General

  • Target: 47edfbe9d61e39a1c4f2f1542e48f2ebac25be5a2939c98dc9bf86150f0abf1f
  • Size: 59KB
  • Sample: 220521-et9xgacghp
  • MD5: 4495407d181c55a114d558a715c57219
  • SHA1: 79add88ebbfb6d262b6b8fa202c672aed97bec8e
  • SHA256: 47edfbe9d61e39a1c4f2f1542e48f2ebac25be5a2939c98dc9bf86150f0abf1f
  • SHA512: 39ed5104618b66a20a14131dab854bbc09d59dbae7d090f587f4d3d0ae5761ada1d9fe320794f8786814b5b1a03fe862f4988100532b7ba331a137100d903e09

Score: 10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (exe.dropper): http://cdn.discordapp.com/attachments/709738084001906749/709738177027637330/Purchase.exe

Targets

  • Target: Payments.docm
  • Size: 83KB
  • MD5: 27cb67322a39cf49a0560f784df67969
  • SHA1: 0750c70072f37062a1079f14a1e4da0f78a5fdfe
  • SHA256: 37c52ac76731fec0a321cae8cd5cf91597de3c90aed254f28fbcb4764e617e23
  • SHA512: 4260a95093659d0beaf40c63a6bfbee4d63b5ec4a69760130cacef4c441c1ebe591111ed964b0ae3d6b508052bde145a8d6893dc1f2eea624bc7bbdecd5a3968

  Score: 10/10

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2
