Overview

overview

10

Static

static

8

besked_282...36.doc

windows7_x64

10

besked_282...36.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    besked_2821599 364436.doc

  • Size

    158KB

  • Sample

    210114-gdvrr787js

  • MD5

    d5000b230a8233a3a2accf351349dc61

  • SHA1

    ab2281d43fd61122ef577b24f33b3376823f76f2

  • SHA256

    1be61e9a502a880e31d7732ee6c82c0aaf3bd5ae7e30654f42755e51bda9d2ba

  • SHA512

    f7d76f41a0c2f224e24841f2145e1542846b9d709d4bdc3ed1dfeeded9f734c116d55f2d09665ecb8c12d96dfedf77f8e44a849e4768e1b1b53ae41e68517371

Score
10/10
macroxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://fynart.com/wp-admin/aNuMy/
exe.dropper

http://dermedicoclinic.com/js/NElI8ZC/
exe.dropper

http://geolifesciences.com/font/r/
exe.dropper

http://rollinghood.com/how-to-ifwed/buj6VQx/
exe.dropper

http://jardindhelena.com/wp-content/u20/
exe.dropper

http://kingshowworldshoppingmall.com/cgi-bin/Ga/
exe.dropper

http://davinciworldshoppingmall.com/cgi-bin/Eh/

Targets

    • Target

      besked_2821599 364436.doc

    • Size

      158KB

    • MD5

      d5000b230a8233a3a2accf351349dc61

    • SHA1

      ab2281d43fd61122ef577b24f33b3376823f76f2

    • SHA256

      1be61e9a502a880e31d7732ee6c82c0aaf3bd5ae7e30654f42755e51bda9d2ba

    • SHA512

      f7d76f41a0c2f224e24841f2145e1542846b9d709d4bdc3ed1dfeeded9f734c116d55f2d09665ecb8c12d96dfedf77f8e44a849e4768e1b1b53ae41e68517371

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks