4e8de351db362c519504509df309c7b58b891baf9cb99a3500b92fe0ef772924 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

4e8de351db362c519504509df309c7b58b891baf9cb99a3500b92fe0ef772924.vbs
Size

778B
Sample

240930-wsk1dsydpp
MD5

b8eecf433c05f73660b69c7f2e407f8e
SHA1

ad6942899ae40f00e4dd33725930e0238d5b435c
SHA256

4e8de351db362c519504509df309c7b58b891baf9cb99a3500b92fe0ef772924
SHA512

5b1d21349ad7bfd051be37ebb31a981de7bae3b60ee80f8014d3f49a017d484ed61af5384cda847689e5935fb36a863c98491d04980c2b817c01f32c23b8ea88

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt

Targets

- Target
  
  4e8de351db362c519504509df309c7b58b891baf9cb99a3500b92fe0ef772924.vbs
- Size
  
  778B
- MD5
  
  b8eecf433c05f73660b69c7f2e407f8e
- SHA1
  
  ad6942899ae40f00e4dd33725930e0238d5b435c
- SHA256
  
  4e8de351db362c519504509df309c7b58b891baf9cb99a3500b92fe0ef772924
- SHA512
  
  5b1d21349ad7bfd051be37ebb31a981de7bae3b60ee80f8014d3f49a017d484ed61af5384cda847689e5935fb36a863c98491d04980c2b817c01f32c23b8ea88
Score

10^/10

execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2