General

  • Target

    b05f88b93443f155daea5abd4be0be42b997502dbbfe8098cb6f0dccf8c56657

  • Size

    242KB

  • Sample

    241113-nxx7hszrhx

  • MD5

    811ef2654782202c6135c0b2c3dede5c

  • SHA1

    89a6122c7aa6f5a8edfa816dd4c1addab732f3d9

  • SHA256

    b05f88b93443f155daea5abd4be0be42b997502dbbfe8098cb6f0dccf8c56657

  • SHA512

    0c4f46d4cb2f5dc61f501d487c9f4f27b56b0f09b9333e193e11ec3f4609acb267e40038421644d2147e5b3c8f237e367176dd79249d0cd9c97669f5b18439c4

  • SSDEEP

    6144:/0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+Zj80KY:/0E3dxtR/iU9mvUPZw0KY

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper  http://lehraagrotech.com/wp-content/B/
    exe.dropper  http://emdgames.com/calendar/xos/
    exe.dropper  http://seca.infoavisos.com/wp-seca/f/
    exe.dropper  http://arx163.com/wp-admin/uw4/
    exe.dropper  http://youthplant.org/wp-admin/838/

Targets

    • Target

      b05f88b93443f155daea5abd4be0be42b997502dbbfe8098cb6f0dccf8c56657

    • Size

      242KB

    • MD5

      811ef2654782202c6135c0b2c3dede5c

    • SHA1

      89a6122c7aa6f5a8edfa816dd4c1addab732f3d9

    • SHA256

      b05f88b93443f155daea5abd4be0be42b997502dbbfe8098cb6f0dccf8c56657

    • SHA512

      0c4f46d4cb2f5dc61f501d487c9f4f27b56b0f09b9333e193e11ec3f4609acb267e40038421644d2147e5b3c8f237e367176dd79249d0cd9c97669f5b18439c4

    • SSDEEP

      6144:/0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+Zj80KY:/0E3dxtR/iU9mvUPZw0KY

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks