General

  • Target

    Docs_92ebafcc950619596e93a4215d05e6cb.doc

  • Size

    218KB

  • Sample

    191205-lskkescds6

  • MD5

    92ebafcc950619596e93a4215d05e6cb

  • SHA1

    4c620b0d5e3685086d3f7359b89de3ea79afe4c1

  • SHA256

    94c241402910892dc472c95bec71350b2201bb0b3216b0ea988782af6a05c08a

  • SHA512

    41e95e4e98c3ddf25d3218f8adec5a2402a0082dd03534bb1d3f6e6b464383bdceef35c03579b1f7541aff3107363bacfa483b158c2f28d3a6bdf515e1afc768

Malware Config

Extracted

  Language: ps1
  Source: (empty in the report)
  URLs:
    exe.dropper  http://colfev12.site/Bijka.dat
    exe.dropper  http://colfev12.site/sfera.dat
    exe.dropper  http://colfev12.site/oYWE.dat
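The extracted config is the part of this report a responder acts on: the PowerShell stage carries three `exe.dropper` URLs on the same host, i.e. candidate download locations for the next-stage executable. The script below is an added example, not part of the sandbox report, showing how to turn that config into host and host+path IOCs and sweep them over proxy logs. The URLs and hashes are taken from the report; the Squid-style log lines are constructed for the example, and the normalisation rule (lower-case host, drop the port and query string) is an assumption about how to match robustly, not something the report states.

```python
"""Turn the extracted dropper config into IOCs and match them against proxy logs.

Added example, not part of the sandbox report. The config values (the three
exe.dropper URLs and the document hashes) come from the report above; the
proxy log lines below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Values from the report: the ps1 dropper's download candidates and the .doc hashes.
EXTRACTED_CONFIG = {
    "language": "ps1",
    "urls": [
        {"usage": "exe.dropper", "url": "http://colfev12.site/Bijka.dat"},
        {"usage": "exe.dropper", "url": "http://colfev12.site/sfera.dat"},
        {"usage": "exe.dropper", "url": "http://colfev12.site/oYWE.dat"},
    ],
}
DOC_HASHES = {
    "md5": "92ebafcc950619596e93a4215d05e6cb",
    "sha256": "94c241402910892dc472c95bec71350b2201bb0b3216b0ea988782af6a05c08a",
}


def normalise_url(url):
    """Return (host, path) with the host lower-cased and the port dropped.

    The query string is dropped as well (assumption: droppers of this kind may
    append junk parameters, so host+path is a more robust key than the full URL).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host, parts.path or "/"


def build_iocs(config):
    """Hosts and exact host+path pairs worth alerting on."""
    hosts, urls = set(), set()
    for entry in config["urls"]:
        host, path = normalise_url(entry["url"])
        hosts.add(host)
        urls.add((host, path))
    return {"hosts": hosts, "urls": urls}


# Constructed Squid-style access log lines (not from the report):
# timestamp, client IP, result/status, bytes, method, URL.
SAMPLE_PROXY_LOG = """\
1575551001.123 10.0.0.15 TCP_MISS/200 1024 GET http://example.com/index.html
1575551002.456 10.0.0.23 TCP_MISS/200 218112 GET http://COLFEV12.site/Bijka.dat?x=1
1575551003.789 10.0.0.23 TCP_MISS/404 512 GET http://colfev12.site:80/sfera.dat
1575551004.000 10.0.0.42 TCP_MISS/200 4096 GET http://colfev12.site/other.php
1575551005.000 10.0.0.7 TCP_MISS/200 777 GET http://not-colfev12.site/Bijka.dat
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def match_proxy_log(log_text, iocs):
    """Return one hit per log line that touched an IOC.

    'url' hits are fetches of a configured dropper URL; 'host' hits are other
    requests to the same host, which still point at the client that ran the macro.
    Lines that only contain the host as a substring (not-colfev12.site) must not match.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, path = normalise_url(m["url"])
        if (host, path) in iocs["urls"]:
            kind = "url"
        elif host in iocs["hosts"]:
            kind = "host"
        else:
            continue
        hits.append({"client": m["client"], "kind": kind, "host": host,
                     "path": path, "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, build_iocs(EXTRACTED_CONFIG)):
        print(hit)
```

A 404 on one of the candidate URLs (the sfera.dat line) is still a hit worth keeping: a dropper that carries several URLs typically walks the list until one serves a payload, so the failed fetch is evidence that the macro executed on that client even before the successful download.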

Targets

    • Target

      Docs_92ebafcc950619596e93a4215d05e6cb.doc

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Program crash

    • Windows security modification

    • Checks for installed software on the system

    • Modifies system certificate store

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6; the number in brackets is the count of matched signatures mapped to the technique)

Defense Evasion

    • T1089 Disabling Security Tools (1)
    • T1112 Modify Registry (2)
    • T1130 Install Root Certificate (1)

Discovery

    • T1012 Query Registry (5)
    • T1082 System Information Discovery (3)
    • T1018 Remote System Discovery (1)
