e6d0dcb24822d671a1a8c9e62435211abadf9590278270ac9fc97cd8ff5bcac0 | Triage

Sharing

General

Target

Payroll Admin.vbs
Size

1.1MB
Sample

240531-k41z7sdb31
MD5

fdd823fe582e2a3f2649f8b906346c03
SHA1

fbe1fc6dffa55104e784c7bc3b6310cb3f027779
SHA256

e6d0dcb24822d671a1a8c9e62435211abadf9590278270ac9fc97cd8ff5bcac0
SHA512

62283073f27e597fe9b8a5ba6da2c1581b7bf82e250d983891fe7e6e7703d71dd5ccebc1866ce7ada2ab62c447ef3c328523e4532a418ff20380ae0e284e376c
SSDEEP

12288:w31cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRj6w5:wYz64+2Sjv

Score

8^/10

persistence

Malware Config

Targets

- Target
  
  Payroll Admin.vbs
- Size
  
  1.1MB
- MD5
  
  fdd823fe582e2a3f2649f8b906346c03
- SHA1
  
  fbe1fc6dffa55104e784c7bc3b6310cb3f027779
- SHA256
  
  e6d0dcb24822d671a1a8c9e62435211abadf9590278270ac9fc97cd8ff5bcac0
- SHA512
  
  62283073f27e597fe9b8a5ba6da2c1581b7bf82e250d983891fe7e6e7703d71dd5ccebc1866ce7ada2ab62c447ef3c328523e4532a418ff20380ae0e284e376c
- SSDEEP
  
  12288:w31cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRj6w5:wYz64+2Sjv
Score

8^/10

persistence
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2