General

Target: 63c0755410ad88fd4567e6065fe9b0ab50ccc6a523bed1badd00af9e9b584180
Size: 585KB
Sample: 241031-qa7tjsyfpa
MD5: 6ee42d913a6f852a7ce945ab71903499
SHA1: 92a4833d9a4e5e613a53e45b0e6e93f6127b1e73
SHA256: 63c0755410ad88fd4567e6065fe9b0ab50ccc6a523bed1badd00af9e9b584180
SHA512: 24782aea1640e97aade7a543383161724d6ea612cb335808a33c0c77b393ae806862a1bfaef0592205b30b56985a0ffda9a9e36b6c61490610118cb9cce7615d
SSDEEP: 1536:m/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/F/i/i/i/i/i/i/i/i/i/i/i/i/iQ:u3Jg6azbLal3Jg6azbLal3Jg6azbLao
Static task: static1
Behavioral task: behavioral1
  Sample: Ödeme Onayı.vbs
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: Ödeme Onayı.vbs
  Resource: win10v2004-20241007-en
Malware Config

Extracted: https://drive.google.com/uc?export=download&id=
Targets

Target: Ödeme Onayı.vbs (Turkish: "Payment Confirmation")
Size: 585KB
MD5: e8b451ec06c7782196418eb73e4b0731
SHA1: 0b0b23f532f7e6241fabe6eb5cb1e8490b3dd1f4
SHA256: 3e0f0059d28f652c2575514c53d31dbfa1c96bd13d1f3457a22fd0dca5336011
SHA512: a3b40c48836fe2dcb84c3803a1a815039a93b4463e0acbe90372610b64663d40c6642461cfa8931bcb199cb43f842f9552e08b95d7108578847b14cbb7742918
SSDEEP: 1536:l/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/F/i/i/i/i/i/i/i/i/i/i/i/i/iW:j3Jg6azbLal3Jg6azbLal3Jg6azbLaO
Score: 10/10

- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application
- Indicator Removal: File Deletion. Adversaries may delete files left behind by their intrusion activity.
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation. Adversaries may obfuscate content during command execution to impede detection.
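The behaviours above are sandbox signatures raised on runtime telemetry from the script host. Below is an added example, not Triage's rule logic and not taken from this report, of correlating Sysmon-style events from wscript.exe/cscript.exe into the same behaviour names. The event records, PIDs, SID, user name and file names are constructed for the example; drive.google.com is the only hosting domain the report names, so the HOSTING_DOMAINS set is an assumption, and the scoring convention is mine, not Triage's formula.

```python
"""Correlate script-host telemetry with the sandbox behaviours listed above.

Added example; the events are constructed Sysmon-style records, not the
report's trace. Sysmon IDs used: 1 process create, 3 network connection,
11 file create, 13 registry value set, 23 file delete."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf)$", re.I)
# Only drive.google.com appears in the report; the set is an assumption.
HOSTING_DOMAINS = {"drive.google.com"}

# Constructed sample events (made-up PID, SID, paths and file names).
EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\invoice.vbs"'},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "drive.google.com", "DestinationPort": 443},
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"wscript.exe //B C:\Users\user\AppData\Roaming\Updater.vbs"},
    {"EventID": 11, "ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.vbs"},
    {"EventID": 23, "ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\user\Desktop\invoice.vbs"},
    # noise from an unrelated process: same domain, but not a script host
    {"EventID": 3, "ProcessId": 900, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "drive.google.com", "DestinationPort": 443},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_path_from_cmdline(cmdline):
    """Return the script argument of a wscript/cscript command line, if any."""
    for m in re.finditer(r'"([^"]+)"|(\S+)', cmdline):
        token = m.group(1) or m.group(2)
        if SCRIPT_EXT_RE.search(token):
            return token
    return None


def triage(events):
    """Return {signature name: [evidence, ...]} for script-host behaviour."""
    hits = defaultdict(list)
    own_script = {}  # pid -> lower-cased path of the script the host was launched with
    for ev in events:
        if basename(ev["Image"]) not in SCRIPT_HOSTS:
            continue  # firefox.exe talking to drive.google.com is out of scope
        pid, eid = ev["ProcessId"], ev["EventID"]
        if eid == 1:
            path = script_path_from_cmdline(ev["CommandLine"])
            if path:
                own_script[pid] = path.lower()
        elif eid == 3:
            host = ev.get("DestinationHostname", "")
            hits["Blocklisted process makes network request"].append(
                f"{host}:{ev['DestinationPort']}")
            if host.lower() in HOSTING_DOMAINS:
                hits["Legitimate hosting services abused for malware hosting/C2"].append(host)
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            hits["Adds Run key to start application"].append(
                f"{ev['TargetObject']} = {ev['Details']}")
        elif eid == 11 and STARTUP_RE.search(ev["TargetFilename"]):
            hits["Drops startup file"].append(ev["TargetFilename"])
        elif eid == 23 and SCRIPT_EXT_RE.search(ev["TargetFilename"]):
            target = ev["TargetFilename"]
            # deleting the very script the host was started with = self-cleanup
            tag = "self-delete " if target.lower() == own_script.get(pid) else ""
            hits["Indicator Removal: File Deletion"].append(tag + target)
    return dict(hits)


def score(hits):
    """Two points per distinct behaviour, capped at 10 (my convention, not Triage's)."""
    return min(10, 2 * len(hits))


if __name__ == "__main__":
    for name, evidence in triage(EVENTS).items():
        print(f"{name}: {evidence}")
    print("score:", score(triage(EVENTS)))
```

The process filter matters: the same drive.google.com connection from a browser is normal, so the rule keys on the image being a script host and on the host process deleting the script it was launched with, which is what turns a generic "file deleted" into the Indicator Removal signature.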
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (1)
- Obfuscated Files or Information (1)
  - Command Obfuscation (1)
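The "Command Obfuscation" and "Checks computer location settings" signatures above, and the Google Drive URL under Malware Config, are the kind of thing a static pass over the script recovers before it ever runs. The following is an added example, not Triage's extractor and not the content of Ödeme Onayı.vbs: a small evaluator that folds the usual VBS string-building tricks (Chr(), StrReverse(), & concatenation, variable reuse) back into plain text and pulls out URLs, registry paths and a self-delete call. The VBS fragment is constructed to show the behaviour categories; the file id "1abc", the Run value name "Updater", the GeoID compared against and the assumption that the location check reads HKCU\Control Panel\International\Geo\Nation are all mine.

```python
"""Static decode of VBS string obfuscation and indicator extraction.
Added example; VBS_SAMPLE is constructed, not the report's sample."""
import re

VBS_SAMPLE = r'''
Set sh = CreateObject("WScript.Shell")
geo = sh.RegRead("HKCU\Control Panel\International\Geo\Nation")
If geo <> "235" Then WScript.Quit    ' constructed GeoID comparison
base = StrReverse("=di&daolnwod=tropxe?cu/moc.elgoog.evird//:sptth")
url = base & Chr(49) & Chr(97) & Chr(98) & Chr(99)   ' made-up file id "1abc"
runkey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
sh.RegWrite runkey, "wscript.exe //B " & Chr(34) & "C:\Users\Public\Updater.vbs" & Chr(34)
CreateObject("Scripting.FileSystemObject").DeleteFile WScript.ScriptFullName
'''

TOKEN_RE = re.compile(r'\s*(?:("(?:[^"]|"")*")|(\d+)|([A-Za-z_]\w*)|([&(),]))')
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$")
STRING_RE = re.compile(r'"((?:[^"]|"")*)"')
REG_PATH_RE = re.compile(r"^HK(?:CU|LM|U|CR|CC|EY_[A-Z_]+)\\", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+")
OBF_RE = re.compile(r"\b(?:Chr|ChrW|StrReverse|Execute|ExecuteGlobal)\s*\(", re.I)
SELF_DELETE_RE = re.compile(r"\.DeleteFile\s+WScript\.ScriptFullName", re.I)


def strip_comment(line):
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def tokenize(src):
    tokens, pos, src = [], 0, src.strip()
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise ValueError(f"unsupported syntax at {src[pos:]!r}")
        pos = m.end()
        tokens.append(next(g for g in m.groups() if g is not None))
    return tokens


class Parser:
    """expr := term ('&' term)* ; term := "str" | Chr(n) | StrReverse(expr) | variable"""
    def __init__(self, tokens, env):
        self.t, self.i, self.env = tokens, 0, env

    def take(self, expected=None):
        tok = self.t[self.i] if self.i < len(self.t) else None
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self):
        val = self.term()
        while self.i < len(self.t) and self.t[self.i] == "&":
            self.i += 1
            val += self.term()
        return val

    def term(self):
        tok = self.take()
        if tok.startswith('"'):
            return tok[1:-1].replace('""', '"')  # VBS escapes " as ""
        name = tok.lower()
        if name in ("chr", "chrw"):
            self.take("(")
            code = self.take()
            self.take(")")
            return chr(int(code))
        if name == "strreverse":
            self.take("(")
            val = self.expr()
            self.take(")")
            return val[::-1]
        if name in self.env:  # VBS identifiers are case-insensitive
            return self.env[name]
        raise ValueError(f"cannot evaluate {tok!r}")


def decode_expr(src, env=None):
    p = Parser(tokenize(src), env or {})
    val = p.expr()
    if p.i != len(p.t):
        raise ValueError("trailing tokens")
    return val


def analyze(vbs):
    env, reg_paths, obf_calls, self_delete = {}, set(), 0, False
    for raw in vbs.splitlines():
        line = strip_comment(raw).strip()
        obf_calls += len(OBF_RE.findall(line))
        self_delete = self_delete or bool(SELF_DELETE_RE.search(line))
        reg_paths.update(s for s in STRING_RE.findall(line) if REG_PATH_RE.match(s))
        m = ASSIGN_RE.match(line)
        if m:
            try:
                env[m.group(1).lower()] = decode_expr(m.group(2), env)
            except ValueError:
                pass  # RHS is a method call or something this evaluator does not model
    reg_paths.update(v for v in env.values() if REG_PATH_RE.match(v))
    urls = [u for v in env.values() for u in URL_RE.findall(v)]
    urls = [u for u in urls if not any(o != u and o.startswith(u) for o in urls)]  # keep fullest form
    return {
        "urls": urls,
        "geofence": any(p.lower().endswith("\\geo\\nation") for p in reg_paths),
        "run_keys": sorted(p for p in reg_paths if "\\currentversion\\run\\" in p.lower()),
        "self_delete": self_delete,
        "obfuscation_calls": obf_calls,
    }
```

Lines whose right-hand side the evaluator cannot model (object method calls such as sh.RegRead) are skipped rather than failing the run, but their string literals are still harvested, which is how the geofence key is recovered even though the assignment itself is not evaluated.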