404b4dc973010fb5414e8c1de1ebc7ca26dad76e3ef8b39f86fdfb358983d5bf | Triage

Submit
Reports

Overview

overview

Static

static

3

NEW PURCHA...GS.pdf

windows10-2004-x64

Sharing

General

Target

NEW PURCHASE ORDER SAMPLES & CATALOGS.pdf
Size

63KB
Sample

220924-rjpj1abda3
MD5

b7dd4fcd5758f3de9c18f6088384e6d2
SHA1

62ba915ed6871a397a35f9c768fac5e7c0578f20
SHA256

404b4dc973010fb5414e8c1de1ebc7ca26dad76e3ef8b39f86fdfb358983d5bf
SHA512

4f333d6090ca505902dd676a7a689829e768b19af28e780bd915f4fe399b2ca59154eb487041489c21f635f9a5788406b03a1fa5ef1eea23f0497d128b405536
SSDEEP

768:4/EZcsdZcsjZcs0ZcsiAAAf/Lu7RP3mbJBnv9Fn6HIGrDtRhikIbb814ckFN7sD:qEXV28AAAf/aBmbfPuJrMkIM1KsD

Score

10^/10

collection link pdf persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

NEW PURCHASE ORDER SAMPLES & CATALOGS.pdf

Resource

win10v2004-20220812-en

collection persistence

windows10-2004-x64

28 signatures

150 seconds

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://www.bndsafety.xyz/p/4.html

Extracted

Credentials

Protocol: ftp
Host:
107.182.129.168
Port:
21
Username:
ncbcnv4
Password:
djfhdffdf

Targets

- Target
  
  NEW PURCHASE ORDER SAMPLES & CATALOGS.pdf
- Size
  
  63KB
- MD5
  
  b7dd4fcd5758f3de9c18f6088384e6d2
- SHA1
  
  62ba915ed6871a397a35f9c768fac5e7c0578f20
- SHA256
  
  404b4dc973010fb5414e8c1de1ebc7ca26dad76e3ef8b39f86fdfb358983d5bf
- SHA512
  
  4f333d6090ca505902dd676a7a689829e768b19af28e780bd915f4fe399b2ca59154eb487041489c21f635f9a5788406b03a1fa5ef1eea23f0497d128b405536
- SSDEEP
  
  768:4/EZcsdZcsjZcs0ZcsiAAAf/Lu7RP3mbJBnv9Fn6HIGrDtRhikIbb814ckFN7sD:qEXV28AAAf/aBmbfPuJrMkIM1KsD
Score

10^/10

collection persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

collectionpersistence

© 2018-2024

Terms | Privacy