General

  • Target

    DAT83800393391.doc

  • Size

    168KB

  • Sample

    210121-ghdss9bq6s

  • MD5

    769e4a8122074e95c794adf6500757e1

  • SHA1

    0c8e63e9bf8557734bf9b33c763e9aad22ed95da

  • SHA256

    3a73b83fca4f2414c578ecd54d7327095d0405828cddad0e46b4c988060f7ffe

  • SHA512

    21a4f375fe8ced6263244b9c7d86c7e8afc5e9bd80d29db1820580912a8cb0ba7bbb2d8b6a47eb67bdf2cc72d4bfb5bdf4a968ad8eaed72211158ec52b770d2e

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    http://trainwithconviction.com/wp-admin/y/
    http://trainwithconviction.webdmcsolutions.com/wp-admin/rEEEU/
    https://perrasmoore.ca/wp-admin/rM6HK/
    https://canadabrightway.com/wp-admin/n3/
    https://upinsmokebatonrouge.com/var/Ux1V/
    https://thelambertagency.com/staging/Vo/
    https://stormhansen.com/2556460492/if/

Targets

    • Target

      DAT83800393391.doc

    • Size

      168KB

    • MD5

      769e4a8122074e95c794adf6500757e1

    • SHA1

      0c8e63e9bf8557734bf9b33c763e9aad22ed95da

    • SHA256

      3a73b83fca4f2414c578ecd54d7327095d0405828cddad0e46b4c988060f7ffe

    • SHA512

      21a4f375fe8ced6263244b9c7d86c7e8afc5e9bd80d29db1820580912a8cb0ba7bbb2d8b6a47eb67bdf2cc72d4bfb5bdf4a968ad8eaed72211158ec52b770d2e

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

MITRE ATT&CK Enterprise v6

Tasks