General

  • Target

    600914387ada982dd415cf1dc9136c5a4e81cf6addf1e84e7611c1eb96b12392

  • Size

    411KB

  • Sample

    241113-khtzrs1qgj

  • MD5

    2286fb23cd749e2f265040740898e6be

  • SHA1

    c31790176d0638ab42d62de77dcfb8e6c12bfd2c

  • SHA256

    600914387ada982dd415cf1dc9136c5a4e81cf6addf1e84e7611c1eb96b12392

  • SHA512

    643d53e5dbb34bdc7c7805c125302f960da3c991e50f43287646f5ab94d161923abcab4a4e5942eb18350f966b771431cb751f0f8f123f751b0b3a36fec3c2e1

  • SSDEEP

    6144:dehvMqAPjxO5roDGWjV5xtuEVi8/dgsqHexnsE5ira0DptvJXC3RnUTcSwRa+Mym:kexsc4aGthXqRSqaPyjOV6FLbZNbhFs

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (type: URL)

    exe.dropper  http://webnatico.com/wp-content/upgrade/0MX2VOYxID/
    exe.dropper  http://www.schoolsolutions.com.do/bats/q48ky59LIY/
    exe.dropper  https://samanuvidhatr.com/wp-includes/jH8xq5/
    exe.dropper  https://starzfoundationtrust.org/lori-toll/37NyS/
    exe.dropper  http://s39134.p938.sites.pressdns.com/mcoc-gltf/Jjctz2J/
    exe.dropper  https://shrinandrajoverseas.com/old/DKrM3rb3YibtEJUVmvS/
    exe.dropper  https://produkgendeng.stormapp.in/wp-admin/HjfAgevd0a/
    exe.dropper  https://tamilyogi.one/wp-includes/o8rvflsmJJE4j/
    exe.dropper  https://ufbr.in/nioh-tlen/Nln4qyUEWTKyPbSb4/
    exe.dropper  https://mariemont.edu.co/wp-admin/i8Lqty/
    exe.dropper  https://pouget-malescours.fr/wp-content/1oyGiKJgrGOQE/
    exe.dropper  http://xn--t60b69m1ey68a22oyvh.com/wp-content/Ie0/
    exe.dropper  http://york-show.ru/Kennedya/nmKdRgc70/
    exe.dropper  https://meusite023.000webhostapp.com/wp-admin/YmtLrDpaiEWD4arPCnb/

Targets

    • Target

      600914387ada982dd415cf1dc9136c5a4e81cf6addf1e84e7611c1eb96b12392

    • Size

      411KB

    • MD5

      2286fb23cd749e2f265040740898e6be

    • SHA1

      c31790176d0638ab42d62de77dcfb8e6c12bfd2c

    • SHA256

      600914387ada982dd415cf1dc9136c5a4e81cf6addf1e84e7611c1eb96b12392

    • SHA512

      643d53e5dbb34bdc7c7805c125302f960da3c991e50f43287646f5ab94d161923abcab4a4e5942eb18350f966b771431cb751f0f8f123f751b0b3a36fec3c2e1

    • SSDEEP

      6144:dehvMqAPjxO5roDGWjV5xtuEVi8/dgsqHexnsE5ira0DptvJXC3RnUTcSwRa+Mym:kexsc4aGthXqRSqaPyjOV6FLbZNbhFs

    Score: 10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke Web Request.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v15

Tasks