3fa5856d8953d4693ed6caf9cb26d3e9b99d5a672b490e91e226ae06c766ac54 | Triage

Sharing

General

Target

crypted.vbs
Size

1.1MB
Sample

240603-hj7k5sfc2s
MD5

b2f1fecda8bf0c6127eba0a1c753bab4
SHA1

a42be5a38938b46014c07a0f2e33ff98cc130ac5
SHA256

3fa5856d8953d4693ed6caf9cb26d3e9b99d5a672b490e91e226ae06c766ac54
SHA512

fd38551f3ad476cc9eb76ec35c99fb2f6199297d0dfd5c1ebe670e081d4a615f50d1ef4a1a1341857dab573aa92a65d5ed506442e6ca4acf0838c6c376630a48
SSDEEP

12288:431cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRjI:4Yz64+2SjI

Score

8^/10

persistence

Malware Config

Targets

- Target
  
  crypted.vbs
- Size
  
  1.1MB
- MD5
  
  b2f1fecda8bf0c6127eba0a1c753bab4
- SHA1
  
  a42be5a38938b46014c07a0f2e33ff98cc130ac5
- SHA256
  
  3fa5856d8953d4693ed6caf9cb26d3e9b99d5a672b490e91e226ae06c766ac54
- SHA512
  
  fd38551f3ad476cc9eb76ec35c99fb2f6199297d0dfd5c1ebe670e081d4a615f50d1ef4a1a1341857dab573aa92a65d5ed506442e6ca4acf0838c6c376630a48
- SSDEEP
  
  12288:431cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRjI:4Yz64+2SjI
Score

8^/10

persistence
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2