General

  • Target

    script.vbs

  • Size

    927B

  • Sample

    241001-vbgqzazekm

  • MD5

    f01859341d1818f8a85204582a72416b

  • SHA1

    8cbab8682263b91fa5326e946a46443f698fa3aa

  • SHA256

    a8be666bcafd2381de467ec2bdecd0d050a9b316f6ac4dd31cbe2b758ff12365

  • SHA512

    4d60b148d0df18c5e14c162dcf2eefc31655187b3e2fb0d23f834940178e555638e469cb316054bcaa8872d3286a4114cced5f33bb989cc6a0bf5426049671ed

Malware Config

Targets

    • Renames multiple (10028) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Network Share Discovery

      Attempt to gather information on the host's network.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks