67f781981d889e136103e9f37af86a13e69d8acc73bb080a365e9f7d08d881d0 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

pagos TT (Ref 0180066743).img
Size

1.2MB
Sample

221226-gbwm8sff7v
MD5

4eafc7d321be7b953169a92f67495d83
SHA1

e6ac029ebfd44d60cd1e29ee89717c1ed4da5ff2
SHA256

67f781981d889e136103e9f37af86a13e69d8acc73bb080a365e9f7d08d881d0
SHA512

dc1a5e6b6764726229ca68ef6c0b1fa2227601cafd30de8105cbb94d0cc3910e7021a7cb777ef3feda82d3149560c55880a535cdb30c9f133c2a5bdcc58eaec5
SSDEEP

192:qO72hQEZDPK6mm2r88VznG7CmV4H/1MLi8m5Sgc7RS9l3dTnt5n9avG7zKK92rG4:N+SLVznG7Cm8SgE2l

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://4.204.233.44/DLL/NoStartUp.ppam

Targets

- Target
  
  PAGOS_TT.VBS
- Size
  
  431KB
- MD5
  
  c52ed5109267688edaa351fd0f025f54
- SHA1
  
  804260ea40ee144de6564562734cd5cd49b97897
- SHA256
  
  ff6083a7518515494983fb6e6ac2fb8298e953dbb867a37cf00c850c8d27b6c7
- SHA512
  
  c95fc68d4a918de2c32024c306611a9bd6fb0400ecea22fb54c5734ad5a63b28844d3f63e6be5076bdd6ad858b91bc31752f8d9b483b6ddc11b48c96ad092001
- SSDEEP
  
  192:DznG7CmV4H/1MLi8m5Sgc7RS9l3dTnt5n9avG7zKK92rGZN/B5Zh5Y/1EsGGmsHP:DznG7Cm8SgE2l6
Score

10^/10
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2