Documents.zip

General
Target: Documents.zip
Size: 42KB
Sample: 210113-5tdc5vs1d6
Score: 10/10
MD5: 14c12aa55e35368d0edfeded79f4fe53
SHA1: 094d56b7d66bdce6de6478182172ec01a6137443
SHA256: acae007f33b0f17af13e07ca1087b3c349e3ac14b5ba089889ba8be756abcc66
SHA512: f3d96205096986662d91ba2c6b49d2fcc3d469a9bed1f384ecbbfbe69781bfe06065e751a992994f0527f524424377df1f6ff1eaf40d056aac54958ecc80eaa5

Malware Config

Extracted

Language: ps1

Deobfuscated URLs (each tagged exe.dropper):

  exe.dropper  https://globalruraldevelopmentagency.co.za/cgi-bin/inf/
  exe.dropper  https://trioconcuerda.es/cgi-bin/Services/
  exe.dropper  http://abbc.tv/wp-content/Triedit/
  exe.dropper  http://asafina.co/wp-content/G3GLLO/
  exe.dropper  http://bluepassgt.com/von-weise-ludzp/DNNXcQcRTT/
  exe.dropper  http://larissarobles.com/wp-admin/SIGNUP/

Targets
Target: Documents.doc
Filesize: 87KB
Score: 10/10
MD5: 1df0b5bc020b7debcd01a3634d2ece0f
SHA1: 6969d80789fccc3d66fc37fda2fb674e0bab6b25
SHA256: 19b82276e00c7dd94381cb2e5fb6889eeee013a79cf4fb74d2f1cdc40051c718
SHA512: b00bac9ef3374cbb8a5864dc810c866ddbd86abe6a55d67c4922f86d28187353153ac1425622ff1f28bcec0d18ffe1e89ddb8e588e2f8739f3a771899745d5a4

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

  • Loads dropped DLL

  • Drops file in System32 directory
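The extracted configuration above is the dropper's URL list, and the signatures are the behaviour the sandbox observed once the document ran it. The following is an added example, written by the editor and not part of the Triage report or of the sample itself: it normalises the six reported dropper URLs into defanged IOCs and a hostname blocklist, then replays the four reported signatures over constructed Sysmon-style events. The Office parent and script-host process names, the event field layout, the sample events and the dropped DLL name are assumptions; the report names only Documents.doc and a ps1 dropper.

```python
"""Added example, not part of the Triage report or the sample: normalise the
report's extracted dropper URLs into defanged IOCs and replay the report's
behavioural signatures over constructed Sysmon-style events.
Process names, event shapes and the sample events are assumptions."""
import ntpath
from urllib.parse import urlsplit

# The six exe.dropper URLs from the report's "Malware Config" section.
DROPPER_URLS = [
    "https://globalruraldevelopmentagency.co.za/cgi-bin/inf/",
    "https://trioconcuerda.es/cgi-bin/Services/",
    "http://abbc.tv/wp-content/Triedit/",
    "http://asafina.co/wp-content/G3GLLO/",
    "http://bluepassgt.com/von-weise-ludzp/DNNXcQcRTT/",
    "http://larissarobles.com/wp-admin/SIGNUP/",
]

# Assumed process roles: the report names Documents.doc and a ps1 dropper,
# not the exact images, so these sets are the editor's choice.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def defang(url):
    """hxxp://host[.]tld/path form so the dropper URLs can be shared safely."""
    p = urlsplit(url)
    return f"{p.scheme.replace('http', 'hxxp')}://{p.hostname.replace('.', '[.]')}{p.path}"


def dropper_hosts(urls=DROPPER_URLS):
    """Sorted, de-duplicated hostnames to feed a DNS or proxy blocklist."""
    return sorted({urlsplit(u).hostname for u in urls})


def image_name(path):
    """Lower-cased basename of a Windows image path (ntpath splits on backslashes on any OS)."""
    return ntpath.basename(path).lower()


def triage(events, blocked_hosts):
    """Replay the report's four signatures over Sysmon-style events: EID 1 process
    create, EID 3/22 network connect / DNS query, EID 11 file create, EID 7 image
    load. Returns (signature, image, detail) tuples in event order."""
    hits, dropped = [], set()
    for e in events:
        img = image_name(e["image"])
        if e["event_id"] == 1:
            parent = image_name(e["parent_image"])
            if parent in OFFICE_PARENTS and img in SCRIPT_HOSTS:
                hits.append(("unexpected_child", parent, img))
        elif e["event_id"] in (3, 22):
            host = e["dest_host"].lower()
            if img in SCRIPT_HOSTS and host in blocked_hosts:
                hits.append(("blocklisted_network", img, host))
        elif e["event_id"] == 11:
            target = e["target_filename"].lower()
            if img in SCRIPT_HOSTS:
                dropped.add(target)  # remember every file the script host wrote
                if target.startswith(SYSTEM32):
                    hits.append(("drops_in_system32", img, e["target_filename"]))
        elif e["event_id"] == 7:
            if e["image_loaded"].lower() in dropped:  # any process loading a dropped file
                hits.append(("loads_dropped_dll", img, e["image_loaded"]))
    return hits


# Constructed sample events (not from the report); the DLL name is hypothetical.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
DLL = "C:\\Windows\\System32\\example_dropped.dll"

SAMPLE_EVENTS = [
    {"event_id": 1, "image": PS, "parent_image": WORD},                      # hit
    {"event_id": 1, "image": CHROME, "parent_image": "C:\\Windows\\explorer.exe"},
    {"event_id": 22, "image": PS, "dest_host": "trioconcuerda.es"},         # hit
    {"event_id": 22, "image": CHROME, "dest_host": "abbc.tv"},              # not a script host
    {"event_id": 11, "image": PS, "target_filename": DLL},                  # hit
    {"event_id": 7, "image": "C:\\Windows\\System32\\rundll32.exe", "image_loaded": DLL},  # hit
]

if __name__ == "__main__":
    for u in DROPPER_URLS:
        print(defang(u))
    for h in triage(SAMPLE_EVENTS, set(dropper_hosts())):
        print(h)
```

The DNS event for chrome.exe resolving one of the dropper hosts is deliberately not flagged: the report's signature is "Blocklisted process makes network request", so the rule keys on the script host, and a browser hitting the same host would be a separate, host-based block. The dropped-file set is what ties "Drops file in System32 directory" to "Loads dropped DLL" without needing a hash of the payload.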

Related Tasks

MITRE ATT&CK Matrix (tactic columns as shown): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

  static1       8/10
  behavioral1   10/10
  behavioral2   10/10