • SHA256

    69e0375efc3a5c96106dc5eaea7cf9c5ba1c451c3297304d709b4057abe6b862

  • SHA512

    56d86c1399823f236f373cad1e7733fe52be0e96bd0c766a3e68e40720db00c0d1c67a7a86251e2d89b40d17fb11603185da80a94c8a1df645c144bf7979f94c

  • SSDEEP

    192:A9Ac2bMED959MeO7D8HqwlfgvMo2NfcP7b8T0j:UA1QkMeO7D81U2NfBu

Score
10/10
defense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationransomwaretrojan

Malware Config

Targets

    • Target

      Adil Windows.bat

    • Size

      11KB

    • MD5

      bc1e97ccdf44d2a52480ef8f56daf32f

    • SHA1

      4e7c69b2faec4a0b6e6e19329c0befa2cba99878

    • SHA256

      69e0375efc3a5c96106dc5eaea7cf9c5ba1c451c3297304d709b4057abe6b862

    • SHA512

      56d86c1399823f236f373cad1e7733fe52be0e96bd0c766a3e68e40720db00c0d1c67a7a86251e2d89b40d17fb11603185da80a94c8a1df645c144bf7979f94c

    • SSDEEP

      192:A9Ac2bMED959MeO7D8HqwlfgvMo2NfcP7b8T0j:UA1QkMeO7D81U2NfBu

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationransomwaretrojan

    • Disables service(s)

      evasionexecution

    • UAC bypass

      evasiontrojan

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasionexecution

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

      defense_evasionpersistenceprivilege_escalation

    • Password Policy Discovery

      Attempt to access detailed information about the password policy used within an enterprise network.

      discovery

    • Remote Services: SMB/Windows Admin Shares

      Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

      lateral_movement
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Credential Access

Discovery

Password Policy Discovery

1
T1201

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Remote Services

2
T1021

Remote Desktop Protocol

1
T1021.001

SMB/Windows Admin Shares

1
T1021.002

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Service Stop

2
T1489

Tasks