General

  • Target: Inv_9909.doc
  • Size: 168KB
  • Sample: 210121-9ka9pgclsa
  • MD5: 8d51f2980d168881acf1aca6d1c9f047
  • SHA1: 91c1906001a4db13964de40ca50c9881fd8aff72
  • SHA256: 1654619b2532228600711117c58dd4f3b715f1b6973f182865b93bf186fa68c9
  • SHA512: 19a0bc944262abb60c96e0a7db3e50583fb4cb4d16065abe6fa948d44804ecb85a47875b9f65fdfea9e10b239a3b0bb0a6c75a570e1f571b108cf303cbfe4980
  • Score: 10/10

Malware Config

Extracted

Language: ps1
Deobfuscated
URLs (exe.dropper)

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Enterprise v6