Overview

overview

10

Static

static

1

Adil Windows.bat

windows10-2004-x64

10

Resubmissions

05-12-2024 19:46

241205-yhfc9svrbl 10

05-12-2024 19:03

241205-xqftbstmhr 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Adil Windows.bat

  • Size

    12KB

  • Sample

    241205-xqftbstmhr

  • MD5

    cb107d44ed312ae167260b86b9d1901d

  • SHA1

    47406774f65842ff020290fe34c0175789e2f5d0

  • SHA256

    ae5c64a88ceb35a4cd3748ed27392845405934108bcefff1c965599ba1294f30

  • SHA512

    981f373ec1ff38b4bba875ef8bb5caa5875082c8c6e8f36f8a4593599500195536b522853d686499f6b3908b7845e283b695f9ac370201ffdf319a5ec1a563fd

  • SSDEEP

    192:A9AcZ8zMED95ExPaxmmpeO7D8HqYT1+gvwoKNfcP7b8T0j:UA684zwreO7D89T1rKNfBu

Score
10/10
defense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationransomwaretrojan

Malware Config

Targets

    • Target

      Adil Windows.bat

    • Size

      12KB

    • MD5

      cb107d44ed312ae167260b86b9d1901d

    • SHA1

      47406774f65842ff020290fe34c0175789e2f5d0

    • SHA256

      ae5c64a88ceb35a4cd3748ed27392845405934108bcefff1c965599ba1294f30

    • SHA512

      981f373ec1ff38b4bba875ef8bb5caa5875082c8c6e8f36f8a4593599500195536b522853d686499f6b3908b7845e283b695f9ac370201ffdf319a5ec1a563fd

    • SSDEEP

      192:A9AcZ8zMED95ExPaxmmpeO7D8HqYT1+gvwoKNfcP7b8T0j:UA684zwreO7D89T1rKNfBu

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionlateral_movementpersistenceprivilege_escalationransomwaretrojan

    • Disables service(s)

      evasionexecution

    • UAC bypass

      evasiontrojan

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasionexecution

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possible Turn off User Account Control's privilege elevation for standard users.

      defense_evasionpersistenceprivilege_escalation

    • Password Policy Discovery

      Attempt to access detailed information about the password policy used within an enterprise network.

      discovery

    • Remote Services: SMB/Windows Admin Shares

      Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

      lateral_movement
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hijack Execution Flow

1
T1574

Executable Installer File Permissions Weakness

1
T1574.005

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Credential Access

Discovery

Password Policy Discovery

1
T1201

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Remote Services

2
T1021

Remote Desktop Protocol

1
T1021.001

SMB/Windows Admin Shares

1
T1021.002

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Service Stop

2
T1489

Tasks