General

  • Target

    56026452a702848eff03a95438026851443790e7be4fa030a2a75a0594421ba1

  • Size

    373KB

  • Sample

    220521-d7p9jscaal

  • MD5

    6e776bb6aa29e1112192d668b85b766c

  • SHA1

    a1ef374282b2cd2f7cd90cd6e2b5aaeada57ce46

  • SHA256

    56026452a702848eff03a95438026851443790e7be4fa030a2a75a0594421ba1

  • SHA512

    70a057a0f13b4b92c0ee1bbe1b9e1c21496b94b9d42ca574c5d142f519877e90e2f128ad36007efacbc7dfc4c2bec48c36abc5b2c08d49094d7693ac2eeebbad

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    http://werfpop.nl/client.exe

Targets

    • Target

      2020_1844777494.doc

    • Size

      380KB

    • MD5

      bbea719b296b81cb70e294246c9d6eae

    • SHA1

      d79c7c9a0ddc7d3c7d90eb90f47783e999bb7ebd

    • SHA256

      99d22eb3d584f502292d847497713c8db10f7aa9d2b08f5f6da8e690be4f7832

    • SHA512

      40d7d306bfc8fad85f82d7f3fe9b5baec403a953178bf8284043afcb136b2356084151ded8f1e5c75aaa480e30a2aad0235adea09fdf4fffb7341d5890c67d17

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Modify Registry, T1112 (1)

Discovery

  • Query Registry, T1012 (3)

  • System Information Discovery, T1082 (4)

Tasks