Overview

overview

10

Static

static

3

NEW PURCHA...GS.pdf

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEW PURCHASE ORDER SAMPLES CATALOGS.pdf.zip

  • Size

    34KB

  • Sample

    220923-a96grsgfap

  • MD5

    50c24570103908476e38d7ef662ba9ab

  • SHA1

    15f905abb7112a148a93c56b94d30328d03fc72a

  • SHA256

    72b11627c5e2d104563eb6873c00cd3bb1be8ab3b81aefa59cdb1f8bc37f66f1

  • SHA512

    8b3e892543b36f4df946b8f647eb904eb2545de5116561b368313fe1ff8ea9e40aeae670c91fe4c134582023a4acdaaf76d923a1040b6dc4d52886514f6833a8

  • SSDEEP

    768:oxaXPf8MUFKCyMq+Ehsi2YC5QTKpOYi/GDXLLazxkdi1kfymEwcs:oxa/QKCy+EFC+TKB2GDXLmKdf9H1

Score
10/10
collectionlinkpdfpersistence

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://www.bndsafety.xyz/p/4.html

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    107.182.129.168
  • Port:
    21
  • Username:
    ncbcnv4
  • Password:
    djfhdffdf

Targets

    • Target

      NEW PURCHASE ORDER SAMPLES CATALOGS.pdf

    • Size

      63KB

    • MD5

      b7dd4fcd5758f3de9c18f6088384e6d2

    • SHA1

      62ba915ed6871a397a35f9c768fac5e7c0578f20

    • SHA256

      404b4dc973010fb5414e8c1de1ebc7ca26dad76e3ef8b39f86fdfb358983d5bf

    • SHA512

      4f333d6090ca505902dd676a7a689829e768b19af28e780bd915f4fe399b2ca59154eb487041489c21f635f9a5788406b03a1fa5ef1eea23f0497d128b405536

    • SSDEEP

      768:4/EZcsdZcsjZcs0ZcsiAAAf/Lu7RP3mbJBnv9Fn6HIGrDtRhikIbb814ckFN7sD:qEXV28AAAf/aBmbfPuJrMkIM1KsD

    Score
    10/10
    collectionpersistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks