Resubmissions

29/08/2023, 12:14

230829-pellfafd41 10

28/08/2023, 06:52

230828-hneqxsaf5t 10

28/08/2023, 01:20

230828-bp4ywaed58 10

General

  • Target: Document_45.zip
  • Size: 1KB
  • Sample: 230829-pellfafd41
  • MD5: 846c0d4a4a5f2774a69bbf6988dfdcd8
  • SHA1: d49d4b92cc000bc7f1c9ac99267cb8065e72ba57
  • SHA256: c8617f2c6432c96c35b9142798530695511d45a1fb780f33b122542ee9dc3e8a
  • SHA512: 4440bd36d8af55aaf05dcfe08727bf444a7da3e1d27770cd66329aaeb912173e093d9ce068232c06a2bf5dc71e70b62aef16980571d1c8146c00183a31592448

Score: 10/10

Malware Config

Extracted
  • Language: ps1
  • Deobfuscated
  • URLs (exe.dropper): http://twizt.net/s.exe

Targets

    • Target: Document_45/Document_45.doc.lnk
    • Size: 1KB
    • MD5: c7eb920f5717b5911ca1565067a5a314
    • SHA1: aad1960e04ce48f707fe297e17eeb0cbe2ddbb83
    • SHA256: b3dac534d0ce19efdf1aa37718283318e94a82446b3fad721076bb63f427eee3
    • SHA512: 5baab10dfe542581f4ec2e38fd5481c2d6d69192c6775de5e2326e73b3547d46a61608fae55082f184ef1c5d613358bfcca067c18514668d9842e95be6d7533b

    Score: 10/10

    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Adds Run key to start application
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15