Overview

overview

10

task1

 

6

task2

 

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_92ebafcc950619596e93a4215d05e6cb.doc

  • Size

    218KB

  • Sample

    191205-xsaajpnzhs

  • MD5

    92ebafcc950619596e93a4215d05e6cb

  • SHA1

    4c620b0d5e3685086d3f7359b89de3ea79afe4c1

  • SHA256

    94c241402910892dc472c95bec71350b2201bb0b3216b0ea988782af6a05c08a

  • SHA512

    41e95e4e98c3ddf25d3218f8adec5a2402a0082dd03534bb1d3f6e6b464383bdceef35c03579b1f7541aff3107363bacfa483b158c2f28d3a6bdf515e1afc768

Score
10/10
discoveryevasionspreadingspywaretrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://colfev12.site/Bijka.dat
exe.dropper

http://colfev12.site/sfera.dat
exe.dropper

http://colfev12.site/oYWE.dat

Targets

    • Target

      Docs_92ebafcc950619596e93a4215d05e6cb.doc

    • Size

      218KB

    • MD5

      92ebafcc950619596e93a4215d05e6cb

    • SHA1

      4c620b0d5e3685086d3f7359b89de3ea79afe4c1

    • SHA256

      94c241402910892dc472c95bec71350b2201bb0b3216b0ea988782af6a05c08a

    • SHA512

      41e95e4e98c3ddf25d3218f8adec5a2402a0082dd03534bb1d3f6e6b464383bdceef35c03579b1f7541aff3107363bacfa483b158c2f28d3a6bdf515e1afc768

    Score
    10/10
    discoveryevasionspreadingspywaretrojan

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Program crash

    • Windows security modification

      evasiontrojan

    • Checks for installed software on the system

      discovery

    • Modifies system certificate store

      evasionspywaretrojan

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    task1task2

MITRE ATT&CK Enterprise v6

Tasks