General

  • Target

    script.vbs

  • Size

    1012B

  • Sample

    241001-vfn1vatgpe

  • MD5

    5cc8785cf3be739d25c71218c74a8195

  • SHA1

    314adada442d0b49d4af631032ed5b763cbe51c9

  • SHA256

    18959bdc6ccba9e863eb842c4c4852786c6f998615955fc6981e26690fbaf7ea

  • SHA512

    fb571e84186a415636d2d156acafb1af2bac7601328beb9ebf20f49cd3788f017a5daa71dfdb899bad89e930c99a67bf7a5f81c65d1b0ce122a7ba6ec70143ab

Malware Config

Targets

    • Target

      script.vbs

    • Size

      1012B

    • MD5

      5cc8785cf3be739d25c71218c74a8195

    • SHA1

      314adada442d0b49d4af631032ed5b763cbe51c9

    • SHA256

      18959bdc6ccba9e863eb842c4c4852786c6f998615955fc6981e26690fbaf7ea

    • SHA512

      fb571e84186a415636d2d156acafb1af2bac7601328beb9ebf20f49cd3788f017a5daa71dfdb899bad89e930c99a67bf7a5f81c65d1b0ce122a7ba6ec70143ab

    • Renames multiple (9610) files with added filename extension

      Consistent with ransomware: encrypted files are typically written back under the original name with an extra extension appended, and doing this to thousands of files in one run is the defining behaviour.

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check used to decide whether to run on this host.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser profile data, which can include saved credentials and other sensitive account data.

    • Drops desktop.ini file(s)

    • Network Share Discovery

      Attempts to enumerate network shares reachable from the host, typically to find further data to encrypt or spread to.
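The first signature above (thousands of files renamed with an appended extension) is the one most worth turning into a host-side detection. The following is an added example, not code from the sandbox or from this sample: it runs over constructed file-rename telemetry (old path, new path, process image and PID, with those field names assumed) and flags any process that appends the same extension to at least `threshold` files. Renames that change the base name, or that append a path component rather than an extension, are deliberately ignored so that ordinary editing does not trigger it.

```python
"""Detect mass rename-with-appended-extension activity.

Added example for this report, not part of the original page or of the
sandbox's own signature logic. The event format below is an assumption
modelled on file-rename telemetry; adapt the field names to your source.
"""
from collections import Counter, defaultdict


def _ev(pid, image, old, new):
    """Build one constructed rename event (field names are assumptions)."""
    return {"pid": pid, "image": image, "old": old, "new": new}


# Constructed sample telemetry, NOT from the actual analysis run:
# one script host renaming six documents with ".locked", plus benign noise.
SAMPLE_EVENTS = [
    _ev(4120, "wscript.exe", r"C:\Users\bob\Documents\budget.xlsx",
        r"C:\Users\bob\Documents\budget.xlsx.locked"),
    _ev(4120, "wscript.exe", r"C:\Users\bob\Documents\notes.docx",
        r"C:\Users\bob\Documents\notes.docx.locked"),
    _ev(4120, "wscript.exe", r"C:\Users\bob\Pictures\cat.jpg",
        r"C:\Users\bob\Pictures\cat.jpg.locked"),
    _ev(4120, "wscript.exe", r"C:\Users\bob\Desktop\todo.txt",
        r"C:\Users\bob\Desktop\todo.txt.locked"),
    _ev(4120, "wscript.exe", r"C:\Users\bob\Desktop\invoice.pdf",
        r"C:\Users\bob\Desktop\invoice.pdf.locked"),
    _ev(4120, "wscript.exe", r"C:\Users\bob\Music\song.mp3",
        r"C:\Users\bob\Music\song.mp3.locked"),
    # Benign: a backup tool appending .bak to two files (below threshold).
    _ev(2212, "backup.exe", r"C:\Data\config.ini", r"C:\Data\config.ini.bak"),
    _ev(2212, "backup.exe", r"C:\Data\hosts", r"C:\Data\hosts.bak"),
    # Benign: a user renaming a document (base name changes, not appended).
    _ev(1980, "explorer.exe", r"C:\Users\bob\Documents\report.docx",
        r"C:\Users\bob\Documents\report_v2.docx"),
]


def appended_extension(old, new):
    """Return the extension appended to `old` to form `new`, else None.

    Only a single ".ext" suffix counts; anything containing a path
    separator or a second dot is not treated as an appended extension.
    """
    if not new.startswith(old) or len(new) <= len(old):
        return None
    suffix = new[len(old):]
    if not suffix.startswith(".") or len(suffix) < 2:
        return None
    if "." in suffix[1:] or "\\" in suffix or "/" in suffix:
        return None
    return suffix


def detect_mass_rename(events, threshold=5):
    """Return one alert per process that appends the same extension to
    at least `threshold` files. Each alert names the process, the
    extension and the count, which is what an analyst wants to pivot on."""
    per_process = defaultdict(Counter)
    for ev in events:
        ext = appended_extension(ev["old"], ev["new"])
        if ext is not None:
            per_process[(ev["pid"], ev["image"])][ext] += 1

    alerts = []
    for (pid, image), ext_counts in per_process.items():
        ext, count = ext_counts.most_common(1)[0]
        if count >= threshold:
            alerts.append({"pid": pid, "image": image,
                           "extension": ext, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(f"{alert['image']} (pid {alert['pid']}) appended "
              f"{alert['extension']} to {alert['count']} files")
```

The threshold of five is deliberately low for the constructed data; against real telemetry you would raise it and also key on the appended extension being one not already known on the host, since the sample above touched 9610 files, far beyond what any legitimate tool renames in one burst.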

MITRE ATT&CK Enterprise v15

Tasks