General

  • Target

    script.vbs

  • Size

    1019B

  • Sample

    241011-s419zazdpb

  • MD5

    8ae0e65f9d9144c1488523278ad89cba

  • SHA1

    8ae2f0a6df8cd00025722a7d9886987527b7db58

  • SHA256

    a87d04d8757e41482bc19cd0ead2948fd7a5f40aac33f1834f5972579578d79a

  • SHA512

    59b645105175d23c0be34e02a5f77eddbdf09268caf94f5dae5e9e0d876d3bad46ed035254850973243388c384d8a2fee49e873258d9fe9725b1de1843ae9917

Malware Config

Targets

    • Target

      script.vbs

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Possible privilege escalation attempt

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Modifies file permissions

    • Drops file in System32 directory

    • Modifies termsrv.dll

      Commonly used to allow simultaneous RDP sessions.

MITRE ATT&CK Enterprise v15

Tasks