General

  • Target

    d14ba6bd2f68f07e737d847e85e2be7d51203fe075449d7be9283e72060df87a

  • Size

    181KB

  • Sample

    241113-k6bhbsyglh

  • MD5

    f5b6eedad465b4e329aac3e5b90267c9

  • SHA1

    dc72bd25f900e8a9c71adcd4762c91a026864c5d

  • SHA256

    d14ba6bd2f68f07e737d847e85e2be7d51203fe075449d7be9283e72060df87a

  • SHA512

    0136ee02b95a9ba03ea3b65b29da4810983224988ea9d6d8809518447c30df9f173449b3c955d9617f7f5c83a20b8f7be9d6cb640ddbfae9f2b608a5774970ad

  • SSDEEP

    3072:9NO2y/GdywFyktGDWLS0HZWD5w8K7Nk9rD7IBUdasiv8OP7F:9NO2k4PF7tGiL3HJk9rD7bdasiv86J

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs (exe.dropper)

    http://diwafashions.com/wp-admin/mqau6/
    http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/
    http://dixartcontractors.com/cgi-bin/nnuv/
    http://diaspotv.info/wordpress/G/
    http://easyvisaoverseas.com/cgi-bin/v/

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Drops file in System32 directory
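Detection logic for the indicators and behaviours this report lists, as an added example that is not part of the sandbox report: the five exe.dropper URLs and the sample SHA256 from the sections above are used as IOCs, and the four behavioural signatures (Office parent spawning a script host, PowerShell started with a hidden window, a script host making a network request, a script host writing into System32) are expressed as rules over process, network and file events. The event field names, the Office-parent and script-host process sets, and every sample event are assumptions constructed for the example, not data from the report.

```python
import re
from urllib.parse import urlparse

# IOCs copied from the report above (Malware Config -> exe.dropper URLs, General -> SHA256).
DROPPER_URLS = {
    "http://diwafashions.com/wp-admin/mqau6/",
    "http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/",
    "http://dixartcontractors.com/cgi-bin/nnuv/",
    "http://diaspotv.info/wordpress/G/",
    "http://easyvisaoverseas.com/cgi-bin/v/",
}
DROPPER_HOSTS = {urlparse(u).hostname for u in DROPPER_URLS}
SAMPLE_SHA256 = "d14ba6bd2f68f07e737d847e85e2be7d51203fe075449d7be9283e72060df87a"

# Assumed process sets: the report names the behaviour, not the exact parent/child images.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts prefix-abbreviated parameter names, so -w, -win and -WindowStyle
# all select the same switch; "-w\w*" covers every spelling, "hidden" must follow.
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w\w*\s+hidden\b", re.IGNORECASE)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of every rule a single event matches (empty list if benign)."""
    hits = []
    if event.get("sha256") == SAMPLE_SHA256:
        hits.append("known_sample_hash")
    kind = event["type"]
    if kind == "process_create":
        parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")          # "unexpected child process"
        if image in POWERSHELL and HIDDEN_WINDOW.search(cmd):
            hits.append("powershell_hidden_window")           # "hide display window"
    elif kind == "http_request":
        url = event["url"]
        if url in DROPPER_URLS:
            hits.append("known_dropper_url")
        elif urlparse(url).hostname in DROPPER_HOSTS:
            hits.append("known_dropper_host")                 # same host, new path
        if basename(event["image"]) in SCRIPT_HOSTS:
            hits.append("script_host_network_request")        # "blocklisted process makes network request"
    elif kind == "file_create":
        if SYSTEM32.match(event["path"]) and basename(event["image"]) in SCRIPT_HOSTS:
            hits.append("script_host_writes_system32")        # "drops file in System32"
    return hits


def scan(events):
    """Run every event through the rules; returns (event index, rule name) pairs."""
    return [(i, hit) for i, e in enumerate(events) for hit in evaluate(e)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

# Constructed sample telemetry (not from the report); the -enc payload is a placeholder.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": WORD, "image": PS,
     "cmdline": "powershell -w hidden -enc JABhAGIAYwA="},
    {"type": "http_request", "image": PS, "url": "http://diwafashions.com/wp-admin/mqau6/"},
    {"type": "http_request", "image": PS, "url": "http://dixartcontractors.com/cgi-bin/other/"},
    {"type": "file_create", "image": PS, "path": r"C:\Windows\System32\update.exe"},
    {"type": "file_create", "image": OUTLOOK,
     "path": r"C:\Users\alice\AppData\Local\Temp\attachment.bin", "sha256": SAMPLE_SHA256},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},   # benign admin use: no hits expected
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The host-level match (`known_dropper_host`) is deliberately separate from the exact-URL match: downloader stages of this kind rotate the path on a compromised site far more often than the site itself, so the host list stays useful after the exact URLs go stale. Match on the parsed hostname, not a substring of the URL, so `diaspotv.info` does not also fire on an unrelated `notdiaspotv.info`.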

MITRE ATT&CK Enterprise v15
