Overview

overview

10

Static

static

invoice_4_...f.ppam

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    invoice_4_812937_pdf.ppam

  • Size

    40KB

  • Sample

    220924-rv76gscgdj

  • MD5

    fd8bb8ce0dfc0d9f8073812211673d99

  • SHA1

    8e6d62db5005939bc45b0b4a6281e5f8d60ddb01

  • SHA256

    0a78f630b03cdcafaf8a056986ad208651d72ea1365a75f1c53202292b48dfc1

  • SHA512

    73a48176585c3e402278c6f3d341b06d2ff5fd584004c4763edc8ef989c0d547cbb445ccd90002c731b8602a7e7ab690aa29b96ebcc41b753612b4fab10aa7fa

  • SSDEEP

    768:eARJ/c/lsTsK/n/Okf6R9/i/L2pdAVQuLPdYIhjtzCNKJAlFCgwZHyTZigXJ1OdK:eAXkt09fmj7ajvZqvzPY1/K8NytsdqCo

Score
10/10
collection

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://www.bndsafety.xyz/p/4.html

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    107.182.129.168
  • Port:
    21
  • Username:
    ncbcnv4
  • Password:
    djfhdffdf

Targets

    • Target

      invoice_4_812937_pdf.ppam

    • Size

      40KB

    • MD5

      fd8bb8ce0dfc0d9f8073812211673d99

    • SHA1

      8e6d62db5005939bc45b0b4a6281e5f8d60ddb01

    • SHA256

      0a78f630b03cdcafaf8a056986ad208651d72ea1365a75f1c53202292b48dfc1

    • SHA512

      73a48176585c3e402278c6f3d341b06d2ff5fd584004c4763edc8ef989c0d547cbb445ccd90002c731b8602a7e7ab690aa29b96ebcc41b753612b4fab10aa7fa

    • SSDEEP

      768:eARJ/c/lsTsK/n/Okf6R9/i/L2pdAVQuLPdYIhjtzCNKJAlFCgwZHyTZigXJ1OdK:eAXkt09fmj7ajvZqvzPY1/K8NytsdqCo

    Score
    10/10
    collection

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks