General

  • Target

    5a85fc8a3d5b5f112e887d7e5a2518da1dff49c034363b5bc0c3b7d5b369d090

  • Size

    217KB

  • Sample

    241113-zxtd4ssmem

  • MD5

    af97eef8cd5b30d5ead954548db326a7

  • SHA1

    63eb4293992cc087ed269d91eef0c6d299c68c5d

  • SHA256

    5a85fc8a3d5b5f112e887d7e5a2518da1dff49c034363b5bc0c3b7d5b369d090

  • SHA512

    19ce039ed518fcb9c3aae1691c691051722113eec7499b65bd4338bf32bf1982150101c82b9eb2f0d5c3210a4049397fbe4f12ca93e418ed0e9720bb7f9eb160

  • SSDEEP

    3072:tD2y/GdyEktGDWLS0HZWD5w8K7Nk9wD7IBUmY9a1m1P7Q4hk9Z4o4XJ5C:tD2k4itGiL3HJk9wD7bM4i9uxJ5

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (each tagged exe.dropper)

    exe.dropper  http://theaustinochuks.com/personal_array/kvrmif/
    exe.dropper  http://sarafifallahi.com/wp-admin/uUXtpLhI/
    exe.dropper  http://faustosarli.com/wp-admin/mYZW0/
    exe.dropper  http://janejahan.com/wp-content/hqiw1u9/
    exe.dropper  http://vikstory.ca/h/f2cgRvw/

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks