General
-
Target
New-Order December-15th.xlsx
-
Size
2.3MB
-
Sample
201215-6y9fpc37ea
-
MD5
e03ed5e77e5800540f0448a8318eaf34
-
SHA1
56af39d425961607df89dabb30480038828701c0
-
SHA256
3994471e828d2d7e89e3c7c07ef01662173333700ac9dc14461b3e418cb75db7
-
SHA512
4d26a232dd177a2670fc4272823d7de3feb30e06d9970b331c02e1b299df5dca7811e4ccae707cb4b5018d8b08af70ca2b265fe1fde5a0650ebb9e54ae01eb76
Static task
static1
Behavioral task
behavioral1
Sample
New-Order December-15th.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
New-Order December-15th.xlsx
Resource
win10v20201028
Malware Config
Targets
-
-
Target
New-Order December-15th.xlsx
-
Size
2.3MB
-
MD5
e03ed5e77e5800540f0448a8318eaf34
-
SHA1
56af39d425961607df89dabb30480038828701c0
-
SHA256
3994471e828d2d7e89e3c7c07ef01662173333700ac9dc14461b3e418cb75db7
-
SHA512
4d26a232dd177a2670fc4272823d7de3feb30e06d9970b331c02e1b299df5dca7811e4ccae707cb4b5018d8b08af70ca2b265fe1fde5a0650ebb9e54ae01eb76
-
NetWire RAT payload
-
Looks for VirtualBox Guest Additions in registry
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Modifies Installed Components in the registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-