Overview

overview

10

Static

static

8

Compensati...21.xls

windows7_x64

Compensati...21.xls

windows10_x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CompensationClaim_605614143_03152021.xls

  • Size

    233KB

  • Sample

    210315-hd8sfj8j6s

  • MD5

    40a0ac4f15fbdb21b9301283956afc03

  • SHA1

    5980ff25f008f5500d7f5733a181f77ae88b4a3f

  • SHA256

    1852801558498c3bbc67b028b592ba9444a4e687a7f67737a393ce3f756d8c87

  • SHA512

    8e7a23f4f86b36b2136e15e2692173db960963cdc41a15ddffd3b31c388c478eabfc1d50ba022920923df0d64987a2d812eb5056ccbcd5e1154a951a9fabef6e

Score
10/10
bootkitmacroransomwarexlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://188.127.254.114/44270.7354857639.dat
xlm40.dropper

http://185.82.219.160/44270.7354857639.dat
xlm40.dropper

http://45.140.146.34/44270.7354857639.dat

Targets

    • Target

      CompensationClaim_605614143_03152021.xls

    • Size

      233KB

    • MD5

      40a0ac4f15fbdb21b9301283956afc03

    • SHA1

      5980ff25f008f5500d7f5733a181f77ae88b4a3f

    • SHA256

      1852801558498c3bbc67b028b592ba9444a4e687a7f67737a393ce3f756d8c87

    • SHA512

      8e7a23f4f86b36b2136e15e2692173db960963cdc41a15ddffd3b31c388c478eabfc1d50ba022920923df0d64987a2d812eb5056ccbcd5e1154a951a9fabef6e

    Score
    10/10
    bootkitransomware

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

      ransomwarebootkit
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks