General

  • Target

    bed065aac49fea70993394b73504a0f53f6609c40b330c914910c7042ca938d1.vbs

  • Size

    21KB

  • Sample

    241106-d48lqavbrr

  • MD5

    8d5dd9bf315ddce15fe2dac85e196250

  • SHA1

    6e6b5c82e1dd6b59e5e175b00092e37db3191b7c

  • SHA256

    bed065aac49fea70993394b73504a0f53f6609c40b330c914910c7042ca938d1

  • SHA512

    b4f9b2c4048262ddc66fd2be6dc3447debaf41db4946ffbf29b27c0e235ec439db0637763efee6bdbb1f812a0de9104cd4765a428980a3373f4883c7f0a8b3f6

  • SSDEEP

    384:teGbplStxYHQHSH7l+icHVn27vXQayXwA+9xQ+E6O:l2R2YJ+EF

Malware Config

Targets

    • UAC bypass

      The script attempts to elevate without a consent prompt (ATT&CK T1548.002); the report does not record which bypass technique was used.

    • Deletes shadow copies

      Ransomware commonly removes Volume Shadow Copies (typically via vssadmin.exe or WMIC) to inhibit system recovery (T1490).

    • Blocklisted process makes network request

      A process the sandbox blocklists (commonly script hosts and other living-off-the-land binaries) initiated an outbound network request.

    • Blocks application from running via registry modification

      Adds an executable name to the Explorer DisallowRun policy list in the registry, preventing that application from launching.

    • Deletes backup catalog

      Runs wbadmin.exe to delete the Windows Backup catalog, inhibiting system recovery (T1490).

    • Disables RegEdit via registry modification

      Sets the DisableRegistryTools policy value so the user cannot open the Registry Editor to undo the changes.

    • Checks computer location settings

      Reads the country code configured in the registry (Control Panel\International\Geo), likely to geofence execution by locale (T1614).

    • Adds Run key to start application

      Writes a CurrentVersion\Run value so the payload is relaunched at logon (T1547.001).

    • Checks whether UAC is enabled

      Queries the EnableLUA policy value, typically before attempting elevation.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      Writes the Wallpaper value under Control Panel\Desktop, a common ransomware-note delivery step (T1491.001).
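
The signatures above are what a sandbox derives from process and registry telemetry. The following is an added example (not part of this report and not the sandbox's own rule set) of how a detection engineer can reproduce that mapping over a feed of process-creation and registry events. The events and the rule patterns are constructed from the usual mechanisms behind each signature (vssadmin/WMIC shadow deletion, wbadmin delete catalog, the DisallowRun, DisableRegistryTools, Run, Wallpaper, Geo\Nation and EnableLUA registry locations); the report does not show this sample's actual command lines, so the constructed telemetry is illustrative, not recovered from the .vbs.

```python
"""Map process-creation and registry-write telemetry to the behaviour
signatures listed in this report (shadow-copy deletion, backup-catalog
deletion, DisallowRun, DisableRegistryTools, Run-key persistence, wallpaper
change, geo lookup, UAC check).  Added example: the events below are
constructed, not taken from the sample, and the rule patterns assume the
common mechanism behind each signature."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" or "registry"
    image: str = ""    # process image path for process events
    cmdline: str = ""  # full command line for process events
    key: str = ""      # registry key path for registry events
    value: str = ""    # registry value name
    op: str = ""       # "set" (write) or "query" (read)


def _proc(image_re, cmd_re):
    """Predicate: process event whose image and command line both match."""
    def pred(e):
        return (e.kind == "process"
                and re.search(image_re, e.image, re.I) is not None
                and re.search(cmd_re, e.cmdline, re.I) is not None)
    return pred


def _reg(key_re, value_re=None, op=None):
    """Predicate: registry event on a key (and optionally value name / op)."""
    def pred(e):
        if e.kind != "registry" or not re.search(key_re, e.key, re.I):
            return False
        if value_re and not re.search(value_re, e.value, re.I):
            return False
        return op is None or e.op == op
    return pred


# (signature name as the report phrases it, ATT&CK technique, predicate)
RULES = [
    ("Deletes shadow copies", "T1490",
     _proc(r"(vssadmin|wmic)\.exe$", r"delete\s+shadows|shadowcopy\s+delete")),
    ("Deletes backup catalog", "T1490",
     _proc(r"wbadmin\.exe$", r"delete\s+catalog")),
    ("Blocks application from running via registry modification", "T1112",
     _reg(r"\\Policies\\Explorer\\DisallowRun", op="set")),
    ("Disables RegEdit via registry modification", "T1112",
     _reg(r"\\Policies\\System$", r"^DisableRegistryTools$", op="set")),
    ("Adds Run key to start application", "T1547.001",
     _reg(r"\\CurrentVersion\\Run$", op="set")),
    ("Sets desktop wallpaper using registry", "T1491.001",
     _reg(r"\\Control Panel\\Desktop$", r"^Wallpaper$", op="set")),
    ("Checks computer location settings", "T1614",
     _reg(r"\\Control Panel\\International\\Geo$", r"^Nation$", op="query")),
    ("Checks whether UAC is enabled", "T1548.002",
     _reg(r"\\Policies\\System$", r"^EnableLUA$", op="query")),
]


def match_events(events):
    """Return the ordered, de-duplicated list of (signature, technique) hits."""
    hits = []
    for e in events:
        for name, tech, pred in RULES:
            if pred(e) and (name, tech) not in hits:
                hits.append((name, tech))
    return hits


# Constructed telemetry resembling what a sandbox would log for a VBS dropper.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\wscript.exe",
          cmdline='wscript.exe "C:\\Users\\u\\sample.vbs"'),
    Event("registry", key=r"HKCU\Control Panel\International\Geo",
          value="Nation", op="query"),
    Event("registry", key=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
          value="EnableLUA", op="query"),
    Event("process", image=r"C:\Windows\System32\vssadmin.exe",
          cmdline="vssadmin.exe delete shadows /all /quiet"),
    Event("process", image=r"C:\Windows\System32\wbadmin.exe",
          cmdline="wbadmin.exe delete catalog -quiet"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun",
          value="1", op="set"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
          value="DisableRegistryTools", op="set"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          value="updater", op="set"),
    Event("registry", key=r"HKCU\Control Panel\Desktop",
          value="Wallpaper", op="set"),
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          cmdline="cmd.exe /c echo benign"),
]

if __name__ == "__main__":
    for name, tech in match_events(SAMPLE_EVENTS):
        print(f"{tech:10} {name}")
```

The two T1490 rules key on the destructive verbs (delete shadows, delete catalog) rather than on the binary alone, so that an administrator running "vssadmin list shadows" does not trip them; the UAC and geofence rules distinguish a read of the value from a write, which matters because the same Policies\System key is also where DisableRegistryTools is set.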

MITRE ATT&CK Enterprise v15

Tasks