General

  • Target

    759a79d326ec2adba9922e42f8062027af72a6660c7aa57a14af043d513931b8

  • Size

    124KB

  • Sample

    241120-1ac92sykbp

  • MD5

    335fe9fa1a92089b7ef769503667900d

  • SHA1

    aa1744f5e5b91d7f71fbca4cefaf10e50d84c0cd

  • SHA256

    759a79d326ec2adba9922e42f8062027af72a6660c7aa57a14af043d513931b8

  • SHA512

    4786f92c7025589812abc2ab8944c7ef7c05531bb78e99801adb25a9ee7a37b1b7aecb90afe74f571257ad6bb6dec4ecc0c1436a5d23f160abd91e8bb542158e

  • SSDEEP

    3072:FaKgdzSrG8KyIwLx3BhgC1s0rPOWfKNRP:FaKUzSLnLx3P3O0r2WfKN5

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (type: exe.dropper)

    exe.dropper  https://sandiegohomevalues.com/engl/4de-kzsyhu-768611/
    exe.dropper  https://www.wenkawang.com/data/bofze0s-7ji4-15/
    exe.dropper  https://www.bruidsfotograaf-utrecht.com/wp-includes/QLvFLy/
    exe.dropper  http://ma.jopedu.com/img/8z8dl-3xn-655019278/
    exe.dropper  http://pay.jopedu.com/ThinkPHP/l9okcguh6-b9nnrh7-96245524/

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks