5a5b7c3bda80944f90724322b9fbb2c44b180c790c09192c5007ab9e1410c95c | Triage

Sharing

General

Target

5a5b7c3bda80944f90724322b9fbb2c44b180c790c09192c5007ab9e1410c95c.zip
Size

691B
Sample

250326-dmt21azmt9
MD5

c215fe7b715023c7c2f1252638b8e7ca
SHA1

97fdc549b46c090b5bfb456d210f2c1aedea79a0
SHA256

5a5b7c3bda80944f90724322b9fbb2c44b180c790c09192c5007ab9e1410c95c
SHA512

81c570bdb6dc4bee28173db8809d65330bb955f350abc2ee89810a05632e298ecb07d652915e52317c0b305353eb52887bb9fc63a5e1897c283b5765287c84ff

Score

10^/10

dropper execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://217.8.117.63/wtava.exe

Targets

- Target
  
  94fefbae1f1c369c6fcc718d0ea40828b98f55b18c8b4fa68915ceef2d725707.js
- Size
  
  720B
- MD5
  
  ae846ea82b1d91f86790be6f0ebcf771
- SHA1
  
  2ac8c84cd73cddc5f56573ef431b9eda914bc63b
- SHA256
  
  94fefbae1f1c369c6fcc718d0ea40828b98f55b18c8b4fa68915ceef2d725707
- SHA512
  
  ed9718786972eccc49d8e8f7294a6bedaa026662d637c9016fdd64cf4106b72772d61f08274c15a6da7583bb38035c470eeac3f77ac3cb94185c4aa70430734e
Score

10^/10

dropper execution
- Blocklisted process makes network request
- Download via BitsAdmin
  dropper
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

BITS Jobs

Privilege Escalation

Defense Evasion

BITS Jobs

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

dropperexecution

behavioral2

dropperexecution