General

  • Target

    gbvtwssa

  • Size

    106KB

  • Sample

    220416-gcljnaccen

  • MD5

    30326e79afdba5026d51ab50b37939d2

  • SHA1

    b4b420c4a464d12f62b94c65aff4ba230c95f3f2

  • SHA256

    403fdb65274fbfeccb8868e0b400f3ee2281426c7dbbdc7bdb263dff0979d704

  • SHA512

    9821a19b0abb1c7ec8f929a47926bdd5a175a006e56e47cba8995cabc1de8c2b04d80b4ace7e7d6227544f58d00efc89f7d569da3bd917d70e42ae1c8dd9e0ce

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://amedion.net/uNMU39B

exe.dropper

http://biciculturabcn.com/6s97jYza

exe.dropper

http://valenetinternet.com.br/3Rdtv

exe.dropper

http://goshowcar.com/9RVqaX

exe.dropper

http://wheelbalancetraining.com/9il

Targets

    • Target

      gbvtwssa

    • Size

      106KB

    • MD5

      30326e79afdba5026d51ab50b37939d2

    • SHA1

      b4b420c4a464d12f62b94c65aff4ba230c95f3f2

    • SHA256

      403fdb65274fbfeccb8868e0b400f3ee2281426c7dbbdc7bdb263dff0979d704

    • SHA512

      9821a19b0abb1c7ec8f929a47926bdd5a175a006e56e47cba8995cabc1de8c2b04d80b4ace7e7d6227544f58d00efc89f7d569da3bd917d70e42ae1c8dd9e0ce

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • An obfuscated cmd.exe command-line is typically used to evade detection.

MITRE ATT&CK Enterprise v6

Tasks