General

  • Target

    command,07.21.doc

  • Size

    69KB

  • Sample

    210721-7mebd5ymj6

  • MD5

    1b265cbdfb47ef2675bbc19d7542aec3

  • SHA1

    f441fde137975ecfa73c6b9d80423872443b4247

  • SHA256

    173e1ba2a7c2995c59bd1d79c8c246dc5f75835552574c87bd9bd8129977de4d

  • SHA512

    62232fd788671d69bcdb725a52dec70caab92f790a7ae6b2f7964dd6ba5b6dd28526d0df11c428ed0bc1a910cecdac26445332e9016bbf5aa4c594e8779af255

Score
10/10

Malware Config

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks