Overview

overview

10

Static

static

8

cd580936ca...4.docm

windows7_x64

10

cd580936ca...4.docm

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4

  • Size

    89KB

  • Sample

    220521-pepm4aadbp

  • MD5

    b52f6306e6c5af7bd87fab6f32a937b9

  • SHA1

    e7043e9907b332b9039eeb4487959d10e05d2dc0

  • SHA256

    cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4

  • SHA512

    0f5212be7b3294cb4b86e4f884f9b750a056c34ab9d9df040481d2244659ee2c79c084747ed5cf056ae9d4d3d35563b1901dacfbec464a20ea466029916cc9cb

Score
10/10
macro

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://62.108.35.164/api.php

Targets

    • Target

      cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4

    • Size

      89KB

    • MD5

      b52f6306e6c5af7bd87fab6f32a937b9

    • SHA1

      e7043e9907b332b9039eeb4487959d10e05d2dc0

    • SHA256

      cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4

    • SHA512

      0f5212be7b3294cb4b86e4f884f9b750a056c34ab9d9df040481d2244659ee2c79c084747ed5cf056ae9d4d3d35563b1901dacfbec464a20ea466029916cc9cb

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks