General

  • Target

    documents.07.21.doc

  • Size

    72KB

  • Sample

    210721-h382n7l8dj

  • MD5

    2b7fbd7553c2c0079775ff71624f6e1d

  • SHA1

    de14f7af8b1e4f44c075f699dfedaa7ada95cc49

  • SHA256

    03fe24d7f895988c09b48880d841096dcc9e3623254884d93769a4e362473950

  • SHA512

    96554a7da2d220c8037281352de6271dc51fac4623ca3a55ba01035376e00a8e2f7334e9555e22706dd96f857f7bab6c3c342503c32a08335b35a0b36cc70a34

Score
10/10

Targets

    • Target

      documents.07.21.doc

    • Size

      72KB

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

      A process was created through NtCreateProcessEx with a parent other than the calling process (parent PID spoofing), so the recorded process tree does not show the real creator.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

      Same technique via NtCreateUserProcess: the new process is assigned a parent other than the process that actually created it.

    • Blocklisted process makes network request

      A process that is not expected to initiate network traffic made a network request.

    • Downloads MZ/PE file

      A downloaded payload was a Windows executable (MZ header followed by a PE header).

    • Loads dropped DLL

      A DLL written to disk during the analysis run was subsequently loaded.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      The thread context of another process was rewritten, a step commonly used in process hollowing and other injection techniques to redirect execution into injected code.
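
Two of the behaviours flagged above, an Office parent spawning an unexpected child and process creation under a spoofed parent, can be hunted in endpoint telemetry. The following is an added example, not part of this report and not sandbox code: it runs both checks over constructed Sysmon-style ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) records. The allow-list of expected Office children, the field names and the sample events are assumptions for illustration. The spoofing check relies on the fact that naming another process as parent via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS requires a handle to it with the PROCESS_CREATE_PROCESS (0x0080) access right, which Sysmon records in Event 10 even though the later Event 1 shows the spoofed parent.

```python
"""Added example (not from the report): hunt for two of the flagged behaviours
in constructed Sysmon-style events.

Event ID 1  (ProcessCreate): Image, ProcessId, ParentImage, ParentProcessId
Event ID 10 (ProcessAccess): SourceImage, SourceProcessId, TargetImage,
                             TargetProcessId, GrantedAccess (hex string)
Field names follow Sysmon's schema; the allow-list and the events below are
assumptions constructed for illustration.
"""
from typing import Dict, List, Set

# Access right a caller needs on a process to name it as the new parent via
# PROC_THREAD_ATTRIBUTE_PARENT_PROCESS. Full masks such as 0x1FFFFF contain
# this bit too, so the check also fires on PROCESS_ALL_ACCESS handles.
PROCESS_CREATE_PROCESS = 0x0080

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children an Office process is expected to spawn (assumption; tune per estate).
ALLOWED_OFFICE_CHILDREN = {"splwow64.exe", "dw20.exe", "dwwin.exe"}


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_office_children(events: List[dict]) -> List[dict]:
    """'Process spawned unexpected child process': an Office parent whose
    child is not on the allow-list."""
    hits = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        if (_base(ev["ParentImage"]) in OFFICE_PARENTS
                and _base(ev["Image"]) not in ALLOWED_OFFICE_CHILDREN):
            hits.append({"parent": ev["ParentImage"], "child": ev["Image"],
                         "child_pid": ev["ProcessId"]})
    return hits


def parent_pid_spoofing(events: List[dict]) -> List[dict]:
    """'...OtherParentProcess': Event 1 records the spoofed parent, so the
    evidence is the earlier Event 10 in which the real creator opened that
    parent with PROCESS_CREATE_PROCESS. Events are walked in time order so
    only creations after the handle open are attributed to the opener."""
    openers: Dict[int, Set[int]] = {}  # target pid -> pids that opened it with 0x80
    hits = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 10:
            granted = int(ev["GrantedAccess"], 16)
            if granted & PROCESS_CREATE_PROCESS and ev["SourceProcessId"] != ev["TargetProcessId"]:
                openers.setdefault(ev["TargetProcessId"], set()).add(ev["SourceProcessId"])
        elif ev["EventID"] == 1 and ev["ParentProcessId"] in openers:
            for real in sorted(openers[ev["ParentProcessId"]]):
                hits.append({"child": ev["Image"],
                             "claimed_parent_pid": ev["ParentProcessId"],
                             "likely_real_parent_pid": real})
    return hits


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample telemetry: Word opened from Explorer, a macro starts
# cmd.exe, cmd.exe opens Explorer with PROCESS_CREATE_PROCESS and launches a
# payload that claims Explorer as its parent. Two benign records follow.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2021-07-21 10:00:00.000", "Image": WORD, "ProcessId": 4120,
     "ParentImage": EXPLORER, "ParentProcessId": 1488},
    {"EventID": 1, "UtcTime": "2021-07-21 10:00:05.000", "Image": r"C:\Windows\System32\cmd.exe",
     "ProcessId": 5012, "ParentImage": WORD, "ParentProcessId": 4120},
    {"EventID": 10, "UtcTime": "2021-07-21 10:00:06.000", "SourceImage": r"C:\Windows\System32\cmd.exe",
     "SourceProcessId": 5012, "TargetImage": EXPLORER, "TargetProcessId": 1488, "GrantedAccess": "0x1080"},
    {"EventID": 1, "UtcTime": "2021-07-21 10:00:07.000", "Image": r"C:\Users\Public\update.exe",
     "ProcessId": 5400, "ParentImage": EXPLORER, "ParentProcessId": 1488},
    {"EventID": 1, "UtcTime": "2021-07-21 10:01:00.000", "Image": r"C:\Windows\splwow64.exe",
     "ProcessId": 5500, "ParentImage": WORD, "ParentProcessId": 4120},
    {"EventID": 10, "UtcTime": "2021-07-21 10:01:30.000", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "SourceProcessId": 6000, "TargetImage": EXPLORER, "TargetProcessId": 1488, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for h in unexpected_office_children(SAMPLE_EVENTS):
        print("unexpected child:", h)
    for h in parent_pid_spoofing(SAMPLE_EVENTS):
        print("possible PPID spoofing:", h)
```

Both checks are hunt leads rather than verdicts: handle opens carrying 0x80 also come from debuggers, installers and security tooling, and Event ID 10 is only present when the Sysmon configuration includes ProcessAccess for the targets of interest.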

MITRE ATT&CK Enterprise v6
