b536378dd73811960730ca3fd3628ce7376d0f6b3b300a5d34c75bb87c704ef1 | Triage

Submit
Reports

Overview

overview

Static

static

8

payment_in...MG.xls

windows7_x64

payment_in...MG.xls

windows10_x64

Sharing

General

Target

payment_invoice_copy_A86gmDlYqpHVq5d3QIMG.xls
Size

74KB
Sample

211025-rx6qfagcd6
MD5

3f99e2f0043b4446380371be2bf7569b
SHA1

d32cb945505e054cb3118194a5a804c3ee4c0571
SHA256

b536378dd73811960730ca3fd3628ce7376d0f6b3b300a5d34c75bb87c704ef1
SHA512

a52f8657c440e8645337970674013e74b8849ada713cf41e95506da02178e37be43614dbc76c9fedaa34dd3c3b79af42ef16c6dc23f3075a316f98f871e9bd58

Score

10^/10

collection macro macro_on_action

Static task

static1

macro macro_on_action

Behavioral task

behavioral1

Sample

payment_invoice_copy_A86gmDlYqpHVq5d3QIMG.xls

Resource

win7-en-20210920

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

payment_invoice_copy_A86gmDlYqpHVq5d3QIMG.xls

Resource

win10-en-20210920

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://18.159.149.5/nbl/joy/11/A86gmDlYqpHVq5d3QIMG.exe

Targets

- Target
  
  payment_invoice_copy_A86gmDlYqpHVq5d3QIMG.xls
- Size
  
  74KB
- MD5
  
  3f99e2f0043b4446380371be2bf7569b
- SHA1
  
  d32cb945505e054cb3118194a5a804c3ee4c0571
- SHA256
  
  b536378dd73811960730ca3fd3628ce7376d0f6b3b300a5d34c75bb87c704ef1
- SHA512
  
  a52f8657c440e8645337970674013e74b8849ada713cf41e95506da02178e37be43614dbc76c9fedaa34dd3c3b79af42ef16c6dc23f3075a316f98f871e9bd58
Score

10^/10

collection
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

© 2018-2024

Terms | Privacy