General

  • Target

    Pyyidau.vbs

  • Size

    8.4MB

  • Sample

    241123-bwkhtazqgk

  • MD5

    c1108260f7a287cb16f93c11a40fbf90

  • SHA1

    8eab07aef27baae17d1ce013cce58b2b43dcaa1d

  • SHA256

    484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c

  • SHA512

    59d3023cc0287ff45894bbcce2175c8fda7a36b2f1687ab7b93fb49a578e38f874587bed0e3d69eff1a20deb4f20fc27c1155026bd962d007c9b0e8c028edc0c

  • SSDEEP

    49152:1uld2u6UP5rpZxEeMuatPwmOI06dzq5kz9zV7AujEy4q7YcGqaLjt1yLQ+RZyBvd:+P5j

Malware Config

Targets

    • Target

      Pyyidau.vbs

    • Size

      8.4MB

    • MD5

      c1108260f7a287cb16f93c11a40fbf90

    • SHA1

      8eab07aef27baae17d1ce013cce58b2b43dcaa1d

    • SHA256

      484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c

    • SHA512

      59d3023cc0287ff45894bbcce2175c8fda7a36b2f1687ab7b93fb49a578e38f874587bed0e3d69eff1a20deb4f20fc27c1155026bd962d007c9b0e8c028edc0c

    • SSDEEP

      49152:1uld2u6UP5rpZxEeMuatPwmOI06dzq5kz9zV7AujEy4q7YcGqaLjt1yLQ+RZyBvd:+P5j

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

    • Netsupport family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks