General

  • Target

    20899b27a51843830df2084dce88cc97d752a7e2dd1a64ad3238080a145fceaf.zip

  • Size

    7KB

  • Sample

    230308-nes5vafd2s

  • MD5

    876d2e840b9c1935c720e7b2e99f2617

  • SHA1

    6777d0073f5074737086cfb85b09f913f71becd6

  • SHA256

    7824023fb8fd0606c37c13e271456d5eeae5eb834f18f5b8f397c2105812da3f

  • SHA512

    23e5a76d5844996b2d082b94b74614aaac4049f9bf0293e64e918b09a761e8a5597a53151ba25ea72a60a916143d283833221dd9cf10dc43f30123041182f194

  • SSDEEP

    192:ZSGOgM8VZjYvMk2sWyAkKSUKPtDeE/f0PMU9KieF/nfOq1JKe:ZSFgM8/YvZey/KQDeXPMUU5tnj1Ee

Score
10/10

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http://WWWEEEEERWEEWWWE0E090W0DDF0F9S0WEWRWQQQ09EW0QQQQQQQQQQQ09W9WEREWRRRRRRRR090R00R2333RERERZZZZ090ZXXX0XXXXXX00XX@392095676/31.31.31.doc

Targets

    • Target

      20899b27a51843830df2084dce88cc97d752a7e2dd1a64ad3238080a145fceaf.doc

    • Size

      10KB

    • MD5

      f300f686821deba927b954a36cb74874

    • SHA1

      1c076c17f47e2942035fcf63709aa85213c4f83d

    • SHA256

      20899b27a51843830df2084dce88cc97d752a7e2dd1a64ad3238080a145fceaf

    • SHA512

      7ddb21922884a405da9a865953c767eafec3ee2ea60b39de3388319cff15d74f11818e391823a42a38729bf973cb86edaee7fe503e7ed75da8d3cd728bcd0e68

    • SSDEEP

      192:ScIMmtP1aIG/bslPL++uOAl+CVWBXJC0c3De:SPXU/slT+LOAHkZC9q

    Score
    8/10

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1064 Scripting (1)
    T1203 Exploitation for Client Execution (1)

  • Defense Evasion

    T1064 Scripting (1)
    T1112 Modify Registry (1)

  • Discovery

    T1082 System Information Discovery (3)
    T1012 Query Registry (2)
