General

  • Target

    btrhgymo

  • Size

    254KB

  • Sample

    220419-etf96aehh4

  • MD5

    b28ac13475bfa5af9555ee68b1a1fcd1

  • SHA1

    a027df13a1a3bdbf45640ad1e18a8dd4ba701559

  • SHA256

    2f90590da13be020cab94f6054224224af5d674bb07964796cbb051cef5dde3a

  • SHA512

    db8c5531fa396dd9da9dc82e830e6567c89a6d71a7627d7eaefcedb3760c4b5d842272235b10d560a130f0594ff42dddad20225fe8610aa48dc986642586faf6

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (exe.dropper):

    https://okaseo.com/cache/12zl5o-duttqzih2-31839309/
    https://koddata.com/wp-content/VDgENx/
    https://parentingtopsecrets.com/pts/ys8cwojcvc-k1ks0vpkk9-3619095223/
    http://neproperty.in/cgi-bin/hjjz1r5p-5n7mea41-7609513198/
    https://mcuong.000webhostapp.com/wp-admin/aggrp2crnz-nt74vk3f-91560/

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112) - 1
  • Discovery: Query Registry (T1012) - 2
  • Discovery: System Information Discovery (T1082) - 2
