General

  • Target

    c0dda5d3c0ceda244e402296d93e5a34c713622305538e4383f8b46adf295562

  • Size

    200KB

  • Sample

    241120-w6rebs1lft

  • MD5

    f306a88f7c8193ae71abe61cb1717882

  • SHA1

    e2cb9b4767afa27f15407de43ee09cff4b362d0f

  • SHA256

    c0dda5d3c0ceda244e402296d93e5a34c713622305538e4383f8b46adf295562

  • SHA512

    bae2a7015edb9388300573f885b65ddc475504009bf0736012268777dda0da2c3dc88f76f2c6bfcadc9e35a036744b67859e6fd22bf3fb6cfb6ac084b22293e3

  • SSDEEP

    3072:im2y/GdyjktGDWLS0HZWD5w8K7Nk9LD7IBUTlwCDuRdj95ksG:im2k4ztGiL3HJk9LD7bJwC6Rdj95kn

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: http://moisesdavid.com/qoong/vy/
    exe.dropper: http://insurancebabu.com/wp-admin/iXElcu9f/
    exe.dropper: http://rishi99.com/framework.impossible/dhADGeie6/
    exe.dropper: https://www.alertpage.net/confirmation/2nX/
    exe.dropper: https://anttarc.org/chartaxd/DMBuiwf5u/

Targets

    • Target

      c0dda5d3c0ceda244e402296d93e5a34c713622305538e4383f8b46adf295562
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks