General

  • Target

    f351b45dca909ae305f9b2c0b4ea93b34a3e0a7ee7af98f541d9ce8e170314d7

  • Size

    121KB

  • Sample

    220521-eskwyscgep

  • MD5

    e7af5171e46dac5391b4e8ef4a8b8a6b

  • SHA1

    42c349b38875bd353ce9f15fc2ccd306c9eb2703

  • SHA256

    f351b45dca909ae305f9b2c0b4ea93b34a3e0a7ee7af98f541d9ce8e170314d7

  • SHA512

    f57a95348d40936db1ea40ca7f36e900565cba8e220cffb4ee11de503c746df71c71e43ac7c81cac727e192574ce6aafcdb96c0a050d29aee586b4d111ca253d

Score
10/10

Malware Config

  • Extracted

    Language: ps1
    Deobfuscated

  • URLs

    exe.dropper: http://37.59.90.90/dard/systen.exe

Targets

    • Target

      cuenta de cobro.docm

    • Size

      146KB

    • MD5

      65176316a898742993c5d97f22c5c3c1

    • SHA1

      bde7f705958036438ccc1f4b2f483324e2d3a61b

    • SHA256

      42ef90cd86cbc255c937743dc9207f7d16b95bc3e178b6bdd5e7299847320f62

    • SHA512

      2f72c44d442fbb8398b2621586388767fbb3333e00758e67f64dcacf2c4a43d361011f5cb02825e04f7f8f44fa200828789b60b231d789458902e227ff29aa41

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Modify Registry (T1112), count: 1

  • Discovery

    Query Registry (T1012), count: 2

    System Information Discovery (T1082), count: 2
