General

  • Target

    code.vbs

  • Size

    910B

  • Sample

    241011-s5f1eszdqf

  • MD5

    b0496fd6e35d29aa539b67275779f968

  • SHA1

    8f3408608c0f8437ca32739a190234e8388b881e

  • SHA256

    69983df4e763c21c65d22182966c032d269943f974123f395974e931de7459d5

  • SHA512

    05dbfb96bbc745ae30dae0d15313f2a9fc1aa223708b3c9ab934b083b7f773512a0c4abf9844e72a9b40c2dcd491f5fcd4abdcb6803d790b5593932cdcff7729

Malware Config

Targets

    • Target

      code.vbs

    • Renames multiple (286) files with added filename extension

      Appending a new extension to a large number of user files is characteristic of ransomware encrypting files in place. The count (286) is what the sandbox observed during its run, not evidence that every file on the system was touched.

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Tampering with the components Windows uses to validate Authenticode signatures, for example patching or replacing the exports of the DLLs that perform the check, can make an unsigned or modified binary appear validly signed.

    • Possible privilege escalation attempt

    • Boot or Logon Autostart Execution: Print Processors

      Print processors are DLLs registered under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\<architecture>\Print Processors and loaded by the Print Spooler service, which runs as SYSTEM. Registering a malicious DLL there gives persistence across reboots and execution at SYSTEM privilege (ATT&CK T1547.012), which also accounts for the privilege escalation signature above.

    • Checks computer location settings

      Reads the country code configured in the registry (HKCU\Control Panel\International\Geo), most likely to geofence execution so the payload runs, or refuses to run, only in particular regions.

    • Indicator Removal: Clear Windows Event Logs

      Clears Windows event logs to hide evidence of the intrusion. The clear is itself logged: Security event ID 1102 and System event ID 104 record that a log was cleared and by which account, so those two events remain a high-value detection even after the rest of the log is gone.

    • Modifies file permissions

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows AutoRun to spread via removable or attached volumes. Since Windows 7 (and KB971029 on earlier versions) AutoRun from autorun.inf is honoured only for optical media, so this mainly matters on legacy or misconfigured hosts.

    • Drops file in System32 directory

    • Modifies termsrv.dll

      termsrv.dll implements the Remote Desktop Services host. Patching it is the usual way to remove the single-session limit so several RDP users can be logged on at once, a common step in turning the machine into a remote-access foothold.
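
Detection logic for three of the signatures above (mass renames that append an extension, a print processor registration, and event log clearing), as an added Python example that is not part of the sandbox report or its tooling. It runs over constructed telemetry records in an assumed Sysmon-like shape (fields type, ts, pid, src, dst, key, value, data, channel, eid); the registry path and event IDs are real Windows values, while the records, the process IDs, the DLL name and the thresholds are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record shapes (constructed for this example, not the sandbox's output):
#   rename: {"type": "rename", "ts": datetime, "pid": int, "src": str, "dst": str}
#   regset: {"type": "regset", "ts": datetime, "pid": int, "key": str, "value": str, "data": str}
#   evtlog: {"type": "evtlog", "ts": datetime, "channel": str, "eid": int}

# Real Windows locations/IDs behind the signatures in the report.
PRINT_ENV_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments"
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def added_extension(src, dst):
    """Return the suffix appended to src if dst is src plus '.ext', else None."""
    if not dst.startswith(src) or len(dst) <= len(src):
        return None
    suffix = dst[len(src):]
    if suffix.startswith(".") and "\\" not in suffix and "/" not in suffix:
        return suffix
    return None


def detect_mass_rename(events, threshold=20, window=timedelta(minutes=5)):
    """Flag a process that appends the same extension to >= threshold files within window.
    Returns one hit per (pid, ext) with the total number of such renames seen."""
    stamps = defaultdict(list)                      # (pid, ext) -> timestamps
    for e in events:
        if e["type"] == "rename":
            ext = added_extension(e["src"], e["dst"])
            if ext:
                stamps[(e["pid"], ext.lower())].append(e["ts"])
    hits = []
    for (pid, ext), ts_list in stamps.items():
        ts_list.sort()
        start = 0                                   # sliding window over sorted times
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append({"pid": pid, "ext": ext, "count": len(ts_list)})
                break
    return hits


def detect_print_processor_persistence(events):
    """Flag writes of a 'Driver' value under ...\\Print\\Environments\\<arch>\\Print Processors\\<name>
    (ATT&CK T1547.012): the named DLL is loaded by the spooler as SYSTEM."""
    hits = []
    for e in events:
        if e["type"] != "regset":
            continue
        key = e["key"].lower()
        if (key.startswith(PRINT_ENV_KEY.lower())
                and "\\print processors\\" in key
                and e["value"].lower() == "driver"):
            hits.append({"pid": e["pid"], "key": e["key"], "dll": e["data"]})
    return hits


def detect_log_clear(events):
    """Security 1102 / System 104 are written when a log is cleared; they survive the clear."""
    return [e for e in events
            if e["type"] == "evtlog" and (e["channel"], e["eid"]) in LOG_CLEARED]


def triage(events):
    """Run every detector; a non-empty value means the corresponding report signature fired."""
    return {
        "mass_rename": detect_mass_rename(events),
        "print_processor": detect_print_processor_persistence(events),
        "log_clear": detect_log_clear(events),
    }


# Constructed sample telemetry: 25 files renamed *.docx -> *.docx.locked by pid 4120,
# one benign rename, a print processor registration and two log clears.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"type": "rename", "ts": T0 + timedelta(seconds=i), "pid": 4120,
     "src": rf"C:\Users\user\Documents\report{i}.docx",
     "dst": rf"C:\Users\user\Documents\report{i}.docx.locked"}
    for i in range(25)
] + [
    {"type": "rename", "ts": T0, "pid": 800,
     "src": r"C:\Users\user\draft.txt", "dst": r"C:\Users\user\final.txt"},
    {"type": "regset", "ts": T0 + timedelta(seconds=30), "pid": 4120,
     "key": PRINT_ENV_KEY + r"\Windows x64\Print Processors\winprint2",
     "value": "Driver", "data": "wprint2.dll"},
    {"type": "evtlog", "ts": T0 + timedelta(seconds=40), "channel": "Security", "eid": 4624},
    {"type": "evtlog", "ts": T0 + timedelta(seconds=41), "channel": "Security", "eid": 1102},
    {"type": "evtlog", "ts": T0 + timedelta(seconds=42), "channel": "System", "eid": 104},
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

The rename detector keys on (process, appended extension) rather than on file count alone, so a backup tool that renames hundreds of files to unrelated names does not trip it, while a single process stamping the same new suffix on many files does; the threshold and window are tuning knobs, not values taken from the report.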

MITRE ATT&CK Enterprise v15

Tasks