General

  • Target

    script.vbs

  • Size

    938B

  • Sample

    241001-vb858ateqf

  • MD5

    3e9abc13d2f8e273f58f009d14084057

  • SHA1

    7abc22693a2a566d00f853ef3cd9073ac975ed7e

  • SHA256

    34609ffd4821ae46f4afb1735992bd34a33fd5c7a7b6a9dd9c00226ec8f72b8c

  • SHA512

    12d91f87c10365f4bef248d20aab80d66ded11f8b52d65a13819792a6b15ebadbe46ac14a7992f3b68be152a095917f9250655ae4946bff37d5df868e3b912ae

Malware Config

Targets

    • Target

      script.vbs

    • Renames multiple (10065) files with added filename extension

      During the run 10,065 files were renamed to carry a new extension, the pattern left behind when ransomware encrypts files in place and appends its marker suffix. A 938-byte .vbs cannot hold an encryptor itself, so this behaviour (and the credential and browser-data access below) belongs to a payload the script dropped or fetched; see "Loads dropped DLL".

    • Possible privilege escalation attempt

    • Checks computer location settings

      Reads the country code configured in the registry, most likely a geofence that decides whether the payload runs on this machine at all.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to the Windows credential history store, which protects the material needed to decrypt credentials saved by the user.

    • Loads dropped DLL

      A DLL written to disk during the run was loaded, confirming a second-stage payload rather than script-only behaviour.

    • Modifies file permissions

      Ransomware commonly rewrites ACLs on target files so that encryption succeeds regardless of the original permissions.

    • Reads user/profile data of web browsers

      Infostealers target stored browser data: saved credentials, cookies and session tokens, autofill entries.

    • Enumerates connected drives

      Reads the root path of drives other than the default C: volume, the enumeration step that lets an encryptor reach every attached volume rather than only the system drive.

    • Network Share Discovery

      Gathers information about network shares reachable from the host, which commonly precedes encrypting or harvesting from mapped and remote shares.
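
The mass-rename signature above is the one behaviour in this report that maps cleanly onto host telemetry. The following detector is an added example, not part of the report or of the sandbox's own tooling. It assumes file-event telemetry as JSON lines with `ts`, `pid`, `image`, `op`, `src` and `dst` fields (a stand-in for whatever your EDR emits), groups appended-extension renames per process, and alerts when one process performs at least `threshold` of them inside a `window` of seconds. The sample log, process names, paths and thresholds are constructed for the example.

```python
# Added example: detection logic for the "renames many files with an added
# extension" behaviour above. The JSON-lines input format is an assumption.
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class RenameEvent:
    ts: float
    pid: int
    image: str
    src: str
    dst: str

@dataclass(frozen=True)
class Alert:
    pid: int
    image: str
    extension: str
    count: int                 # renames inside the densest time window
    directories: int           # distinct source directories touched
    drives: tuple[str, ...]    # volumes touched, e.g. ("C:", "D:", "E:")

def parse_events(log_text: str) -> list[RenameEvent]:
    """Keep only rename records; other ops (write, delete, ...) are ignored."""
    events = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = json.loads(line)
        if rec.get("op") == "rename":
            events.append(RenameEvent(float(rec["ts"]), int(rec["pid"]),
                                      rec["image"], rec["src"], rec["dst"]))
    return events

def appended_extension(src: str, dst: str) -> str | None:
    """Suffix appended to src to give dst (e.g. '.locked'), else None.
    Only same-directory renames of the form dst == src + '.<ext>' qualify."""
    s, d = PureWindowsPath(src), PureWindowsPath(dst)
    if s.parent != d.parent or not d.name.startswith(s.name):
        return None
    suffix = d.name[len(s.name):]
    return suffix.lower() if suffix.startswith(".") and len(suffix) > 1 else None

def detect_mass_rename(events, threshold=50, window=60.0) -> list[Alert]:
    """Group by (pid, image, extension), find the densest `window`-second burst
    of appended-extension renames, alert when it holds >= `threshold` events."""
    groups = defaultdict(list)
    for ev in events:
        ext = appended_extension(ev.src, ev.dst)
        if ext is not None:
            groups[(ev.pid, ev.image, ext)].append(ev)
    alerts = []
    for (pid, image, ext), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        left = best_left = best_count = 0
        for right in range(len(evs)):          # two-pointer sliding window
            while evs[right].ts - evs[left].ts > window:
                left += 1
            if right - left + 1 > best_count:
                best_left, best_count = left, right - left + 1
        if best_count >= threshold:
            burst = evs[best_left:best_left + best_count]
            dirs = {str(PureWindowsPath(e.src).parent) for e in burst}
            drives = sorted({PureWindowsPath(e.src).drive.upper() for e in burst})
            alerts.append(Alert(pid, image, ext, best_count, len(dirs), tuple(drives)))
    return alerts

def build_constructed_log() -> str:
    """Constructed telemetry, not taken from the report: a payload appends
    .locked to 120 files on three volumes within 24 s; a backup tool appends
    .bak to five files; Explorer does a normal rename; one write event is noise."""
    t, mal = 1727776000.0, r"C:\Users\u\AppData\Local\Temp\payload.exe"
    roots = [r"C:\Users\u\Documents", r"D:\docs", r"E:\share\finance"]
    recs = []
    for i in range(120):
        src = roots[i % 3] + rf"\file{i:03d}.docx"
        recs.append({"ts": t + 0.2 * i, "pid": 4120, "image": mal, "op": "rename",
                     "src": src, "dst": src + ".locked"})
    for i in range(5):
        src = rf"C:\Users\u\Documents\report{i}.xlsx"
        recs.append({"ts": t + i, "pid": 800, "image": r"C:\Program Files\Backup\bk.exe",
                     "op": "rename", "src": src, "dst": src + ".bak"})
    recs.append({"ts": t, "pid": 1200, "image": r"C:\Windows\explorer.exe", "op": "rename",
                 "src": r"D:\docs\draft.docx", "dst": r"D:\docs\final.docx"})
    recs.append({"ts": t, "pid": 4120, "image": mal, "op": "write",
                 "path": r"C:\Users\u\Desktop\README.txt"})
    return "\n".join(json.dumps(r) for r in recs)

SAMPLE_LOG = build_constructed_log()

if __name__ == "__main__":
    for a in detect_mass_rename(parse_events(SAMPLE_LOG)):
        print(f"pid {a.pid} {a.image}: {a.count} files -> *{a.extension}, "
              f"{a.directories} dirs on {' '.join(a.drives)}")
```

Against the report's figure of 10,065 renames a threshold of 50 in 60 seconds is conservative; tune it against your own baseline, since backup and archive tools also append extensions (which is why the benign `.bak` process in the constructed log stays below the threshold). Reporting the drives touched by the burst is deliberate: a process renaming files on D: and E: as well as C: lines up with the "Enumerates connected drives" signature in this report, and the same grouping can be extended with share-access events to cover "Network Share Discovery".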

MITRE ATT&CK Enterprise v15

Tasks