General

  • Target

    Revised Pro-forma.doc

  • Size

    245KB

  • Sample

    200707-jv85lnnd6s

  • MD5

    31355a427ccc38ba77df8c75626e33f7

  • SHA1

    47d42d7885c1f27ebdae079d70a72042c94debe9

  • SHA256

    cfbbe350a3a5b906db87fa22e8a58a1760cfa776e6f1e0149b73a02b799d9b3a

  • SHA512

    917d2f60b8ac0f2f18158e382a8ce66ffbf13ddca867786a2833d1c9f0e54922e9d3db080eec8ec59fbe8d00b0c77095224f34a6347999e2378d6e24284943bf

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper

    httP://198.12.66.110/JCwZyb0zjyDTDj3.exe

Targets

    • Target

      Revised Pro-forma.doc

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks