General

  • Target: 36cfa87ba3f5fdf893937365b60189aec1163986a8548d857da356119fd00553
  • Size: 181KB
  • Sample: 241121-ayjhvs1pek
  • MD5: d1dcac0221c9412998c82b5c17b1a4db
  • SHA1: c4e384e51f4fa6652e70d1ffbd5245c4819e714b
  • SHA256: 36cfa87ba3f5fdf893937365b60189aec1163986a8548d857da356119fd00553
  • SHA512: 074c74dd798a133085e309f9d1c8bbb640d9bd5810755f3c59df31b148f8856e06e45dbbb6c3fb1f6cf623d17db8eb12c0f936ea0070bdd03079f6f7709a14ad
  • SSDEEP: 3072:9NO2y/GdywFyktGDWLS0HZWD5w8K7Nk9rD7IBUdasiv8OP7V:9NO2k4PF7tGiL3HJk9rD7bdasiv86Z

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
    • exe.dropper: http://diwafashions.com/wp-admin/mqau6/
    • exe.dropper: http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/
    • exe.dropper: http://dixartcontractors.com/cgi-bin/nnuv/
    • exe.dropper: http://diaspotv.info/wordpress/G/
    • exe.dropper: http://easyvisaoverseas.com/cgi-bin/v/

Targets

    Score: 10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell and hide display window.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks