General

  • Target

    838cc5dce62c8aa40087fa0cfa2767770628a0e3dac934a462d71376f5536852.ppa

  • Size

    88KB

  • Sample

    220809-f4sxdafch7

  • MD5

    ffa581d9569249786a74858e8ee3d699

  • SHA1

    6893957407389085b60df7b50130398dca181b51

  • SHA256

    838cc5dce62c8aa40087fa0cfa2767770628a0e3dac934a462d71376f5536852

  • SHA512

    fd00b5c3e70d51ac994253942881dcffd16959906f9bbb05eaeb1285b0192dc7c18bf39affd7b33dbf7c10de61a42ec1f5dc28a4832eb3b3c6723d967aea1420

Score
10/10

Malware Config

Extracted

  • Language

    hta

  • Source

  • URLs

    hta.dropper
    http://bitbucket.org/!api/2.0/snippets/warzonepro/7kL497/72a0310075eb4b3caa2f30613ac56ca38d79802f/files/johnmain

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper
    https://bitbucket.org/!api/2.0/snippets/warzonepro/RkqRXy/2c2062aec1b9f4518f8e5a248239e1983f01fdbd/files/john.txt

Targets

    • Target

      838cc5dce62c8aa40087fa0cfa2767770628a0e3dac934a462d71376f5536852.ppa

    • Size

      88KB

    • MD5

      ffa581d9569249786a74858e8ee3d699

    • SHA1

      6893957407389085b60df7b50130398dca181b51

    • SHA256

      838cc5dce62c8aa40087fa0cfa2767770628a0e3dac934a462d71376f5536852

    • SHA512

      fd00b5c3e70d51ac994253942881dcffd16959906f9bbb05eaeb1285b0192dc7c18bf39affd7b33dbf7c10de61a42ec1f5dc28a4832eb3b3c6723d967aea1420

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2
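
As an added example, not part of the sandbox report and not the sample's own code, the following Python turns the two dropper URLs from the extracted HTA and PS1 configs above into indicators and runs a minimal detection over constructed process and network events that mirror the three signatures listed for this target. The Bitbucket snippet API path layout (workspace / snippet id / commit / files / filename) is read off the URLs themselves. Everything else is an assumption for the example rather than a fact the report states: that the add-in runs under POWERPNT.EXE (a .ppa file is a PowerPoint add-in), that the HTA and PowerShell stages run in mshta.exe and powershell.exe, and the contents of the blocklist and code-hosting host list. The sample events are constructed, not taken from the report's task log.

```python
"""Added example, not part of the sandbox report: indicator extraction from the
report's two dropper URLs plus a minimal detection over constructed events."""
from dataclasses import dataclass
from urllib.parse import urlparse

# The two URLs taken from the report's extracted HTA and PS1 configs.
DROPPER_URLS = [
    "http://bitbucket.org/!api/2.0/snippets/warzonepro/7kL497/"
    "72a0310075eb4b3caa2f30613ac56ca38d79802f/files/johnmain",
    "https://bitbucket.org/!api/2.0/snippets/warzonepro/RkqRXy/"
    "2c2062aec1b9f4518f8e5a248239e1983f01fdbd/files/john.txt",
]

# Assumptions for the example (not stated in the report): the add-in runs in
# PowerPoint, the staged scripts run in the usual Windows script hosts, and
# those hosts are the "blocklisted" processes for outbound requests.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
CODE_HOSTING = {"bitbucket.org", "api.bitbucket.org", "github.com",
                "raw.githubusercontent.com", "gist.githubusercontent.com"}


def parse_snippet_url(url):
    """Split a Bitbucket snippet API URL into its identifying parts.

    Path layout seen in the report's URLs:
      /!api/2.0/snippets/<workspace>/<snippet>/<commit>/files/<filename>
    """
    p = urlparse(url)
    parts = p.path.split("/")
    if (len(parts) != 9 or parts[1] != "!api" or parts[3] != "snippets"
            or parts[7] != "files"):
        raise ValueError(f"not a Bitbucket snippet API URL: {url}")
    return {"host": (p.hostname or "").lower(), "workspace": parts[4],
            "snippet": parts[5], "commit": parts[6], "file": parts[8]}


@dataclass
class Event:
    kind: str          # "process" (creation) or "network" (HTTP request)
    image: str         # image name of the acting process
    parent: str = ""   # parent image, for process events
    url: str = ""      # requested URL, for network events


def detect(events, known_snippets):
    """Return (signature, process, detail) tuples mirroring the report's
    signatures: unexpected child of an Office process, blocklisted process
    making a network request, legitimate hosting service abused, plus a
    hit on the specific snippets extracted from this sample."""
    findings = []
    for e in events:
        image = e.image.lower()
        if e.kind == "process":
            if e.parent.lower() in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                findings.append(("unexpected_child", e.parent, e.image))
        elif e.kind == "network" and image in SCRIPT_HOSTS:
            host = (urlparse(e.url).hostname or "").lower()
            findings.append(("blocklisted_net", e.image, host))
            if host in CODE_HOSTING:
                findings.append(("legit_hosting_abuse", e.image, host))
            try:
                s = parse_snippet_url(e.url)
            except ValueError:
                continue  # some other URL on a code-hosting site
            if (s["workspace"], s["snippet"]) in known_snippets:
                findings.append(("known_dropper", e.image, s["snippet"]))
    return findings


# Constructed events for the example; they are not the report's task log.
SAMPLE_EVENTS = [
    Event("process", "mshta.exe", parent="POWERPNT.EXE"),
    Event("network", "mshta.exe", url=DROPPER_URLS[0]),
    Event("process", "powershell.exe", parent="mshta.exe"),
    Event("network", "powershell.exe", url=DROPPER_URLS[1]),
    Event("process", "notepad.exe", parent="explorer.exe"),
    Event("network", "chrome.exe", url="https://bitbucket.org/"),  # benign
]


def run_example():
    """Build the snippet indicator set from the report's URLs and scan."""
    known = {(s["workspace"], s["snippet"])
             for s in map(parse_snippet_url, DROPPER_URLS)}
    return detect(SAMPLE_EVENTS, known)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The indicator set is keyed on workspace and snippet id rather than the full URL: the commit hash in the path changes every time the snippet is edited, so a full-URL match would go stale as soon as the operator updates the payload, while a host-only match on bitbucket.org would fire on ordinary developer traffic.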

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     ID     Count
  Execution             Scheduled Task                T1053  1
  Persistence           Scheduled Task                T1053  1
  Privilege Escalation  Scheduled Task                T1053  1
  Defense Evasion       Modify Registry               T1112  2
  Defense Evasion       Install Root Certificate      T1130  1
  Discovery             System Information Discovery  T1082  3
  Discovery             Query Registry                T1012  2
  Command and Control   Web Service                   T1102  1
