Overview

overview

10

Static

static

8

tmpqc6o9hsi.xls

windows7_x64

10

tmpqc6o9hsi.xls

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmpqc6o9hsi

  • Size

    154KB

  • Sample

    220128-dymr3aehgn

  • MD5

    02f2895dac8e2bae5d84dc7b60a0fc46

  • SHA1

    0a0084e237bbe3470718a837d6dccaf5fbd2889e

  • SHA256

    315802408ec0fb7845845436ceb8a6aac4bb344cd4d8f4c33aae47c719b71993

  • SHA512

    9e9ede0a2a996d1dbf3026ba3558101967e74dd7e52a1cdd9e25def0280069bc5228270fbe5838f0dc6b799f507d93af07e059f1a196b9ddbbee9b7e904a3b99

Score
10/10
macroxlm

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://91.240.118.168/qqqw/aaas/se.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://91.240.118.168/qqqw/aaas/se.png

Targets

    • Target

      tmpqc6o9hsi

    • Size

      154KB

    • MD5

      02f2895dac8e2bae5d84dc7b60a0fc46

    • SHA1

      0a0084e237bbe3470718a837d6dccaf5fbd2889e

    • SHA256

      315802408ec0fb7845845436ceb8a6aac4bb344cd4d8f4c33aae47c719b71993

    • SHA512

      9e9ede0a2a996d1dbf3026ba3558101967e74dd7e52a1cdd9e25def0280069bc5228270fbe5838f0dc6b799f507d93af07e059f1a196b9ddbbee9b7e904a3b99

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks