General

  • Target

    567b7fe91330078fd3ba9e0f152203bb4e8edf5af0d43dd09deb7273cff24b39

  • Size

    93KB

  • Sample

    220521-pel7zaadbj

  • MD5

    674d7910c1ee176de0e24fd0179d83ab

  • SHA1

    ff11c4281f065fa38d91e606a5e294d7fd8e312d

  • SHA256

    567b7fe91330078fd3ba9e0f152203bb4e8edf5af0d43dd09deb7273cff24b39

  • SHA512

    3825964d5a19453885e521c8e79cfc086b253bbbef34467abf94bc7044cb3c89409bcdae1313ba01ab109a60961abaa960a41e3d963f45531d377186994a94b6

Score
10/10

Malware Config

Extracted

  • Language: ps1

  • Deobfuscated

  • URLs

    exe.dropper: http://62.108.35.26/generator.php

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tactic            Technique                      Count  ID
Defense Evasion   Modify Registry                1      T1112
Discovery         Query Registry                 3      T1012
Discovery         System Information Discovery   4      T1082

Tasks