295ef3832bb6ef89c93c39b62542be9f490b74a082c2b06955aa3351c3005002 | Triage

Sharing

General

Target

13082024_1650_patch_08_24_maroc_telecom.vbs
Size

85KB
Sample

240813-vcp4qsvepc
MD5

256ff7496d004c17a81294e45341a696
SHA1

45af0de886b8fc54cfd8acfd2b386a77bba63887
SHA256

295ef3832bb6ef89c93c39b62542be9f490b74a082c2b06955aa3351c3005002
SHA512

b430b6da57b6937c9468cebee49f655b50fa11e3ed57c0c584d50b0d677119f5db2d893a1bcde422e8087af6a92f7aee03d26e3b14e8a3f4ed3ae9221f4a3ac3
SSDEEP

96:AF9Gmbz9Lz3a74Tbq2HY0UiAvSHLQV0gUiAvSHmnWLF:AF9GS9LzacThY0UiAvSrQV0gUiAvSxF

Score

10^/10

defense_evasion discovery evasion execution persistence trojan

Malware Config

Targets

- Target
  
  13082024_1650_patch_08_24_maroc_telecom.vbs
- Size
  
  85KB
- MD5
  
  256ff7496d004c17a81294e45341a696
- SHA1
  
  45af0de886b8fc54cfd8acfd2b386a77bba63887
- SHA256
  
  295ef3832bb6ef89c93c39b62542be9f490b74a082c2b06955aa3351c3005002
- SHA512
  
  b430b6da57b6937c9468cebee49f655b50fa11e3ed57c0c584d50b0d677119f5db2d893a1bcde422e8087af6a92f7aee03d26e3b14e8a3f4ed3ae9221f4a3ac3
- SSDEEP
  
  96:AF9Gmbz9Lz3a74Tbq2HY0UiAvSHLQV0gUiAvSHmnWLF:AF9GS9LzacThY0UiAvSrQV0gUiAvSxF
Score

10^/10

execution defense_evasion discovery evasion persistence trojan
- UAC bypass
  evasion trojan
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Indicator Removal

Clear Persistence

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

defense_evasiondiscoveryevasionexecutionpersistencetrojan