General

  • Target

    0d6e79a1ce172fd964c9c98a3bc5a94cb5f901e7253f1c2ce14bf30c34747b2a

  • Size

    178KB

  • Sample

    220630-wb9bnagdb6

  • MD5

    c6715d228fa872203c0d2042f2b8a774

  • SHA1

    2a0e970566a85d06c60bc801493e92803bca9f28

  • SHA256

    0d6e79a1ce172fd964c9c98a3bc5a94cb5f901e7253f1c2ce14bf30c34747b2a

  • SHA512

    19ac3d7a633218803ebb129b194f11b2c5cbd90d9473ee82b2295021eead7b4f9c11eb9c6624d2de8ad94976b467d10faf5d80e1f7d1280a56d27498311f5e99

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    https://ortusbeauty.com/error/tQ_p/
    http://mstreet.com.au/wp-includes/S_bZ/
    http://www.2996316.com/wp-admin/Mh_Q8/
    http://brianmonroney.com/wp-includes/Nb_eL/
    http://dermosaglik.com.tr/store/B_B/

Targets

    • Target

      0d6e79a1ce172fd964c9c98a3bc5a94cb5f901e7253f1c2ce14bf30c34747b2a

    • Size

      178KB

    • MD5

      c6715d228fa872203c0d2042f2b8a774

    • SHA1

      2a0e970566a85d06c60bc801493e92803bca9f28

    • SHA256

      0d6e79a1ce172fd964c9c98a3bc5a94cb5f901e7253f1c2ce14bf30c34747b2a

    • SHA512

      19ac3d7a633218803ebb129b194f11b2c5cbd90d9473ee82b2295021eead7b4f9c11eb9c6624d2de8ad94976b467d10faf5d80e1f7d1280a56d27498311f5e99

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  Tactic             Technique                       Count  ID
  Defense Evasion    Modify Registry                 1      T1112
  Discovery          Query Registry                  2      T1012
  Discovery          System Information Discovery    2      T1082

Tasks