General

  • Target

    C908B6BA4C4B07019B13A64EF1A29B1D468E73244CAC0.exe

  • Size

    7.2MB

  • Sample

    221015-qws8aafffj

  • MD5

    4339e8acd7434e3871eaf9b1d5f79918

  • SHA1

    db8cc347e36952f61901d70cf95c2a90f908beea

  • SHA256

    c908b6ba4c4b07019b13a64ef1a29b1d468e73244cac07b7efd929fb75103f1b

  • SHA512

    6f028131a778a300b38b9632f4fe5c3a8b3d9f64e459ddd4aa8ad3e1421b2d1cc7a28fcefaab8474b46980236825e4020e2a222356c968e792bd32a12b7cb475

  • SSDEEP

    196608:SkVy88mjucJbd91gb9hXJPmSC5ltjWyrVqJzN:lVsmjTb9IPmS0lxrV

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://cdn.discordapp.com/attachments/984839998429876294/1007422794927181986/kms.vbs

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks