General

  • Target

    ballz.ps1

  • Size

    23KB

  • Sample

    240426-151ntsdc38

  • MD5

    b6eb389046df18695de5a33a7ee99945

  • SHA1

    26198f7f328a4ba8e0d4cdf233806f7ed0d06a61

  • SHA256

    ffb5696214ffb9c8bf87c62319a23de3c0f8f4966173a86617de741bf1d16429

  • SHA512

    b7eba55f9c955c93d2a5272bb3f2eb656aea491372b96ba147c053213f06a2476f55aab578d40df7bfb7dd3c556f3a18443963bdc3f57adcd47575d97e5c3058

  • SSDEEP

    192:8Syr8R+PR9KPI/zUAxzPVintiKwA/ntfnHeJ5knYpBwnnHnx13jdPflxRS5xVLTM:BrHeJER7AKApfOfv

Malware Config

  • Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://cdn.discordapp.com/attachments/1208191072119816315/1233532538975289364/real.exe?ex=662d7033&is=662c1eb3&hm=ff7acb3539fe2d7a01e6a1d36f1dc29c8c7302d05683ab0334fe9716ecf12c5d&

Targets

    • Target

      ballz.ps1

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15