Overview

overview

10

Static

static

8

TTP-US-424730721.docm

windows7_x64

10

TTP-US-424730721.docm

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0f309e63c58d55ab0fee1ef2924cf648690e371ed9ae633742555629b219b785

  • Size

    80KB

  • Sample

    220521-pespraadck

  • MD5

    2e80453d3d26670dac68562bb0d974a1

  • SHA1

    717232c15b22c6b00c6cfd96466fc365e215cf37

  • SHA256

    0f309e63c58d55ab0fee1ef2924cf648690e371ed9ae633742555629b219b785

  • SHA512

    af203780a73408d44e43d02182ac10a6c17a207909c734d2f37751fd7556e86f985fb2167cf37e8fdea9a987effee1a506ee46a6eec6c5ed5353774054185174

Score
10/10
macro

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://62.108.35.164/api.php

Targets

    • Target

      TTP-US-424730721.doc

    • Size

      89KB

    • MD5

      b52f6306e6c5af7bd87fab6f32a937b9

    • SHA1

      e7043e9907b332b9039eeb4487959d10e05d2dc0

    • SHA256

      cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4

    • SHA512

      0f5212be7b3294cb4b86e4f884f9b750a056c34ab9d9df040481d2244659ee2c79c084747ed5cf056ae9d4d3d35563b1901dacfbec464a20ea466029916cc9cb

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks