General
Target: trigger.vbs
Size: 868B
Sample: 241001-vhf31szgrm
MD5: c7dcf5028ff4b4a9ff209860a3fd4687
SHA1: 95d66c6ae9d16172ba9823e47cd3afe76dbab02f
SHA256: 1895ac4d6d8ca78567e71f3c1ec8bf4215e55751a58bd39b19cb881dfe6fee72
SHA512: b7c420c1e2d44055128e44388e183ae3fabc48ecd46e2869b1024e182c77f6470c60cd6e7e1c8ccba74bbdfff9891d066d3ee05d8279df5e4caa4ec726ad09fa
Static task: static1
Behavioral task: behavioral1
Sample: trigger.vbs
Resource: win7-20240903-en
Malware Config
Targets
Target: trigger.vbs
Size: 868B
Signatures
- Renames multiple (169) files with added filename extension. This suggests ransomware activity, encrypting all the files on the system.
- Possible privilege escalation attempt.
- Checks computer location settings. Looks up the country code configured in the registry, likely used as a geofence.
- Credentials from Password Stores: Windows Credential Manager. Suspicious access to Credentials History.
- Executes dropped EXE.
- Loads dropped DLL.
- Modifies file permissions.
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Network Share Discovery (1)
- Peripheral Device Discovery (1)
- Query Registry (2)
- System Information Discovery (3)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- System Time Discovery (1)