General

  • Target

    ba164adf0e3d7ada31a03e9bf73e26f5.WSF

  • Size

    31KB

  • Sample

    241217-s9943asmfy

  • MD5

    ba164adf0e3d7ada31a03e9bf73e26f5

  • SHA1

    2580810407a9e6189d3ea643c6a49679babf230c

  • SHA256

    61801bf75d5af4f325190112cdd42e811a857d77284db0cd8022f926ae922823

  • SHA512

    c674aeb0c34c9b9c66b99384f5a75ab77aad9c14356f33a0ef741325f1de455af635f73bc14b8283ed7890cfbf875adbfb9d48a84904cd080a6f22962dba9e57

  • SSDEEP

    768:i+vnInInInInInInInIncnjnInInInInInInInInInInInInInInInInm:i+f22222222yL2222222222222222m

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

      ps1.dropper  https://desckvbrat.com.br/Upcrypter/01/DLL01.txt

      exe.dropper  https://drive.google.com/uc?export=download&id=

      exe.dropper  https://desckvbrat.com.br/Upcrypter/01/DLL01.txt

Targets

    • Target

      ba164adf0e3d7ada31a03e9bf73e26f5.WSF

    • Size

      31KB

    • MD5

      ba164adf0e3d7ada31a03e9bf73e26f5

    • SHA1

      2580810407a9e6189d3ea643c6a49679babf230c

    • SHA256

      61801bf75d5af4f325190112cdd42e811a857d77284db0cd8022f926ae922823

    • SHA512

      c674aeb0c34c9b9c66b99384f5a75ab77aad9c14356f33a0ef741325f1de455af635f73bc14b8283ed7890cfbf875adbfb9d48a84904cd080a6f22962dba9e57

    • SSDEEP

      768:i+vnInInInInInInInIncnjnInInInInInInInInInInInInInInInInm:i+f22222222yL2222222222222222m

    Score
    10/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Command and Scripting Interpreter: PowerShell

      The sample launches powershell.exe.

    • Legitimate hosting services abused for malware hosting/C2
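
    As an added example (not part of the Triage report or of the sample), the following Python maps the five signatures above onto a handful of constructed Sysmon-style events and matches network traffic against the dropper URLs from the extracted config. The registry values taken to reveal the configured country, the startup persistence paths, the list of "legitimate hosting" domains and the blocklist of network-capable script interpreters are all assumptions; the Google Drive file id is truncated on the page and is kept as a prefix.

```python
import re
from urllib.parse import urlsplit

# Dropper URLs from the report's extracted config. The Google Drive file id is
# truncated on the page, so that entry is matched as a prefix with startswith().
DROPPER_URLS = [
    "https://desckvbrat.com.br/Upcrypter/01/DLL01.txt",
    "https://drive.google.com/uc?export=download&id=",
]
IOC_HOSTS = {urlsplit(u).hostname for u in DROPPER_URLS}

# Assumptions (not from the report): which hosting services count as legitimate
# hosting abused for payload delivery, which registry values reveal the configured
# country, which paths count as startup persistence, and which images are
# blocklisted as network clients (script hosts and interpreters).
LEGIT_HOSTING = {"drive.google.com", "docs.google.com"}
GEO_KEY_RE = re.compile(r"control panel\\international\\(geo\\nation|scountry|slocale)$", re.I)
STARTUP_RE = re.compile(r"\\(start menu\\programs\\startup\\|currentversion\\run\\)", re.I)
BLOCKLISTED_NET = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"

# Constructed events mimicking a WSF that hands off to PowerShell; the command
# line, file names and the Drive id are invented for illustration.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": WS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\ba164adf0e3d7ada31a03e9bf73e26f5.WSF"'},
    {"type": "process_create", "image": PS, "parent_image": WS,
     "cmdline": "powershell.exe -ep bypass -w hidden -c ..."},
    {"type": "registry_read", "image": PS, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "network", "image": PS, "url": "https://desckvbrat.com.br/Upcrypter/01/DLL01.txt"},
    {"type": "network", "image": PS, "url": "https://drive.google.com/uc?export=download&id=1AbC"},
    {"type": "file_write", "image": PS,
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (sorted signature names, sorted matched IOC hosts) for a list of events."""
    sigs, iocs = set(), set()
    for ev in events:
        img = _basename(ev.get("image", ""))
        kind = ev["type"]
        if kind == "process_create" and img == "powershell.exe":
            # Report signature: Command and Scripting Interpreter: PowerShell.
            sigs.add("Command and Scripting Interpreter: PowerShell")
        elif kind == "registry_read" and GEO_KEY_RE.search(ev["key"]):
            # Report signature: country code looked up in the registry (geofence).
            sigs.add("Checks computer location settings")
        elif kind == "file_write" and STARTUP_RE.search(ev["path"]):
            sigs.add("Drops startup file")
        elif kind == "network":
            url = ev["url"]
            host = urlsplit(url).hostname or ""
            if img in BLOCKLISTED_NET:
                sigs.add("Blocklisted process makes network request")
            if host in LEGIT_HOSTING:
                sigs.add("Legitimate hosting services abused for malware hosting/C2")
            # Known dropper URL (prefix match covers the truncated Drive id) or known host.
            if host in IOC_HOSTS or any(url.startswith(u) for u in DROPPER_URLS):
                iocs.add(host)
    return sorted(sigs), sorted(iocs)


if __name__ == "__main__":
    found, hosts = triage(SAMPLE_EVENTS)
    print("signatures:", *found, sep="\n  ")
    print("ioc hosts:", ", ".join(hosts))
```

    Run against the constructed events this reproduces all five behavioural signatures from the report and flags both dropper hosts; a lone powershell.exe launch from explorer.exe yields only the PowerShell signature, which is the point of keeping each check independent rather than scoring the chain as a whole.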

MITRE ATT&CK Enterprise v15

Tasks