General

  • Target

    Purchase Order_3_812937_pdf.ppam

  • Size

    42KB

  • Sample

    221003-kd568sfbc8

  • MD5

    38fdfc043596f30da30ffd84a5e8bc3f

  • SHA1

    a0e0c82a7614a2528b84b2d42153f4b52cbe2302

  • SHA256

    14b25b8d5c181fc6aeb59ad3c7170575201070a52c5428ca6c6a57fca295595c

  • SHA512

    139166ad594fcab5ad8be8526eb3d006d0c4a5480e924a86ceb291f2cedfbb3ee962966632fc6d8a23bafb939077158313c0300fb47d2e5b7f200f20518f27b1

  • SSDEEP

    768:JJ/c/lsTsK/n/Okf6R9/i/LIlfKEe89Vva6PdYI4+zMZvJA0FHwZH+T6gXJ1gxPZ:Pkt09fmj7ajsurtPgxP6ZD1/K8Nytsdk

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    107.182.129.168
  • Port:
    21
  • Username:
    ashgdhfg3
  • Password:
    jfghfjgh545

Targets

    • Target

      Purchase Order_3_812937_pdf.ppam

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Drops startup file

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Count  ID
  Execution             Scheduled Task                1      T1053
  Persistence           Scheduled Task                1      T1053
  Privilege Escalation  Scheduled Task                1      T1053
  Defense Evasion       Modify Registry               1      T1112
  Discovery             Query Registry                3      T1012
  Discovery             System Information Discovery  4      T1082
  Discovery             Remote System Discovery       1      T1018
  Collection            Email Collection              1      T1114
