General
-
Target
Order 84889-CVE2-52022, pdf.vbs
-
Size
1KB
-
Sample
220926-kaqmdaaaf9
-
MD5
415205ccfc65496a54c3950d8952e746
-
SHA1
f038af8eac0f8f891562fa384581af56095aab88
-
SHA256
cd011dcdaf5457367b5b4abcd73e78f017f207c610a11f26db8841238dca7733
-
SHA512
e8cece44f3e7713d69decb82d048c3a22abad463ffbc21c00ca96aa8a8422c0dafd3c94282a9e88a1b31eefbf9af1ab21678c7bbefcc6c6793d1507996e1afbb
Malware Config
Extracted
https://bitbucket.org/!api/2.0/snippets/tinypro/LM4y7B/d786db1d7d41c23b0f2223f35de36cc93821c732/files/xblessed2.txt
Targets
-
-
Target
Order 84889-CVE2-52022, pdf.vbs
-
Size
1KB
-
MD5
415205ccfc65496a54c3950d8952e746
-
SHA1
f038af8eac0f8f891562fa384581af56095aab88
-
SHA256
cd011dcdaf5457367b5b4abcd73e78f017f207c610a11f26db8841238dca7733
-
SHA512
e8cece44f3e7713d69decb82d048c3a22abad463ffbc21c00ca96aa8a8422c0dafd3c94282a9e88a1b31eefbf9af1ab21678c7bbefcc6c6793d1507996e1afbb
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Registers COM server for autorun
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-