General
-
Target
script.vbs
-
Size
1KB
-
Sample
240701-qkkf1atdqg
-
MD5
45c4cc84643d2187b897af10ef28c00d
-
SHA1
0ce82132d7311a18f1473c32164258757125aa52
-
SHA256
b1c8beebe331d458d9c2e57d2f198c0943398abe5fa18f264ef80a4861557c57
-
SHA512
f5551f72134262851aac9eebb0340b2200c6eef7db05538c67051a79c8814f79092ff809292215e6d86f0b09a273a35f76150155181e216f55a98579de815f04
Malware Config
Targets
-
-
Target
script.vbs
-
Size
1KB
-
MD5
45c4cc84643d2187b897af10ef28c00d
-
SHA1
0ce82132d7311a18f1473c32164258757125aa52
-
SHA256
b1c8beebe331d458d9c2e57d2f198c0943398abe5fa18f264ef80a4861557c57
-
SHA512
f5551f72134262851aac9eebb0340b2200c6eef7db05538c67051a79c8814f79092ff809292215e6d86f0b09a273a35f76150155181e216f55a98579de815f04
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Detected potential entity reuse from brand microsoft.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1