General

  • Target

    cnewqstk

  • Size

    183KB

  • Sample

    220522-f1tz9sahfl

  • MD5

    13fca40dc4820dc73c751e70130201f7

  • SHA1

    3edaa4017e9f54561bafb3b2e5406e666e271146

  • SHA256

    b9867ead986e6afb8337409a0b509cac26e3d383deb83f38f1cfcde8eaf3ab01

  • SHA512

    fc9ca9a0b1b6ca19f41ae506e85f17b0e05e5dd6b80641e130274e219b02a91aeac7f718db1f4804c81c17e830e1ca67a2f59384d8df5e412ad76c3592c4b23b

Score
10/10

Malware Config

  • Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2
