General

  • Target

    script.vbs

  • Size

    954B

  • Sample

    240630-qhvtys1grr

  • MD5

    ba8126ebff4ef9d65a0c1a4a2cd472ae

  • SHA1

    df5853cfa0dee40c97066fb26a1d3fe998db0d17

  • SHA256

    3281e12696162f5fad62ef950cf21c709a364ebc272de6b7e1aeb5a5c365380e

  • SHA512

    b07440e7f3584fff2430cc9b56d75859810b4e9546a6d3047822a1cef1b6ee8ab8a9fa917b2300c95fb0ab65a2b24998577be5b8a3ea9114b36ab631dc2a5aed

  • Score

    8/10

Malware Config

Targets

    • Target

      script.vbs

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Drops file in System32 directory

    • Modifies termsrv.dll

      Commonly used to allow simultaneous RDP sessions.

MITRE ATT&CK Enterprise v15

Tasks