General

  • Target

    bb37e159_by_Libranalysis

  • Size

    15KB

  • Sample

    210505-z93fsc8tcs

  • MD5

    bb37e1592a9611dc521167ac5a2034a2

  • SHA1

    a9a1e60803fcb5a0b68659195ce5d0c15455646b

  • SHA256

    038214d4fc146d3a0b09db57ab584e3cef198a466d82206a03af0ca6aff4ac2e

  • SHA512

    ddfa6ba01694e9a9e7355cb4ce2db69d3aaee908180a1bce066b382c02f5bf938bbd21240df7e0aa505fed64a440d420cecb11736e2855a3fee4589342b31a49

Score
10/10

Malware Config

Extracted

Language: hta
Source: hta.dropper
URLs: http://www.j.mp/jasidjalsdjlijlijasd

Targets

    • Target

      bb37e159_by_Libranalysis

    • Size

      15KB

    • MD5

      bb37e1592a9611dc521167ac5a2034a2

    • SHA1

      a9a1e60803fcb5a0b68659195ce5d0c15455646b

    • SHA256

      038214d4fc146d3a0b09db57ab584e3cef198a466d82206a03af0ca6aff4ac2e

    • SHA512

      ddfa6ba01694e9a9e7355cb4ce2db69d3aaee908180a1bce066b382c02f5bf938bbd21240df7e0aa505fed64a440d420cecb11736e2855a3fee4589342b31a49

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic                Technique                       Count  ID
Execution             Scheduled Task                  1      T1053
Persistence           Scheduled Task                  1      T1053
Privilege Escalation  Scheduled Task                  1      T1053
Defense Evasion       Modify Registry                 2      T1112
Defense Evasion       Install Root Certificate        1      T1130
Discovery             System Information Discovery    3      T1082
Discovery             Query Registry                  2      T1012

Tasks