General

  • Target

    code.vbs

  • Size

    910B

  • Sample

    241011-s3n81szdle

  • MD5

    b0496fd6e35d29aa539b67275779f968

  • SHA1

    8f3408608c0f8437ca32739a190234e8388b881e

  • SHA256

    69983df4e763c21c65d22182966c032d269943f974123f395974e931de7459d5

  • SHA512

    05dbfb96bbc745ae30dae0d15313f2a9fc1aa223708b3c9ab934b083b7f773512a0c4abf9844e72a9b40c2dcd491f5fcd4abdcb6803d790b5593932cdcff7729

Malware Config

Targets

    • Target

      code.vbs

    • Renames multiple (286) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Modifies termsrv.dll

      Commonly used to allow simultaneous RDP sessions.

MITRE ATT&CK Enterprise v15
