0f309e63c58d55ab0fee1ef2924cf648690e371ed9ae633742555629b219b785

General
Target

0f309e63c58d55ab0fee1ef2924cf648690e371ed9ae633742555629b219b785

Size

80KB

Sample

220521-pespraadck

Score
10 /10
MD5

2e80453d3d26670dac68562bb0d974a1

SHA1

717232c15b22c6b00c6cfd96466fc365e215cf37

SHA256

0f309e63c58d55ab0fee1ef2924cf648690e371ed9ae633742555629b219b785

SHA512

af203780a73408d44e43d02182ac10a6c17a207909c734d2f37751fd7556e86f985fb2167cf37e8fdea9a987effee1a506ee46a6eec6c5ed5353774054185174

Malware Config

Extracted

Language ps1
Deobfuscated
URLs
exe.dropper

http://62.108.35.164/api.php

Targets
Target

TTP-US-424730721.doc

MD5

b52f6306e6c5af7bd87fab6f32a937b9

Filesize

89KB

Score
10/10
SHA1

e7043e9907b332b9039eeb4487959d10e05d2dc0

SHA256

cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4

SHA512

0f5212be7b3294cb4b86e4f884f9b750a056c34ab9d9df040481d2244659ee2c79c084747ed5cf056ae9d4d3d35563b1901dacfbec464a20ea466029916cc9cb

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Drops file in System32 directory

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Tasks

                      static1

                      8/10

                      behavioral1

                      10/10

                      behavioral2

                      10/10