2ac13e163b9bdd76aa1dd7ebcfc2dd9ddc6a32712c328889495637a5d0d2a5ea | Triage

Submit
Reports

Overview

overview

Static

static

IMG-0641.doc

windows7_x64

IMG-0641.doc

windows10_x64

1

Sharing

General

Target

IMG-0641.doc
Size

598KB
Sample

210114-6926w9a1ss
MD5

44c09f25925b3a659e19dae6b5e70cc5
SHA1

4eb7ae147669bdb3cc508efc1160fd820e662fa9
SHA256

2ac13e163b9bdd76aa1dd7ebcfc2dd9ddc6a32712c328889495637a5d0d2a5ea
SHA512

d9bdabf18d25ea6ac434c63062c8119ecc2c52fc76b4c31ccc5079f7c4ffd7472a43574aa614ed15bafd7655011221f79dba1657dcba81e8fd86f30c979c2579

Score

10^/10

persistence spyware

Static task

static1

Behavioral task

behavioral1

Sample

IMG-0641.doc

Resource

win7v20201028

persistence spyware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

IMG-0641.doc

Resource

win10v20201028

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  IMG-0641.doc
- Size
  
  598KB
- MD5
  
  44c09f25925b3a659e19dae6b5e70cc5
- SHA1
  
  4eb7ae147669bdb3cc508efc1160fd820e662fa9
- SHA256
  
  2ac13e163b9bdd76aa1dd7ebcfc2dd9ddc6a32712c328889495637a5d0d2a5ea
- SHA512
  
  d9bdabf18d25ea6ac434c63062c8119ecc2c52fc76b4c31ccc5079f7c4ffd7472a43574aa614ed15bafd7655011221f79dba1657dcba81e8fd86f30c979c2579
Score

10^/10

persistence spyware
- Modifies WinLogon for persistence
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

persistencespyware

behavioral2

© 2018-2024

Terms | Privacy