General

  • Target: Documents.zip
  • Size: 42KB
  • Sample: 210113-5tdc5vs1d6
  • MD5: 14c12aa55e35368d0edfeded79f4fe53
  • SHA1: 094d56b7d66bdce6de6478182172ec01a6137443
  • SHA256: acae007f33b0f17af13e07ca1087b3c349e3ac14b5ba089889ba8be756abcc66
  • SHA512: f3d96205096986662d91ba2c6b49d2fcc3d469a9bed1f384ecbbfbe69781bfe06065e751a992994f0527f524424377df1f6ff1eaf40d056aac54958ecc80eaa5

Score: 10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated URLs (type / URL):

    exe.dropper  https://globalruraldevelopmentagency.co.za/cgi-bin/inf/
    exe.dropper  https://trioconcuerda.es/cgi-bin/Services/
    exe.dropper  http://abbc.tv/wp-content/Triedit/
    exe.dropper  http://asafina.co/wp-content/G3GLLO/
    exe.dropper  http://bluepassgt.com/von-weise-ludzp/DNNXcQcRTT/
    exe.dropper  http://larissarobles.com/wp-admin/SIGNUP/

Targets

    • Target: Documents.doc
    • Size: 87KB
    • MD5: 1df0b5bc020b7debcd01a3634d2ece0f
    • SHA1: 6969d80789fccc3d66fc37fda2fb674e0bab6b25
    • SHA256: 19b82276e00c7dd94381cb2e5fb6889eeee013a79cf4fb74d2f1cdc40051c718
    • SHA512: b00bac9ef3374cbb8a5864dc810c866ddbd86abe6a55d67c4922f86d28187353153ac1425622ff1f28bcec0d18ffe1e89ddb8e588e2f8739f3a771899745d5a4

    Score: 10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory
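
The two behavioural signatures above ("Process spawned unexpected child process" and "Blocklisted process makes network request") describe a parent/child check and a network check. The script below is an added example, not part of the sandbox report or the sandbox's own signature code: it runs both checks over constructed Sysmon-style process-creation and network-connection events and matches the destination host against the dropper URLs extracted from the sample's PowerShell config. The process-name categories, the event shape and the events themselves are assumptions; only the DROPPER_URLS values come from the report.

```python
# Added example (not the sandbox's signature logic).  Applies the two checks
# behind "Process spawned unexpected child process" and "Blocklisted process
# makes network request" to constructed events, and flags connections to the
# dropper hosts extracted from the sample's ps1 config.
from urllib.parse import urlsplit

# Dropper URLs from the extracted config on this page.
DROPPER_URLS = [
    "https://globalruraldevelopmentagency.co.za/cgi-bin/inf/",
    "https://trioconcuerda.es/cgi-bin/Services/",
    "http://abbc.tv/wp-content/Triedit/",
    "http://asafina.co/wp-content/G3GLLO/",
    "http://bluepassgt.com/von-weise-ludzp/DNNXcQcRTT/",
    "http://larissarobles.com/wp-admin/SIGNUP/",
]

# Assumed process categories: Office parents that should never launch a
# script host, the script hosts themselves, and the processes a sandbox
# typically blocklists from making outbound connections.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
BLOCKLISTED_NET = {"powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed events in a Sysmon-like shape (event ID 1 = process create,
# event ID 3 = network connect).  Not taken from the report.
EVENTS = [
    {"type": "process_create", "pid": 4004,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 4112,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "network_connect", "pid": 4112,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "globalruraldevelopmentagency.co.za", "dest_port": 443},
    {"type": "process_create", "pid": 4200,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "pid": 4300,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.org", "dest_port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dropper_hosts(urls):
    """Hostnames of the extracted dropper URLs, for matching network events."""
    return {urlsplit(u).hostname for u in urls}


def analyse(events, dropper_urls=DROPPER_URLS):
    """Return one tuple per finding, in event order.

    ("unexpected_child", parent, child, pid) when an Office process spawns a
    script host; ("blocklisted_net", image, host, known) when a blocklisted
    process connects out, with known=True if the host is one of the
    extracted dropper hosts.
    """
    known = dropper_hosts(dropper_urls)
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if ev["type"] == "process_create":
            parent = basename(ev["parent_image"])
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                findings.append(("unexpected_child", parent, image, ev["pid"]))
        elif ev["type"] == "network_connect" and image in BLOCKLISTED_NET:
            host = ev["dest_host"].lower()
            findings.append(("blocklisted_net", image, host, host in known))
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

On the constructed events this reports the WINWORD.EXE to powershell.exe spawn and the PowerShell connection to one of the six extracted dropper hosts; the notepad.exe spawn and the browser connection produce nothing. Matching on hostname rather than the full URL is deliberate, since the dropper's path component is often rotated while the compromised host stays the same.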

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                      Count  ID
  Defense Evasion  Modify Registry                1      T1112
  Discovery        Query Registry                 2      T1012
  Discovery        System Information Discovery   2      T1082

Tasks