General

  • Target

    Complaint-Letter-2050692395-03102021.xls

  • Size

    281KB

  • Sample

    210311-fybkx6t54n

  • MD5

    1defa9216b9455154b38c0775991e30f

  • SHA1

    b35e76b7ae9b2aaf253a44c6d3a8500b41458818

  • SHA256

    9c0656e6e8de2c3dc70989d4c563d3f250bc81bb1598cff78e0ec72aa854176a

  • SHA512

    d958e8f5dbc1dee799e08ed8ec331702d2ad289b241fd90b1f7df3b055122af230c611ab4078dbc7bf8bf6f92812a41b2e703a5321027ec84afc86cdf0168d07

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://t.amynx.com/gim.jsp

Extracted

  • Language

    xlm4.0

  • Source

  • URLs

    xlm40.dropper: http://oracledispatch.com/pijxju/44266.5112703704.dat

    xlm40.dropper: http://alvaelectrical.ir/jfvrrvwxrsv/44266.5112703704.dat

    xlm40.dropper: http://www.bekagayrimenkul.com/xtgudsvqubbk/44266.5112703704.dat

    xlm40.dropper: http://civil-group.ir/rvnhdtkyxgu/44266.5112703704.dat

    xlm40.dropper: http://kumarpropack.com/jdvcnedwvpr/44266.5112703704.dat

Targets

    • Target

      Complaint-Letter-2050692395-03102021.xls

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Modifies Windows Firewall

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Modify Existing Service (T1031): 1

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 3

    Query Registry (T1012): 2