b5f5d6de381bb2bd2f5f4520727a307c7f094435fa22fa05b840a3ce5b400c67

General

Target

b5f5d6de381bb2bd2f5f4520727a307c7f094435fa22fa05b840a3ce5b400c67.bin.sample
Size

138KB
Sample

221121-n2sgtsch2t
MD5

430d7c853638524e59abe98c593b2ae5
SHA1

6ed415997a658f5b749dded6347bf970acac2601
SHA256

b5f5d6de381bb2bd2f5f4520727a307c7f094435fa22fa05b840a3ce5b400c67
SHA512

e7100c0e17f4910305077018350c625d815115b09044764d037c98a9b847d48400c8fd7f0fb194617b96ca955f06f5b076e64887c33e89dcac7de08dbb93f40c
SSDEEP

3072:zKehv7q2Pjx45uoDGTj+5xtekEvi8/dg0a3Wm47CdX5gVvhoxzYrasdJXIch1L:Wehv7q2Pjx45uoDGTj+5xtFEvi8/dg0x

Score

10^/10

macro macro_on_action

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://midnightsilvercrafters.com/store/wBjNOUw/

exe.dropper

http://tempral.com/NATE_05_22_2009/BI710N4cQ6R3/

exe.dropper

https://redington.karmatechmediaworks.com/wp-content/3JVuVx7QUM/

exe.dropper

https://uhc.karmatechmediaworks.com/wp-content/0EqfdeznntlOpaIP2Qv/

exe.dropper

https://servilogic.net/b/14hqrdyP0Z3WsbQib8/

exe.dropper

https://comezmuhendislik.com/ljfrmm/VTpHRFWoORAHnRQ3aQL/

exe.dropper

http://webmail.glemedical.com/wp-content/J1M2xxodH/

exe.dropper

http://toto.karmatechmediaworks.com/wp-content/i826vbcVgRJ/

exe.dropper

https://golfpia.karmatechmediaworks.com/wp-content/oEicpDnEkk/

exe.dropper

https://fortiuspharma.com/y6krss/EGm347cqj5/

exe.dropper

https://garyjharris.com/cgi-bin/0hH/

exe.dropper

https://vietnam.karmatechmediaworks.com/wp-content/PfSVQagusZy7AaMw/

exe.dropper

https://vinculinc.karmatechmediaworks.com/wp-content/VlcOPPwgidWlXDJNs6/

Targets

- Target
  
  b5f5d6de381bb2bd2f5f4520727a307c7f094435fa22fa05b840a3ce5b400c67.bin.sample
- Size
  
  138KB
- MD5
  
  430d7c853638524e59abe98c593b2ae5
- SHA1
  
  6ed415997a658f5b749dded6347bf970acac2601
- SHA256
  
  b5f5d6de381bb2bd2f5f4520727a307c7f094435fa22fa05b840a3ce5b400c67
- SHA512
  
  e7100c0e17f4910305077018350c625d815115b09044764d037c98a9b847d48400c8fd7f0fb194617b96ca955f06f5b076e64887c33e89dcac7de08dbb93f40c
- SSDEEP
  
  3072:zKehv7q2Pjx45uoDGTj+5xtekEvi8/dg0a3Wm47CdX5gVvhoxzYrasdJXIch1L:Wehv7q2Pjx45uoDGTj+5xtFEvi8/dg0x
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Checks computer location settings

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2