General

  • Target

    siyah_.doc

  • Size

    7.9MB

  • Sample

    201008-zz3jjg4pxn

  • MD5

    81f6232eec40898bd0ba0cc1601a82b3

  • SHA1

    be0c271f83112b07d55582b89a113dc8b3d5097d

  • SHA256

    64aeffe15aece5ae22e99d9fd55657788e71c1c52ceb08e3b16b8475b8655059

  • SHA512

    2a14e7083132d0041963faec181912ef3f441a2ef2b77c2c70eb2b6be3c676a92321253cf254fc502f86373aaf4b8499e04c02380a28e7fcd1dfda7cdea991ad

Targets

    • Target

      siyah_.doc

    • PoetRAT

      PoetRAT is a remote administration tool written in Python.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Executes dropped EXE

    • Suspicious Office macro

      Office document containing 4.0 macros.

    • Loads dropped DLL

    • JavaScript code in executable

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery

    • Query Registry (T1012): 2

    • System Information Discovery (T1082): 2