General

  • Target

    bestthingswithgoodnweswthcihcgivingsuchanidea_______itsreallygreatthingseverytimetounderstandbetterthingon_______betterwaywithgreatthingswhichenoughtounderstand.doc

  • Size

    83KB

  • Sample

    241023-hfrqhsyajr

  • MD5

    2cf4b897ab47808cc8b96d2804e2ab61

  • SHA1

    5a8dbba3aef1d5388b9ad1e5daa06bb3ec108c78

  • SHA256

    903c11a14a5af5a8b9594c1f5fa92b22b6d631c07c112a26c23fea6cd586789e

  • SHA512

    a64e172ad506d81787e1b0dd539d19b55d1e7a5209313898dc5a0332f5f9b1d34d9ea2e966c25f30109b29baefb6c2b4f2c6fbfb3179fbf24b445e70d4f5ddda

  • SSDEEP

    384:dgNcayG/Quubhij37JcVPut6+u/Bk7qGlco6/Ijwz96i3KJO/b7XB6ZbqYhCt:dgW1Euby37sPVJk7qGJjyoI7XcZO

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

    exe.dropper

    https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Targets

    • Target

      bestthingswithgoodnweswthcihcgivingsuchanidea_______itsreallygreatthingseverytimetounderstandbetterthingon_______betterwaywithgreatthingswhichenoughtounderstand.doc

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15