Overview

overview

10

Static

static

8

1aca62502e...6a.doc

windows7_x64

10

1aca62502e...6a.doc

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a

  • Size

    40KB

  • Sample

    220520-2m2c3safhj

  • MD5

    9b7212f54d8460d8144f65d1f644bb13

  • SHA1

    3c2eaba89eab872ee549f22f08fdb83e0a34ad99

  • SHA256

    1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a

  • SHA512

    a5db7be20fdde31a2f329ce27c60036516cf7e13418bb30a4c66a872d12061b74438dbad25ce461e0424a0eb412035e8001a61624f40d46c29ac69ec4cd2d595

Score
10/10
macromacro_on_action

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/scriptsample/mal/master/cs-test.ps1

Targets

    • Target

      1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a

    • Size

      40KB

    • MD5

      9b7212f54d8460d8144f65d1f644bb13

    • SHA1

      3c2eaba89eab872ee549f22f08fdb83e0a34ad99

    • SHA256

      1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a

    • SHA512

      a5db7be20fdde31a2f329ce27c60036516cf7e13418bb30a4c66a872d12061b74438dbad25ce461e0424a0eb412035e8001a61624f40d46c29ac69ec4cd2d595

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks