Extracted

• • Target

    Tax Challan.xlsm

  • Size

    88KB

  • MD5

    8927ad6be7ff24a708641467b7f699d5

  • SHA1

    9973dad26ac516f3a4f413624fa908a828e5df9b

  • SHA256

    5f005ef79f2a337aa3e3537f304316bdb931dffa3cecacadc1cd094c1414bf4f

  • SHA512

    fa5d459357e53bdf963126d3f0fa7fc840a6bb62448807f9ee8e38e65a58d0f9f00c0bdefcb0df3a6186843e80e9870df2c7ae455fbb623dfc92264e5dddea34

  Score

  10^/10

  persistencespyware

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blacklisted process makes network request

  • Executes dropped EXE

  • Sets DLL path for service in the registry

    persistence

  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware

  • Adds Run key to start application

    persistence

  • JavaScript code in executable

  • Modifies WinLogon

    persistence

  • Drops file in System32 directory

  • Modifies service

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2