General

  • Target: cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4
  • Size: 89KB
  • Sample: 220521-pepm4aadbp
  • MD5: b52f6306e6c5af7bd87fab6f32a937b9
  • SHA1: e7043e9907b332b9039eeb4487959d10e05d2dc0
  • SHA256: cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4
  • SHA512: 0f5212be7b3294cb4b86e4f884f9b750a056c34ab9d9df040481d2244659ee2c79c084747ed5cf056ae9d4d3d35563b1901dacfbec464a20ea466029916cc9cb

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (exe.dropper): http://62.108.35.164/api.php

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation