98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Quotation.vbs
Size

157KB
Sample

240329-gtesfabh99
MD5

23a71377b58f082202b467da8c693dc0
SHA1

083cdeb1f92b0073e9db107b39b439239cfebff2
SHA256

98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce
SHA512

1e3ba4a2837c503a05bdfaa74da61d56e60a60e19ca023f90b90eb02a19d01ba8593e0b6329ad92d15f3a8cb4bc173927a64f9bef3d7ee92f3cc6708b157d26c
SSDEEP

3072:OaV5NSZh/awGqU42RvG+q4xgc3RR+vsZbqXRF1kEcVwJbknkxvQqTSTw8aP:XNSn/s42Rvrq4xgc3RR+vYbqXRFtcVw1

Score

8^/10

persistence

Malware Config

Targets

- Target
  
  Quotation.vbs
- Size
  
  157KB
- MD5
  
  23a71377b58f082202b467da8c693dc0
- SHA1
  
  083cdeb1f92b0073e9db107b39b439239cfebff2
- SHA256
  
  98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce
- SHA512
  
  1e3ba4a2837c503a05bdfaa74da61d56e60a60e19ca023f90b90eb02a19d01ba8593e0b6329ad92d15f3a8cb4bc173927a64f9bef3d7ee92f3cc6708b157d26c
- SSDEEP
  
  3072:OaV5NSZh/awGqU42RvG+q4xgc3RR+vsZbqXRF1kEcVwJbknkxvQqTSTw8aP:XNSn/s42Rvrq4xgc3RR+vYbqXRFtcVw1
Score

8^/10

persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2