Overview

overview

10

Static

static

8

Mes 53060.doc

windows7_x64

10

Mes 53060.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    E1-20210120-xxxx.zip

  • Size

    83KB

  • Sample

    210120-cxpvkvzryj

  • MD5

    6d0ae70e23c1c9acebe404b0b8b53dd3

  • SHA1

    8501e30709b8cb126bd56d10b247a7dd700db038

  • SHA256

    1c064b17f6fa7744770a9a8465c41bf2f6711bf65b9992763be5f792b756cf0f

  • SHA512

    3a4cae8e5c6bdf6b7a41172cecfde897a983606130ee384484b30c6150157d44b3eae9a704aa21f2b48bda783bb18be0b66ef7400b2690fe3b00cd95979c06cb

Score
10/10
macroxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://avz-pr.com/wp-includes/hJ/
exe.dropper

https://ultimatesoftwarenet.com/wp-content/upB/
exe.dropper

https://sundargarhmirror.com/wp-content/sRu7KK/
exe.dropper

https://cawada.com/wp-content/7SSUz0/
exe.dropper

https://hilmagym.com/alden-s-ylxyau/Rljs3s/
exe.dropper

https://yurdumaku.com/blogs/zQAwwA/
exe.dropper

http://www.surveycanada.xyz/wp-content/0sDDTy/

Targets

    • Target

      Mes 53060.doc

    • Size

      162KB

    • MD5

      5d6e34e6e9d3025d3fbf43075c149965

    • SHA1

      3f38dc61f0d24411753e55f5abb8a3eb3bcd9a6a

    • SHA256

      9811dc518086c80be81829db246a7e7dce042b6630d27f2f8361608e655d7aa9

    • SHA512

      97d4c04ff6a82ca7462caf411e6bdb408d7098884315da2f130a852c16c25a783af1f2a90a10d3689fedcbb576a9a4ae53151eda0e1d581f7eec762a907ab4d9

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks