Overview

overview

10

Static

static

8

5cf13a476f...f2.doc

windows7-x64

10

5cf13a476f...f2.doc

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2

  • Size

    34KB

  • Sample

    240726-z5zk4aydnc

  • MD5

    5c2797ab79310c379e44ae2987dca9f3

  • SHA1

    2fcc0edddc6274f89e03711ae40c8e5ef0bb47e9

  • SHA256

    5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2

  • SHA512

    6c31d93e8f3a22ce20ecfe3d6a0e2b1c72f9526b4c39a197dea6d47ffb282a00cb44768bdd57c57a2772af749d989564a4b6ec8b14f47d997a1e5cabee013a4c

  • SSDEEP

    384:A3SiSwvxjk+tb/sWk+MlTT50jmtcgWFeFaJH:A3Vxw+tD7SXMgWFeFa9

Score
10/10
discoveryexecutionmacromacro_on_action

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://192.168.166.158/payload.txt

Targets

    • Target

      5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2

    • Size

      34KB

    • MD5

      5c2797ab79310c379e44ae2987dca9f3

    • SHA1

      2fcc0edddc6274f89e03711ae40c8e5ef0bb47e9

    • SHA256

      5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2

    • SHA512

      6c31d93e8f3a22ce20ecfe3d6a0e2b1c72f9526b4c39a197dea6d47ffb282a00cb44768bdd57c57a2772af749d989564a4b6ec8b14f47d997a1e5cabee013a4c

    • SSDEEP

      384:A3SiSwvxjk+tb/sWk+MlTT50jmtcgWFeFaJH:A3Vxw+tD7SXMgWFeFa9

    Score
    10/10
    discoveryexecution

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks