General

  • Target

    run.vbs

  • Size

    3KB

  • Sample

    240815-1xt63s1hpm

  • MD5

    79fe68e50f2d014440bb6b7859720877

  • SHA1

    5532a3680caa3327b2cbe04d5c4a0a4036ccffec

  • SHA256

    be3b880f963273b3669f0a46d504965736bfdda77bca8821afc605563a965d1b

  • SHA512

    85f4de149962425e2976fe717c62671383120daf6284e7fc437b766eb79a8f24dd52cde7edfe816ceea4129dcd8a086a5bb39e736e454058c0133189bc13c192

Malware Config

Targets

    • Target

      run.vbs

    • Size

      3KB

    • MD5

      79fe68e50f2d014440bb6b7859720877

    • SHA1

      5532a3680caa3327b2cbe04d5c4a0a4036ccffec

    • SHA256

      be3b880f963273b3669f0a46d504965736bfdda77bca8821afc605563a965d1b

    • SHA512

      85f4de149962425e2976fe717c62671383120daf6284e7fc437b766eb79a8f24dd52cde7edfe816ceea4129dcd8a086a5bb39e736e454058c0133189bc13c192

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Modifies file permissions

    • Modifies system executable filetype association

MITRE ATT&CK Enterprise v15

Tasks