3e2db082da1ae9d9e4c61a3a3f6fcb537ec035ade48adbeaf8507b90253ab674

General
Target

3e2db082da1ae9d9e4c61a3a3f6fcb537ec035ade48adbeaf8507b90253ab674

Size

84KB

Sample

220521-pep9maadbr

Score
10/10
MD5

851679ab73106c4941838d0d614a2144

SHA1

38c73b10f756b592fb0af01dc8eb315a0fda1eea

SHA256

3e2db082da1ae9d9e4c61a3a3f6fcb537ec035ade48adbeaf8507b90253ab674

SHA512

ad117630eed78d75f551380a4030baa4785cfb0e17c05d285a1edeaaecbe679dfe0cb91c51e188be9769abb60da9961d683721ffa4dbac1445d7f602fee2368e

Malware Config

Extracted

Language ps1
Deobfuscated
URLs
exe.dropper

http://62.108.35.26/generator.php

Targets
Target

TTP-US-246841413.doc

MD5

674d7910c1ee176de0e24fd0179d83ab

Filesize

93KB

Score
10/10
SHA1

ff11c4281f065fa38d91e606a5e294d7fd8e312d

SHA256

567b7fe91330078fd3ba9e0f152203bb4e8edf5af0d43dd09deb7273cff24b39

SHA512

3825964d5a19453885e521c8e79cfc086b253bbbef34467abf94bc7044cb3c89409bcdae1313ba01ab109a60961abaa960a41e3d963f45531d377186994a94b6

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry
    System Information Discovery

  • Drops file in System32 directory

Related Tasks

MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation

Tasks

static1

8/10

behavioral1

10/10

behavioral2

10/10