General

  • Target

    0949319f174a220b4e719715d9d5b20e.bin

  • Size

    390KB

  • Sample

    240725-bcyw4a1eqa

  • MD5

    88f752fc8c776bf17f27033357386598

  • SHA1

    4cbf1a7663435960c6c253220ff9b32a7d491c0b

  • SHA256

    93d24b6111ff29e9e649557f74ff36c80a51d759752bbd27bea5d78afe2c4d6e

  • SHA512

    3fd94d78c8423071b9d657a91b75852b1726463507b6f202a65ae777d882fcbeac8472b0b1f64d85b59b883813c3fc8809f4db71bd48df39e3f2cbfc9c69c78c

  • SSDEEP

    12288:qOHOCl3P+nOmsEgQG7x8bP2p+g6pevhnAZlC0n:RjlYsUGWO+gM8nAyo

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://pastebin.com/raw/pw1Ht9hR

Targets

    • Target

      5fe9554ff8c4a81a2a99ff2a12a6393c0cc1e89e6291751db310913431785077.doc

    • Size

      781KB

    • MD5

      0949319f174a220b4e719715d9d5b20e

    • SHA1

      cdebf579f8f30226872d0b5bbeaeaa81877fe9c8

    • SHA256

      5fe9554ff8c4a81a2a99ff2a12a6393c0cc1e89e6291751db310913431785077

    • SHA512

      9e5f5362ea147aa19ae6ebe74cbf037b2a295343f01cab5b1a44a076954abf3773d77e3fae26e0ebf488b1fde579e2178a75183b6a74a5acb669b4ed503d9632

    • SSDEEP

      6144:rcnOY442OGwG1e3MenWfLds5Gn/RQQDPzuUC3uJXfr2opd91pV0mccMRdWIb8haR:rvCG1PenjQzi5Wyk/yJY0F

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks