General

  • Target

    picturewithattitudeevenbetterforallthin.vbs

  • Size

    137KB

  • Sample

    241118-xc1atatamr

  • MD5

    8575080d678736f4370fa4b88d00c148

  • SHA1

    ec4023c9d47d5d4c93e1f76d6400c6dfbec3a143

  • SHA256

    521c52c7c4e3e15c8d9805eeb75b45c85679c7ac9e744d9f53d67a7840cf309f

  • SHA512

    3b3e106f9ff3f57a41ca101e179c373e0782a1d5a82a113ee72b993893c4f5ad615d075631904ee3ab417f4b7f10062f15153280b159623ad8b0f71d49073593

  • SSDEEP

    3072:pybRgt5pgGwRr2wGUTqqfMYUlPgmsLnPe0A4g:1o0Y8gNLnPe0A4g

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

    exe.dropper

    https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Targets

    • Target

      picturewithattitudeevenbetterforallthin.vbs

    • Size

      137KB

    • MD5

      8575080d678736f4370fa4b88d00c148

    • SHA1

      ec4023c9d47d5d4c93e1f76d6400c6dfbec3a143

    • SHA256

      521c52c7c4e3e15c8d9805eeb75b45c85679c7ac9e744d9f53d67a7840cf309f

    • SHA512

      3b3e106f9ff3f57a41ca101e179c373e0782a1d5a82a113ee72b993893c4f5ad615d075631904ee3ab417f4b7f10062f15153280b159623ad8b0f71d49073593

    • SSDEEP

      3072:pybRgt5pgGwRr2wGUTqqfMYUlPgmsLnPe0A4g:1o0Y8gNLnPe0A4g

    Score
    10/10

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks