General

  • Target

    0113_203089882.doc

  • Size

    633KB

  • Sample

    210113-xvldqt5e82

  • MD5

    8cde22c011629e537c9f3ef15225c2d7

  • SHA1

    e85624f6fb796946b75d2091c3c38ed61764cde8

  • SHA256

    678da85cecff2cdda8559281dfc8a89f87c44c6371cbda4de4bc9ea5cd2f5cf9

  • SHA512

    59ebe8c806d7585bd0c44a08dfacf1f2cdede087b9e86d75608771ff2ce4bfe2a4ac7fbd364f87dff89099fe8223e736680de9d700320bbb42944b3e9ad62ab2

Score: 10/10

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                      Count  ID
  Defense Evasion     Modify Registry                1      T1112
  Credential Access   Credentials in Files           1      T1081
  Discovery           Query Registry                 2      T1012
  Discovery           System Information Discovery   2      T1082
  Collection          Data from Local System         1      T1005
