General

  • Target

    ups_invoice3105183.doc

  • Size

    282KB

  • Sample

    191211-xasqnnchds

  • MD5

    48b57693d5b1647b3f7fc5b45c0a8213

  • SHA1

    5e2f6df0dde7caf8163921da45bf773db8514645

  • SHA256

    0346971c0cf96bb3b143aea0e307f2d94af8a18474cc8e50dab4bcad965d2aa6

  • SHA512

    1b2cbb36a74259c2d3566ab83c10380d07bc2586e6d0e07101b51104000e25ee3f09420ed261674154d08a612348da5b22962e26a04a16dba62f6ea1c2d9643f

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs (exe.dropper)

    http://corp4.site/cVIka.dat
    http://corp4.site/vben.dat
    http://corp4.site/LugVP.dat
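The extracted config is a PowerShell stage with three exe.dropper download URLs on one host, and the page above gives four digests for the document itself. The script below is an added example, not part of the Triage report or its tooling: it recomputes the digests of a local file so you can confirm the sample on disk is the one this page describes, normalises the URL list into defanged host/path IOCs for sharing, and emits one Suricata HTTP rule per URL. The hashes and URLs are copied from the report; the sid range, the classtype and the msg wording are assumptions for illustration, and the byte string used in the usage section is constructed and is not the sample.

```python
"""Added example: turn the extracted dropper config and the reported
hashes into checkable artefacts (not code from the Triage report)."""
import hashlib
from urllib.parse import urlparse

# Digests as listed in the report for ups_invoice3105183.doc.
REPORT_HASHES = {
    "md5": "48b57693d5b1647b3f7fc5b45c0a8213",
    "sha1": "5e2f6df0dde7caf8163921da45bf773db8514645",
    "sha256": "0346971c0cf96bb3b143aea0e307f2d94af8a18474cc8e50dab4bcad965d2aa6",
    "sha512": "1b2cbb36a74259c2d3566ab83c10380d07bc2586e6d0e07101b51104000e25ee"
              "3f09420ed261674154d08a612348da5b22962e26a04a16dba62f6ea1c2d9643f",
}

# exe.dropper URLs from the extracted config (kept live here; defang() is
# what you hand to other people).
DROPPER_URLS = [
    "http://corp4.site/cVIka.dat",
    "http://corp4.site/vben.dat",
    "http://corp4.site/LugVP.dat",
]

ALGOS = ("md5", "sha1", "sha256", "sha512")


def hash_all(data: bytes) -> dict:
    """Compute every digest the report lists, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def verify_sample(data: bytes, expected: dict = REPORT_HASHES) -> dict:
    """Return {algo: matched}. Treat the file as the reported sample only
    if every algorithm matches; a single mismatch means a different file."""
    got = hash_all(data)
    return {algo: got[algo] == expected[algo].lower()
            for algo in ALGOS if algo in expected}


def defang(url: str) -> str:
    """hxxp://host[.]tld/path form so the IOC cannot be clicked by accident."""
    p = urlparse(url)
    scheme = p.scheme.replace("http", "hxxp")   # http -> hxxp, https -> hxxps
    host = p.netloc.replace(".", "[.]")
    tail = p.path + (f"?{p.query}" if p.query else "")
    return f"{scheme}://{host}{tail}"


def iocs_from_config(urls=DROPPER_URLS) -> list:
    """Split each dropper URL into the pieces a blocklist or hunt needs."""
    iocs = []
    for url in urls:
        p = urlparse(url)
        iocs.append({
            "url": url,
            "defanged": defang(url),
            "host": p.netloc,
            "path": p.path,
            "filename": p.path.rsplit("/", 1)[-1],
        })
    return iocs


def suricata_rules(urls=DROPPER_URLS, sid_base=9000001) -> list:
    """One rule per URL using the http.host / http.uri sticky buffers.
    sid_base is an assumed placeholder; pick a range your ruleset reserves."""
    rules = []
    for i, url in enumerate(urls):
        p = urlparse(url)
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Dropper download {p.netloc}{p.path}"; '
            'flow:established,to_server; '
            f'http.host; content:"{p.netloc}"; nocase; '
            f'http.uri; content:"{p.path}"; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    # Constructed stand-in for a file on disk; it is not the sample, so
    # every digest comparison is expected to fail.
    blob = b"placeholder bytes, not ups_invoice3105183.doc"
    print("sample matches report:", verify_sample(blob))
    for ioc in iocs_from_config():
        print(ioc["defanged"], "->", ioc["filename"])
    print("\n".join(suricata_rules()))
```

To check a real file, read it in binary mode and pass the bytes to verify_sample(); comparing all four digests rather than only MD5 guards against a collision-crafted decoy. The rules match on host and URI separately, so a move of the same filenames to a new host still fires on the URI content while the host check is updated.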

Targets

    • Target

      ups_invoice3105183.doc

    • Size

      282KB

    • MD5

      48b57693d5b1647b3f7fc5b45c0a8213

    • SHA1

      5e2f6df0dde7caf8163921da45bf773db8514645

    • SHA256

      0346971c0cf96bb3b143aea0e307f2d94af8a18474cc8e50dab4bcad965d2aa6

    • SHA512

      1b2cbb36a74259c2d3566ab83c10380d07bc2586e6d0e07101b51104000e25ee3f09420ed261674154d08a612348da5b22962e26a04a16dba62f6ea1c2d9643f

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Program crash

    • Windows security modification

    • Checks for installed software on the system

    • Modifies system certificate store

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Disabling Security Tools (T1089): 1

  • Modify Registry (T1112): 2

  • Install Root Certificate (T1130): 1

Discovery

  • Query Registry (T1012): 6

  • System Information Discovery (T1082): 4

  • Remote System Discovery (T1018): 1

  • Peripheral Device Discovery (T1120): 1

Tasks