General

  • Target: TRUE_doc.xls
  • Size: 38KB
  • Sample: 221203-bjgw6abh34
  • MD5: 6b77a4c21a8ef90057c12cd41aa8fa51
  • SHA1: 82d0a47baa5e7a44a28315739a4a517a56ca3942
  • SHA256: c19c1e39b5f614db3380b72dfb98fbe25ef4ed77bf3ac52055a1239a31a42519
  • SHA512: 6c42cb9f7be0df0dc45c2fcb6a335696c7bb05f03a8521c155b50bf32421256155e98df1832d7b26959ab2c3fac2085405d2d06d43fd79d777e527029299c974
  • SSDEEP: 768:glknKpbdrHYrMue8q7QPX+5xtekEd/68/dgALAoW8NFdU5PX+SSL0LHVfDM:gluKpbdrHYrMue8q7QPX+5xtekEdi8/V

Score: 10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated: URLs
  • ps1.dropper: http://78.85.17.88:8912/rev.ps1

Targets

    Score: 10/10

    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    • Blocklisted process makes network request

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion
  • Modify Registry (T1112): 1

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2

Tasks