General

  • Target

    script.vbs

  • Size

    893B

  • Sample

    241001-t983fazdnk

  • MD5

    ec33cef3e775d7c6bec9f237c4fe9ea7

  • SHA1

    cab989771371d11b0f9ab09d23060e3220a6fb3b

  • SHA256

    ccd1df53fc4e3feeec5b55c4e7a2eb42d3fcaa47de94be1d07fd778c7c5dae91

  • SHA512

    2b78042d8583680b4f94c59191a3114fae0014231de80c29d140ed1a74fc9e6ad2e41344f19cfc67d538faf5099483831aa5f547bffdb22dff2a16f2cb73a9a5

Malware Config

Targets

    • Target

      script.vbs

    • Renames multiple (787) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Network Share Discovery

      Attempt to gather information on the host network.

    • Password Policy Discovery

      Attempt to access detailed information about the password policy used within an enterprise network.

MITRE ATT&CK Enterprise v15

Tasks