Resubmissions

  • 14-10-2021 18:15  211014-wvyn9sahbr  10

  • 14-10-2021 17:51  211014-wfggfaahaj  10

  • 14-10-2021 17:48  211014-wdmwfaaag5  10

General

  • Target

    BIlls-8172135.doc

  • Size

    43KB

  • Sample

    211014-wfggfaahaj

  • MD5

    12489be76fc04c1226707d1029f834a8

  • SHA1

    6aedf03afe4e5b7cb220d8541473243a9bd17179

  • SHA256

    ccff267f5824ca8d8480b9050ff631681b3d7a0817241374cfa65fc7a3b58476

  • SHA512

    1a7d7ddbc7f6da7e448ce83af6a3802c8e57bf1da8fe51e494e52c143ebda3759b0fbe044e1ecc394b02e3c7cba803ae2156dc781bb4242402bb8e58e55ee79b

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper
    https://cdn.discordapp.com/attachments/851105085270523917/895674622702399538/Server.txt

Targets

  • Score

    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2
    System Information Discovery (T1082): 2

Tasks