General

  • Target

    5882b019b2e198796c8a641a21f12f21886e178d20985c44a155dfe096db036d.unknown

  • Size

    8.0MB

  • Sample

    240920-bq7fdssarp

  • MD5

    869f974153f82254d731f8deda4fc40d

  • SHA1

    d68566ea5e071cf12183a8196d33494e5c70054e

  • SHA256

    5882b019b2e198796c8a641a21f12f21886e178d20985c44a155dfe096db036d

  • SHA512

    98c9412a28ef39fb2187721816b79e8c746c0f9365ffcc3940c75f424a9d0875a322edb09bb4f98c8a504de27477842d539ce25aab1f486e48d53e1e8bb8615e

  • SSDEEP

    24576:5bH/vjxjgTv9CTyKMIERhnuMiaOYqlj4cAqis1q:5b/rx41JKzERJuQql4qis

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg

    exe.dropper

    https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg

Targets

    • Target

      ico/receipt#295.vbs

    • Size

      526KB

    • MD5

      ed7c0924f17062f0a8529be119ac681f

    • SHA1

      7b2fe31aab29c926aee9917955b63c882565a6a8

    • SHA256

      2be32404db27ff805fc5d7293a7daaf6955613637852580b6bd744d061df28f2

    • SHA512

      6347509f3160134d14a8c1623f0e128845fd413c6e1a0ce3ec3a95117b143ed28cf626fdb2f7f810c1630e24834cc6c3c3b2690f3144c446186169404d443f36

    • SSDEEP

      12288:0KGqe3sjWlECjW5J5fbFFhvFpt05P8eli+tTebpFJr+kCp2Y5m9MoqHzqra/:pKxjgTv90

    Score
    10/10

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Target

      receipt.lnk

    • Size

      1KB

    • MD5

      6ee65029676d821a770329f564b90a65

    • SHA1

      cf107578ca3db7c4fdd7c2d0b6b11702e96eeac7

    • SHA256

      97dc4b2ee8d560c3b2073ae20559149ce6bf86d708a669a9a831211665b4fc88

    • SHA512

      c348e371a49fd76235cf98c076607e4c7331ee75791d906ed17dd2e640c35b9bf5aa124ffdf38b8a353f5e25a9adf3d6358738aba7c4106ecaedf69a981b87e3

    Score
    10/10

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15
