cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4

General

Target: cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4

Size: 89KB

Sample: 220521-pepm4aadbp

Score: 10/10

MD5: b52f6306e6c5af7bd87fab6f32a937b9

SHA1: e7043e9907b332b9039eeb4487959d10e05d2dc0

SHA256: cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4

SHA512: 0f5212be7b3294cb4b86e4f884f9b750a056c34ab9d9df040481d2244659ee2c79c084747ed5cf056ae9d4d3d35563b1901dacfbec464a20ea466029916cc9cb

Malware Config

Extracted

Language: ps1

Deobfuscated

URLs (exe.dropper):

http://62.108.35.164/api.php

Targets

Target: cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4 (hashes, size and score as listed under General above)
Signatures

  • Process spawned unexpected child process

    Description: This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

  • Checks computer location settings

    Description: Looks up country code configured in the registry, likely geofence.

    TTPs: Query Registry, System Information Discovery

  • Drops file in System32 directory

Related Tasks

MITRE ATT&CK Matrix

Tactic columns present on the page (no techniques were mapped in the extracted report): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

  • static1: 8/10

  • behavioral1: 10/10

  • behavioral2: 10/10