General

  • Target

    1b6a63e174d1201ac9d6957c033328f45753ffcb7e1894f82f8b9e5f8a0807e1

  • Size

    178KB

  • Sample

    241113-kdkwas1qaq

  • MD5

    5027a6da7ee95a4edf7763f1d6781012

  • SHA1

    f6dfd3e621b0082c39cea56e53b50d183edbcd6c

  • SHA256

    1b6a63e174d1201ac9d6957c033328f45753ffcb7e1894f82f8b9e5f8a0807e1

  • SHA512

    127cef71952698dba0144cade0e729ad6d3619fe8d43fd010e4a24baa8084aa68673bb5a2ffdf2483e1c7e1e628ef1e886e2c9f70bc9b23e5bd7eff0d86c61ea

  • SSDEEP

    3072:Z62y/GdyDktGDWLS0HZWD5w8K7Nk9+D7IBUpQdY/R9LGv:Z62k4TtGiL3HJk9+D7bpuOLLm

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: http://trendinformatica.eu/arcfabrics/i88ixy9/

    exe.dropper: http://theomelet.com/wp-content/fQd/

    exe.dropper: http://kgd898.com/wp-admin/h45mi/

    exe.dropper: http://idealssschang.com/calendar/60PcB/

    exe.dropper: http://happiness360degree.com/wp-admin/fj/

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks