General

  • Target: bbwsnzse
  • Size: 134KB
  • Sample: 220522-fzpzxsahaq
  • MD5: b239675c09b6095367ded732a1259e93
  • SHA1: 15162071221210983a8bcd5fcf61524edd551f80
  • SHA256: f351e1457d7673a650544a0130b943fc10aba1ee461e398687a2d85fabb79129
  • SHA512: 3418304703b8f5e968310f2d90a22eba15eb454efd64456a4e0a622a188358befc3389acd05e3168b63d21a3775188d0375d2910a1b49117d990f6f3c9db08a0

Score: 10/10

Malware Config

Extracted

Language: ps1
Deobfuscated URLs

Targets

    • Target: bbwsnzse

    Score: 10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion
  • Modify Registry (T1112): 1

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2

Tasks