Overview

overview

10

Static

static

1

unnamed (1).png

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    unnamed (1).png

  • Size

    66KB

  • Sample

    240420-jjpk1acd7z

  • MD5

    be0abc1b4049ac38585bb9ccac558501

  • SHA1

    8cd55863787008c3283bb81729105144d4602d4f

  • SHA256

    eb0c795001bb3ce85b653660116dcb0aaf246d1b4693360a3d5a2fe5ac372d44

  • SHA512

    5c495681152ceaf63e8281611158537e529dce3417d95dc1e89ce66e33e0377941b2d8f9c54b3c18468b8ffa9b64fbd2d87a004de6a11e0a253f708ee03fda65

  • SSDEEP

    1536:zuNULfFmFUqfmJpVthrUtJDyBBjEmnqIFt/1Kp+2:hdTq+JB2yBBNqQl1AZ

Score
10/10
discoverymacromacro_on_actionpersistenceupx

Malware Config

Targets

    • Target

      unnamed (1).png

    • Size

      66KB

    • MD5

      be0abc1b4049ac38585bb9ccac558501

    • SHA1

      8cd55863787008c3283bb81729105144d4602d4f

    • SHA256

      eb0c795001bb3ce85b653660116dcb0aaf246d1b4693360a3d5a2fe5ac372d44

    • SHA512

      5c495681152ceaf63e8281611158537e529dce3417d95dc1e89ce66e33e0377941b2d8f9c54b3c18468b8ffa9b64fbd2d87a004de6a11e0a253f708ee03fda65

    • SSDEEP

      1536:zuNULfFmFUqfmJpVthrUtJDyBBjEmnqIFt/1Kp+2:hdTq+JB2yBBNqQl1AZ

    Score
    10/10
    discoverymacromacro_on_actionpersistenceupx

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

      macromacro_on_action

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

5
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks