General

  • Target

    Correo Externo R3912349DS --- Referencia POSIBLE SANCIÓN E INHABILIDA... (723 KB).msg

  • Size

    109KB

  • Sample

    241206-awszhszqgz

  • MD5

    45684554337c2beb94dcdbda136c6661

  • SHA1

    1f2ccc3c43a899e4f43296a8eff2ed152899590d

  • SHA256

    d7d0a5f88b8d3660144c7df7b32d4ea1151ccc255a356839cbc5a2637b5d66a0

  • SHA512

    d2b87cb69548567ca559d3eff2837f7595463f0ea6ff40b5803032d797831624b4d8418a6e799d50a1d7ce718aaf8158a050406cc9bfa04b0a3887117d0c21e5

  • SSDEEP

    1536:9AAE5O4JZL6hgSgyov5tCVGXEYrq8JMBJDp8LvGXMeiA:9AAE5DL6qiYs8WHVyvGTiA

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Targets

    • Target

      Correo Externo R3912349DS --- Referencia POSIBLE SANCIÓN E INHABILIDA... (723 KB).msg

    • Size

      109KB

    • MD5

      45684554337c2beb94dcdbda136c6661

    • SHA1

      1f2ccc3c43a899e4f43296a8eff2ed152899590d

    • SHA256

      d7d0a5f88b8d3660144c7df7b32d4ea1151ccc255a356839cbc5a2637b5d66a0

    • SHA512

      d2b87cb69548567ca559d3eff2837f7595463f0ea6ff40b5803032d797831624b4d8418a6e799d50a1d7ce718aaf8158a050406cc9bfa04b0a3887117d0c21e5

    • SSDEEP

      1536:9AAE5O4JZL6hgSgyov5tCVGXEYrq8JMBJDp8LvGXMeiA:9AAE5DL6qiYs8WHVyvGTiA

    Score
    5/10
    • Drops file in System32 directory

    • Target

      OFICIO 023 POSIBLE SANCIÓN E INHABILIDAD DEL CARGO.pdf

    • Size

      60KB

    • MD5

      5cc6a0590df5c2d11054e648427f551b

    • SHA1

      ea31839c9f7bdddde3e8b20e44408cefb885c285

    • SHA256

      d1b3251e0896d300fe8764d0e820c2707515f27364e28115b7e7392274cfa10d

    • SHA512

      51c5bde8ea5482e318aebc06968a9cdce83575d3c06ada3a958962448431af31a5a906d95f172a544ff79fdc16aa09c97066b7d2bdc9f6fec42620e681cb97e6

    • SSDEEP

      768:hghgubg2NEdvvEbaXtgX5VG2/fOHxEYrqGSyLN2hBicL5ughpzT8LiADuVXIA0N:ChgSgyov5tCVGXEYrq8JMBJDp8LvGXMN

    Score
    10/10
    • Blocklisted process makes network request

    • Drops startup file

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks