4f97d98d387bbc6b8de066ba3f9bdc78e1cde6fdf87b1f76611c9f3d7646345c | Triage

Sharing

Copy URL Twitter E-mail

General

Target

8a6083929086197c95518b8ce0bcabac.bin
Size

2.0MB
Sample

240706-dl53watgjp
MD5

1781533bf692cb50b78419aab4fde4a3
SHA1

b94fc0a1633465110c8f0aa4a7db91be94a41f0a
SHA256

4f97d98d387bbc6b8de066ba3f9bdc78e1cde6fdf87b1f76611c9f3d7646345c
SHA512

d896f05406adb7234e0f84cf1a0290b7dd648d98ae9542cfc5962caf905e5e0090f136eeb24e1124c7c506c6091c07bb011bc922bc2a0ac3950e4e5debb7c9de
SSDEEP

49152:xtZkf1CMe5H1yhpeJ5TdeR5exBJLYrwiQsc/xR+ccEA1v:vafR+1yre7JxBJ8rvDc/eNE2v

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://helpcenter.cyou/help.php?9446

exe.dropper

http://helpcenter.cyou/help.php?9446

Targets

- Target
  
  348afd0b860223c0a3d36e3788c497c90285d21c426b25967a0f955e12874d06.js
- Size
  
  7.3MB
- MD5
  
  8a6083929086197c95518b8ce0bcabac
- SHA1
  
  dbd7daf5830f884dfa4752b65b25bca2ceb5e8c2
- SHA256
  
  348afd0b860223c0a3d36e3788c497c90285d21c426b25967a0f955e12874d06
- SHA512
  
  667ed95353d152fe881c43c0f22e0826f8eb9b99572129a2d202526518bf0b0633ad58d56fc27badf794a66a3b4aaca16db576215b28f1fdfd4c014d45cb34e4
- SSDEEP
  
  49152:47h4zjCxb7qHlp4BOlN0KFhcuscyEMzYsm7++86mn3Ef/Vf7GI0/3qp6RCgScEQH:a
Score

10^/10

execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2