General

  • Target

    code.vbs

  • Size

    1KB

  • Sample

    241011-s9dqvsvfpp

  • MD5

    f005bdca84c5bb5ec73a58ffae84a477

  • SHA1

    87ab175ea3905dfd6b857ae2e95c8c7dbcf41813

  • SHA256

    a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037

  • SHA512

    0bca32222e61bc0cb8807c30abbcb06c5aaa7de9407b50ceebc089c622188997650ab1d00497ff888c77b71f6ee8b5f3acf3e107756b6692692396fd081f8bf6

Malware Config

Targets

    • Target

      code.vbs

    • Renames multiple (13075) files with added filename extension

      This pattern is consistent with ransomware encrypting the files on the system.

    • Drops file in Drivers directory

    • Possible privilege escalation attempt

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Indicator Removal: Clear Windows Event Logs

      Clears Windows Event Logs to hide the activity of an intrusion.

    • Modifies file permissions

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks