General

  • Target

    be9059cbe4e01b3f7fc6ad53cbdc4a9172b97e758a81be2a0b2fb133895d285e

  • Size

    181KB

  • Sample

    241113-n4naws1flh

  • MD5

    ecf7ebb01203d373f23cedda79ded3c9

  • SHA1

    d2b7bf48fbee5342ea65ceb16427b947d338368d

  • SHA256

    be9059cbe4e01b3f7fc6ad53cbdc4a9172b97e758a81be2a0b2fb133895d285e

  • SHA512

    e553ed9af531c747c214554ff860a1e7b12f97271823c15fc132f32a8486d264f03b9c65da762f525fb349e3cdfc7137cdeb0593a980f60c18ccd41d2071cf89

  • SSDEEP

    3072:9Nq2y/GdywFyktGDWLS0HZWD5w8K7Nk9rD7IBU5asiv8Ou7v:9Nq2k4PF7tGiL3HJk9rD7b5asiv837

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    http://diwafashions.com/wp-admin/mqau6/
    http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/
    http://dixartcontractors.com/cgi-bin/nnuv/
    http://diaspotv.info/wordpress/G/
    http://easyvisaoverseas.com/cgi-bin/v/

Targets

    • Target

      be9059cbe4e01b3f7fc6ad53cbdc4a9172b97e758a81be2a0b2fb133895d285e

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Drops file in System32 directory
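
    The following is an added example, not part of this sandbox report, that turns the extracted exe.dropper URLs into defanged IOCs, checks them against proxy-log lines, and flags the process and file behaviour behind the three behavioural signatures above (unexpected child process, hidden-window PowerShell, file dropped in System32). The use of Office applications as the compromised parent, the proxy-log layout, the Sysmon-style event fields, the sample events and log lines, and the small allow-list of legitimate System32 writers are all constructed assumptions for illustration.

```python
"""Triage helpers for the indicators on this report. Added example; the
dropper URLs are from the report, everything else here is constructed."""
import shlex
from urllib.parse import urlsplit

# exe.dropper URLs exactly as extracted in the Malware Config section.
DROPPER_URLS = [
    "http://diwafashions.com/wp-admin/mqau6/",
    "http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/",
    "http://dixartcontractors.com/cgi-bin/nnuv/",
    "http://diaspotv.info/wordpress/G/",
    "http://easyvisaoverseas.com/cgi-bin/v/",
]

# Assumption: Office applications as the "compromised parent"; the report only
# says the parent was typically exploited or ran a macro.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
# Assumption: processes allowed to write into System32 without a finding.
SYSTEM32_WRITERS = {"msiexec.exe", "tiworker.exe", "trustedinstaller.exe"}


def defang(url):
    """hxxp:// and bracketed dots so the IOC cannot be clicked or auto-linked."""
    scheme, rest = url.split("://", 1)
    return scheme.replace("http", "hxxp") + "://" + rest.replace(".", "[.]")


def dropper_hosts(urls=DROPPER_URLS):
    """Hostnames only: the dropper walks its URL list, and paths are often
    truncated or rewritten in proxy logs, so host matching is more robust."""
    return {urlsplit(u).hostname.lower() for u in urls}


def proxy_hits(log_lines, urls=DROPPER_URLS):
    """(line_no, host) for every proxy line whose destination is a dropper
    host. Assumed layout: 'timestamp client method url status' (constructed)."""
    hosts = dropper_hosts(urls)
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[3]).hostname
        if host and host.lower() in hosts:
            hits.append((n, host.lower()))
    return hits


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hidden_window(cmdline):
    """True if powershell.exe was told to hide its window. powershell.exe
    accepts any unambiguous prefix of -WindowStyle (-w, -win, ...) and of the
    value Hidden (h, hid, ...), so compare by prefix, not exact string."""
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quotes: fall back to whitespace
        toks = cmdline.split()
    for i in range(len(toks) - 1):
        flag, val = toks[i].lstrip("-/").lower(), toks[i + 1].lower()
        if toks[i][:1] in "-/" and flag and "windowstyle".startswith(flag) \
                and val and "hidden".startswith(val):
            return True
    return False


def triage_events(events):
    """Map constructed Sysmon-style events (ID 1 process create, ID 11 file
    create) to the report's signatures. Returns (event_index, rule) tuples."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
            if parent in OFFICE_PARENTS and child in INTERPRETERS:
                findings.append((i, "unexpected_child_process"))
            if child in {"powershell.exe", "pwsh.exe"} and hidden_window(ev["cmdline"]):
                findings.append((i, "powershell_hidden_window"))  # T1059.001
        elif ev["type"] == "file_create":
            if ev["target"].lower().startswith(SYSTEM32) \
                    and _basename(ev["image"]) not in SYSTEM32_WRITERS:
                findings.append((i, "drops_file_in_system32"))
    return findings


PROXY_LOG = [  # constructed sample lines
    "2024-11-13T10:02:11Z 10.0.0.12 GET http://www.example.com/ 200",
    "2024-11-13T10:02:14Z 10.0.0.12 GET http://diwafashions.com/wp-admin/mqau6/ 404",
    "2024-11-13T10:02:15Z 10.0.0.12 GET http://diaspotv.info/wordpress/G/ 200",
]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed sample events
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": PS, "cmdline": 'powershell -w hidden -nop -c "Start-Sleep 1"'},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\run.ps1"},
    {"type": "file_create", "image": PS, "target": r"C:\Windows\System32\dropped.exe"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    print("\n".join(defang(u) for u in DROPPER_URLS))
    print(proxy_hits(PROXY_LOG))
    print(triage_events(EVENTS))
```

Host-only matching deliberately trades a few false positives for coverage of the dropper's whole URL list, since the sample tries each URL in turn and the first successful download is the one that matters; the prefix comparison in hidden_window covers the abbreviated `-w hidden` form that sandbox reports commonly show.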

MITRE ATT&CK Enterprise v15