Overview

overview

10

Static

static

1

Payment_Ac...30.vbs

windows7-x64

8

Payment_Ac...30.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment_Activity_0037_2025-3-30.vbs

  • Size

    13KB

  • Sample

    250330-w8v6astyg1

  • MD5

    257ea8ae99c0f328251eecebbb3c4301

  • SHA1

    0f6c115c4169c73269ee17955cd6858f71bd9b45

  • SHA256

    0d69c127cf01104b06b3407364bbd1c04ae5b6a831317b58d835c50ff9a0468c

  • SHA512

    631c1e004e71412b05bf1fb919d26d303a16c3cfbc5bf5e0fdf44533fbd8e47e4cd1ad1e00a39dfd038c51eceaf6bb19404eca49756a657b623b4acccda37b71

  • SSDEEP

    192:NB0v8qa258i+nxp2YXBoN8x6kgqDMOhWm3Gmim3jzVcGZlIyB1AQaAMKz3N2v:3qyiAdxoY6HyLjpLZlIyUQanKzN2v

Score
10/10
credential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decrypt_files.txt

Ransom Note
ATTENTION! You can return your files! All your files are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and key. Do not try to recover your files without a decrypt tool or try to turn off your pc, this may damage your files making them making them impossible to recover. We advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected] ID :E5968CDEA22A242F59C870BB4FA7522320572AC2BE310B723FBB80C1393CCC74

Targets

    • Target

      Payment_Activity_0037_2025-3-30.vbs

    • Size

      13KB

    • MD5

      257ea8ae99c0f328251eecebbb3c4301

    • SHA1

      0f6c115c4169c73269ee17955cd6858f71bd9b45

    • SHA256

      0d69c127cf01104b06b3407364bbd1c04ae5b6a831317b58d835c50ff9a0468c

    • SHA512

      631c1e004e71412b05bf1fb919d26d303a16c3cfbc5bf5e0fdf44533fbd8e47e4cd1ad1e00a39dfd038c51eceaf6bb19404eca49756a657b623b4acccda37b71

    • SSDEEP

      192:NB0v8qa258i+nxp2YXBoN8x6kgqDMOhWm3Gmim3jzVcGZlIyB1AQaAMKz3N2v:3qyiAdxoY6HyLjpLZlIyUQanKzN2v

    Score
    10/10
    discoveryexecutioncredential_accessdefense_evasionimpactpersistenceransomwarespywarestealer

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

1
T1564

Ignore Process Interrupts

1
T1564.011

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks