General

  • Target

    ecdf26dffbf572bde7ae3b7fbc4f92e958dcf41f047a8af086e131173c49090d

  • Size

    74.7MB

  • Sample

    241116-pxsgpszrbk

  • MD5

    63104f1136e47541905995131175c7d6

  • SHA1

    dc2113117af8f9e1450a8122b1f5110852cf5314

  • SHA256

    ecdf26dffbf572bde7ae3b7fbc4f92e958dcf41f047a8af086e131173c49090d

  • SHA512

    d055de6d831c9bfc7ade82c71654d6f051b07d455bffcce9320080bc4ee1961c308c8e2d6e0b7a8d0f1c3df3113733f944a98d8ce3fa89ed786721c092c2c2a1

  • SSDEEP

    786432:gztyymjtZYdr4lIyM/MWMGMEMwMOM0MiMAIMnpih4tRbfklobt:4m0Qmpih4tRAybt

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bhraman.org/exe/wenL.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://kccambodia.com/exe/okayf.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://meublesinde.in/cry/rware.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://bit.ly/2NmQqH7%20

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.entreprendre-en-alsace.com/cust_service/Hp/

exe.dropper

https://www.ambiance-piscines.fr/wp-admin/tQQvQCL/

exe.dropper

https://www.akarosi.com/0868e784ba5af656b959f6ec5e4e9428/a1a/

exe.dropper

https://thecurrenthotel.com/wp-content/zel617r/

exe.dropper

https://wholesaleusedbooks.co.uk/jetpack-temp/Xl1SeJPW/

Targets

    • Target

      2020-01-01_162556.doc

    • Size

      21KB

    • MD5

      ae3d8d88bd51083ed45622c125dddeed

    • SHA1

      8a04d0cbde8ae822a1f7179cb8669441534f4ada

    • SHA256

      fbc515049263135d70c68e58c634fce00d0e73a1f085d5fd30de1b29876a8784

    • SHA512

      9c41fa0b3e99fcc0b40c069193ee0f3d6aa6ce0253ecb17cb5afd303058fd351a6fc3e1fa21d4c489cfc9668dbbf2330620f5b16432e57a229714f883511ddca

    • SSDEEP

      384:3eK8Imh5a70iPlvREJoERXZmHRmhcgOm42GG6F7//o4MA4ENci1XIb:uKpC6pRal+x25A44ccX2

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      2020-01-02_74751.doc

    • Size

      300KB

    • MD5

      22ecc2004189347144ed28e2858cebf5

    • SHA1

      eab6b6281fbadb07ee0a70821bed782d7a853f61

    • SHA256

      04afe7b71381c3eda760fd44b9d5b5d8653fbc7139e9b6626ccd001b3944055f

    • SHA512

      9f6cfd6fbbd5bf81d349349a4dd08cd117fc58c4ce57598fbaecab6377d341b75f0482063c004e0550b14231baeb48a3a45604946b8ab6109cef2396dcb17677

    • SSDEEP

      3072:TIlsIvVcDJhz8+4b9zqaXykqLW6pIXARyODl7A2nvFdeyxbR6KsV:8zqkqLrYJV

    Score
    4/10
    • Target

      2020-01-03_105342.doc

    • Size

      166KB

    • MD5

      22f0101259aca82cc2b8dd103c58a3bd

    • SHA1

      a23644411338f408a8a34a02f6350ae9fae51eee

    • SHA256

      05d5e69f86c94bf709bec9cca1ddc533ad9a91573797ac3ab8173d15c6aa93bb

    • SHA512

      fe467a7f3bf0280dfaf6271b0d80c27ae6053def3cda54c26bea8f714f6d573380a2e947318dc2076361b57dfd8f1402316b2c8e7c72b2b0e9c8ef5af7f314bc

    • SSDEEP

      1536:3OwUaJIwFKZwiRysuqoKTjpimH9JMuyqWADsuMeC9nKP/5PJ0Zqm76Fwfq:eTaIlZwi9n7Qt/ADDMeCxUBPsqmGSf

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      2020-01-03_134610.doc

    • Size

      158KB

    • MD5

      3e9bc9561cff7bb87123cfcd560d9c59

    • SHA1

      ceea93071e72a4190f37510fa0f684930d383a9a

    • SHA256

      849703e5ced8577b1de1f7b895914d60c423e98dc42ec20cc8a5df9408a9dcf9

    • SHA512

      e24a6a1f3d8d058b5c597e93e176c12b1425555f7a002a8b31edf1a3ebb3d51ab83927bab5199562469658f2f3454adf16b71186b3164d180843308745539820

    • SSDEEP

      3072:dTaIlZwi9nBhBaGoEyGxnt3cUKIjdHURh8:0ywSBhBaGbyat3JLjK

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      2020-01-06_123924.doc

    • Size

      114KB

    • MD5

      c55821c463bda31017f37357951ee1fa

    • SHA1

      a13881041e977a6c6f607e03d53d50e9495f0e12

    • SHA256

      93bbc734a36f7d73a05ededf5870cec3f28c88325322306184f035f340671eb7

    • SHA512

      f689710ed01531bd58f11c41b8ad50991f9a2901ca033c271bfc8ce40f9e7983e456b09053c48d7ff1ccb18e71bd1d9359bfa605124e018f099da737333f48e9

    • SSDEEP

      3072:mBftEE9JMu4fYJaiJwe6JiJGpAAAAAAAAAAAAA2lgi:aeuUYkiWAwpAAAAAAAAAAAAA2l

    Score
    4/10
    • Target

      2020-01-06_193259.doc

    • Size

      21KB

    • MD5

      4f02c50f97c3b12f7ea10760b6e0d490

    • SHA1

      2c66fbf312c036fe407d2acd95b9d666a5a1b2ea

    • SHA256

      312fb2addec654d2322674d8c47aeef7cda941cb9047fc311affbdd2fff2297a

    • SHA512

      0210659f3f725f7b2e748b4fffff5219510a21a1b77110e80d76da2a01526505495c6737d80d3cc145d2dae7d023729cdb87930479d133d4bc92a7d963fd72a5

    • SSDEEP

      384:3ea5s/dhP6E+xUJUnhOQG6SG6F7//o4MAuVNci1VBW:ut1hCnUCnweAuvcci

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      2020-01-09_174205.doc

    • Size

      164KB

    • MD5

      da314846063cf72c4aa800c4d6a88f8f

    • SHA1

      a01a8905965d59f896968958f9b39115420a636b

    • SHA256

      068f7e67f52d97eef2929a08dad735e85dc91bebc2e14b794cb670f915a1074b

    • SHA512

      62102482e1206317abb4bd3adefcb3134d0d9133c10ac988990e6ebead2b4dee30e2374a0635f07850206d813cce22d412b316ac6b246f7a330ccbebf5ecc15a

    • SSDEEP

      3072:0UgwWw+CnDOLnT0dRGLvkD4Q74N6GO2FMgZ4E56VvdvbFcZ:CHMDy0UkDL4MGO2n5y6

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Target

      2020-01-11_81623.doc

    • Size

      19KB

    • MD5

      05ff7f28554aa6e9518c848c4134d9cd

    • SHA1

      3f91e20ab999e7bd748ba1a182bbce47b165b4f7

    • SHA256

      b0a8a64c754bff466691853bc74ab0e0a41cd3b954e8d0af5c6cffc80f1ead34

    • SHA512

      5fb5c0369d66e95de650b08e298879a6a8e33f41297d9dec9e4f7af6d687028eadcca3867db65876bb1924d21921fcd2538c16491aec4bc6d23015354da006f3

    • SSDEEP

      384:3eMx5U8ybXqgeUGbj3M5aLesOfV57G6F7//o4MAYtNci19zy:u98yO9NjM5TsoVOAocc0

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      2020-01-13_104457.doc

    • Size

      1.6MB

    • MD5

      c72b6a05064912fded813ede3595c6a5

    • SHA1

      95a0fbdffa5f2084831716f1a488f8c3f1c7888a

    • SHA256

      2644a076e344cf636e095c35ddec6cae24836bf76793fd311814075d74ec4f62

    • SHA512

      0d36c16e21726c4143267872a660886cbecf0bc93b3abe80b4174a7a8a40fb28dcd023ae0d4cf006656ba76dc4a90cf4f8113707d9a0dc5895a77bbf54130cc4

    • SSDEEP

      12288:ZHqKeOQqKeOQqKeOQqKeOQqKeOQqKeOQqKeOQqKeOQqKeOD:Zz

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      2020-01-13_144901.doc

    • Size

      230KB

    • MD5

      c0539e1d90d021c13feee0aa5d6ccbf8

    • SHA1

      cfe0f5101fd5df62e541fb38270ecf8d1b764537

    • SHA256

      f2eb11ec679948522a86030c3f5b2c93b6c08e6d6bc0a7213feb0d555d7616f3

    • SHA512

      a84f9a3b116904f05a0cec1dc915ddfa784c4bb35b8ff88b2890c11b5b3797137599153b639d9879a12cbd503e64cc161880d5ffb9d47c44d1f3b723a35a9ddf

    • SSDEEP

      6144:50Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+FyXM:50E3dxtR/iU9mvUPQXM

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    • Drops file in System32 directory

    • Target

      2020-01-13_145745.doc

    • Size

      231KB

    • MD5

      7ad8f3b53dbb5a57d250c93beadb95b1

    • SHA1

      2e5f8975927d270a479f4b703ed1146298dd470c

    • SHA256

      d5eb644ce9dc3eae6e25d119b6407945d80feb436d43924c9c8c234f11932e5c

    • SHA512

      b9975f0654694804adb16539988ddaa110e74838363c2be073d1d4a51ac9f3f82e5d9308f6e26e91e741eec8e3d8f7862302815d66e2fd9b57b1aac947ca504b

    • SSDEEP

      6144:50Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+JOXK:50E3dxtR/iU9mvUPQXK

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Drops file in System32 directory

    • Target

      2020-01-13_152510.doc

    • Size

      230KB

    • MD5

      fe3997f787f6855e35a27b44afa11c29

    • SHA1

      f04bd67fd9cb44274476adfe2f19bece4c8cbfa6

    • SHA256

      8d1e320dd026267c01926b358ef8765f23f759d5519fcaf7ad8a36f95f5d71e7

    • SHA512

      794ee9c602fcfdd8a5b133d3a0664bb5a4aed9e60bf3e02c2c07c2c2e5946fa10649853525971adffa5d80b27fef179b6dbdc256b5413d5e58eab46e70717533

    • SSDEEP

      6144:50Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+F5Xk:50E3dxtR/iU9mvUP3Xk

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Drops file in System32 directory

    • Target

      2020-01-13_152527.doc

    • Size

      231KB

    • MD5

      7c667d0ca5879c12efd2839e373f50b0

    • SHA1

      955a8725a27f5b6abda97eb36ecbec3c34e7efbf

    • SHA256

      10f14648423ffb424a634065e2e56aadd364068df5b0b03f8bc62e402da2025d

    • SHA512

      a62943edc6f27e4d5ca0f716a4a61f12795e5df21466e7395a743d505e4d2ebacb33ce69b167f5bfb97d31d8b2ff50d9eb03c9be90152da90a625dec5ec0df5a

    • SSDEEP

      6144:50Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+JWXm:50E3dxtR/iU9mvUPcXm

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Drops file in System32 directory

    • Target

      2020-01-13_153140.doc

    • Size

      231KB

    • MD5

      1e0d0d07a697e6d0c4384cef98fc7f1f

    • SHA1

      c9e927871b9c76a9825fe3ba5b7e773bdc652f27

    • SHA256

      9769b9ed40a8e07ef3e2c201b83dbc666217eefd3deaddc6f49d00adc8a4ce17

    • SHA512

      24e7ef4a711c039455ceb8e191016d30bd073d966bb62de9b439babe4ead4f4602dfc61e83d78d640db795a38d37349f3f4922645dba0c8a44a2d8488c532856

    • SSDEEP

      6144:50Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+JTXN:50E3dxtR/iU9mvUPlXN

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Drops file in System32 directory

    • Target

      2020-01-13_154531.doc

    • Size

      231KB

    • MD5

      590062113ac8eeffaa2febf5619433cf

    • SHA1

      82413ff4d0ca5290192e34363434dcdb0cfff326

    • SHA256

      e13b8d1f31e60dd801a8b6fd61c140367bf04cc736e7ac44f982e1d34654fd91

    • SHA512

      5fcb9bcb041f1650ae1bcd0e4c6fe29161529ef493cd4b421bd60b1604aeb14fae05b0e73354c90fbccd339fafce23a762e61be283e355900d7f17bdfc93e8ad

    • SSDEEP

      6144:50Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+FpXo:50E3dxtR/iU9mvUP/Xo

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Drops file in System32 directory

    • Target

      2020-01-13_154640.doc

    • Size

      230KB

    • MD5

      24b6540e2bc216548cf59b3419b39c18

    • SHA1

      86547d2b5bf28ced8dfcc7e798ad197429712e90

    • SHA256

      5f1d009ea31ec14955108c773b5445166200164b147f7cae1f08360adb8b0a56

    • SHA512

      7fe813a7a71f3bee1cd637f8dd7dfc725306cb7e8ce0743a7422243703cd15591e1626ddc2a9ed55e575543f1afad7983474cd0ced36e1c0b9bd9c73995c1dd0

    • SSDEEP

      6144:50Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+JgXj:50E3dxtR/iU9mvUPiXj

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

macro, macro_on_action, ostap
Score
10/10

behavioral1

discovery, execution
Score
10/10

behavioral2

execution
Score
10/10

behavioral3

discovery
Score
4/10

behavioral4

Score
1/10

behavioral5

discovery
Score
10/10

behavioral6

Score
1/10

behavioral7

discovery
Score
10/10

behavioral8

Score
1/10

behavioral9

discovery
Score
4/10

behavioral10

Score
1/10

behavioral11

discovery, execution
Score
10/10

behavioral12

execution
Score
10/10

behavioral13

discovery, execution
Score
10/10

behavioral14

execution
Score
10/10

behavioral15

discovery, execution
Score
10/10

behavioral16

execution
Score
10/10

behavioral17

discovery, execution
Score
10/10

behavioral18

execution
Score
10/10

behavioral19

discovery, execution
Score
10/10

behavioral20

Score
6/10

behavioral21

discovery, execution
Score
10/10

behavioral22

execution
Score
10/10

behavioral23

discovery, execution
Score
10/10

behavioral24

execution
Score
10/10

behavioral25

discovery, execution
Score
10/10

behavioral26

execution
Score
10/10

behavioral27

discovery, execution
Score
10/10

behavioral28

execution
Score
10/10

behavioral29

discovery, execution
Score
10/10

behavioral30

execution
Score
10/10

behavioral31

discovery, execution
Score
10/10

behavioral32

execution
Score
10/10