General
Target: Attachedoc.xlsm
Size: 12KB
Sample: 210811-ke6mdql7mn
MD5: 6ccb838e604105af2b82aa4ac9de8124
SHA1: 3fb66d6953ded7f871eac0cc6aaef152c26b15c4
SHA256: d0f3ca8216dcf21d271fbc8f37104a8677d3d58f6f4178e60ded7b17a9ce180e
SHA512: 3100c139d74ee6c7f5aed47d3956d76d5945be17ad8d8b5275ff18e1005787348172603ed299aefe910617f5f74506a1114789c4b83e66863f3dc691a15ba195
Behavioral task: behavioral1
Sample: Attachedoc.xlsm
Resource: win7v20210408

Behavioral task: behavioral2
Sample: Attachedoc.xlsm
Resource: win10v20210410
Malware Config
Extracted URL: http://iurl.vip/x03qc
Extracted family: oski
Extracted C2: accdemo.axwebsite.com
Targets
Target: Attachedoc.xlsm, 12KB (hashes as listed under General above)
Score: 10/10

Signatures
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of SetThreadContext