Overview

overview

10

Static

static

1

Pyyidau.vbs

windows7-x64

10

Pyyidau.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Pyyidau.vbs

  • Size

    8.4MB

  • Sample

    241123-bz81kszrdr

  • MD5

    c1108260f7a287cb16f93c11a40fbf90

  • SHA1

    8eab07aef27baae17d1ce013cce58b2b43dcaa1d

  • SHA256

    484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c

  • SHA512

    59d3023cc0287ff45894bbcce2175c8fda7a36b2f1687ab7b93fb49a578e38f874587bed0e3d69eff1a20deb4f20fc27c1155026bd962d007c9b0e8c028edc0c

  • SSDEEP

    49152:1uld2u6UP5rpZxEeMuatPwmOI06dzq5kz9zV7AujEy4q7YcGqaLjt1yLQ+RZyBvd:+P5j

Score
10/10
netsupportdiscoverypersistenceprivilege_escalationrat

Malware Config

Targets

    • Target

      Pyyidau.vbs

    • Size

      8.4MB

    • MD5

      c1108260f7a287cb16f93c11a40fbf90

    • SHA1

      8eab07aef27baae17d1ce013cce58b2b43dcaa1d

    • SHA256

      484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c

    • SHA512

      59d3023cc0287ff45894bbcce2175c8fda7a36b2f1687ab7b93fb49a578e38f874587bed0e3d69eff1a20deb4f20fc27c1155026bd962d007c9b0e8c028edc0c

    • SSDEEP

      49152:1uld2u6UP5rpZxEeMuatPwmOI06dzq5kz9zV7AujEy4q7YcGqaLjt1yLQ+RZyBvd:+P5j

    Score
    10/10
    discoverynetsupportpersistenceprivilege_escalationrat

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

      ratnetsupport

    • Netsupport family

      netsupport

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

2
T1112

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks