General

  • Target

    script.vbs

  • Size

    3KB

  • Sample

    240815-1n9kea1dll

  • MD5

    a0ef188a2faaef335d2265ea48c117fe

  • SHA1

    7a285bed61409e29b4a0563adc5d8863cf150b33

  • SHA256

    20138edb83cd75498cee9cd693504d2134ccd7002c466c5ee84dec16ec23a337

  • SHA512

    ff0ba26e65fe730ea57e1405fb9c87b67833bbdb2dd71b74e2c6f5d719460174d31e275c11e6d21102370505761bde337b1b3c7c64106539422539a7168739a4

Malware Config

Targets

    • Target

      script.vbs

    • Size

      3KB

    • MD5

      a0ef188a2faaef335d2265ea48c117fe

    • SHA1

      7a285bed61409e29b4a0563adc5d8863cf150b33

    • SHA256

      20138edb83cd75498cee9cd693504d2134ccd7002c466c5ee84dec16ec23a337

    • SHA512

      ff0ba26e65fe730ea57e1405fb9c87b67833bbdb2dd71b74e2c6f5d719460174d31e275c11e6d21102370505761bde337b1b3c7c64106539422539a7168739a4

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Manipulates Digital Signatures

      Attackers can modify the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Modifies file permissions

    • Modifies system executable filetype association
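
The behaviours above are listed without the registry locations they correspond to. The following added example (written for this page, not taken from the report or its sandbox vendor) maps Sysmon registry SetValue events (Event ID 13) onto the report's persistence and defence-evasion behaviours. All events are constructed for illustration, the GUIDs are placeholders, and the function names `classify`, `triage` and `summarize` are chosen here; the registry paths are the well-known locations each technique writes to.

```python
"""Added example (not part of the sandbox report or its vendor's code):
map Sysmon registry SetValue events (Event ID 13) onto the persistence
and defence-evasion behaviours listed for script.vbs.  All events below
are constructed; GUIDs are placeholders.  Only the registry locations
are the real ones each technique is known to touch."""
import re

# (behaviour as named in the report, ATT&CK technique, TargetObject pattern)
RULES = [
    ("Boot or Logon Autostart Execution: Active Setup", "T1547.014",
     re.compile(r"\\Active Setup\\Installed Components\\\{[0-9A-F-]+\}\\StubPath$", re.I)),
    ("Event Triggered Execution: COM Hijacking", "T1546.015",
     # Per-user CLSID entries shadow HKLM ones; Sysmon reports HKCU as HKU\<SID>.
     re.compile(r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}"
                r"\\(InprocServer32|LocalServer32|TreatAs)", re.I)),
    ("Manipulates Digital Signatures (SIP / trust provider hijack)", "T1553.003",
     re.compile(r"\\Cryptography\\(OID\\EncodingType 0\\CryptSIPDll\w+|Providers\\Trust\\\w+)"
                r"\\\{[0-9A-F-]+\}\\(Dll|FuncName|\$DLL|\$Function)$", re.I)),
    ("Manipulates Digital Signatures (Authenticode trust state)", "T1553",
     re.compile(r"\\WinTrust\\Trust Providers\\Software Publishing\\State$", re.I)),
    ("Modifies system executable filetype association", "T1546.001",
     re.compile(r"\\(Classes\\)?exefile\\shell\\open\\command\\\(Default\)$", re.I)),
]

# Writers that make a registry hit high-confidence for a .vbs sample.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 13 records, not real telemetry
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0B8DE3A4-5F1C-4E2A-9D7B-1234567890AB}\StubPath",
     "Details": r"wscript.exe //B C:\Users\Public\script.vbs"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\CLSID\{D1E2F3A4-B5C6-4D7E-8F90-ABCDEF123456}\InprocServer32\(Default)",
     "Details": r"C:\Users\Public\payload.dll"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\Dll",
     "Details": r"C:\Users\Public\fakesip.dll"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State",
     "Details": "DWORD (0x00023e00)"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": r'"C:\Users\Public\loader.exe" "%1" %*'},
    # Legitimate installer writing Active Setup: same key, different writer.
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-90AB-CDEF-1234-567890ABCDEF}\StubPath",
     "Details": r"C:\Program Files\Vendor\setup.exe /user"},
    # Unrelated Run-key write: not one of the report's listed behaviours.
    {"EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def classify(event):
    """Return [(behaviour, attack_id), ...] for one registry event (SetValue only)."""
    if event.get("EventType") != "SetValue":
        return []
    target = event["TargetObject"]
    return [(name, tid) for name, tid, rx in RULES if rx.search(target)]


def triage(events):
    """Flag every matching write and record whether a script host made it."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        for name, tid in classify(ev):
            findings.append({
                "behaviour": name, "attack": tid, "image": image,
                "script_host": image in SCRIPT_HOSTS,
                "target": ev["TargetObject"], "details": ev.get("Details", ""),
            })
    return findings


def summarize(findings):
    """Collapse findings into {attack_id: count} for a quick ATT&CK view."""
    counts = {}
    for f in findings:
        counts[f["attack"]] = counts.get(f["attack"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "SCRIPT-HOST" if f["script_host"] else "other-writer"
        print(f'[{f["attack"]}] {flag:12} {f["behaviour"]}\n    {f["target"]}\n    -> {f["details"]}')
```

Two caveats a practitioner should keep in mind. Active Setup StubPath values are also written by legitimate installers, so the key alone is weak evidence; the writer image (a script host such as wscript.exe versus msiexec.exe) is what separates the two Active Setup events above. The "Checks computer location settings" behaviour is a registry read of the configured country code, which Sysmon does not log as a SetValue event, so this example does not cover it. Sysmon also reports HKCR writes under the backing hive (HKLM\SOFTWARE\Classes or HKU\<SID>\Software\Classes), which is why the exefile rule accepts an optional Classes\ prefix.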

MITRE ATT&CK Enterprise v15

Tasks