General

  • Target: INF19055690579.doc
  • Size: 169KB
  • Sample: 210121-7k8bz1ecye
  • MD5: 3182a6576e47b1922f12c85c7e19c373
  • SHA1: 9cd78666899d3162925176fadf13310a4199d4a2
  • SHA256: 1ec830f4f660e14c451e6063217184782638b273411691582d92e47291a42278
  • SHA512: a1d0c23dacd72304a0b95a4fbce5aa5105ee468bbb75b65209313222828df709d46b1ce470f71603b0a17fb1786e2e54140854da7d49b13bd3b4a42871f56901

Score
10/10

Malware Config

Extracted

Language: ps1
Deobfuscated
URLs

Targets

    • Target

      INF19055690579.doc

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 hit
  • Discovery: System Information Discovery (T1082), 3 hits
  • Discovery: Query Registry (T1012), 2 hits
