Overview

overview

10

Static

static

8

38c556d386...b6.doc

windows7_x64

10

38c556d386...b6.doc

windows7_x64

10

38c556d386...b6.doc

windows10_x64

10

38c556d386...b6.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4902777655558144.zip

  • Size

    37KB

  • Sample

    211013-n1l9eseah4

  • MD5

    f4a042fbd9d770b4fb940e45c8061fd6

  • SHA1

    3dce85832b1e9946886308ba2c8933bd89ecdf11

  • SHA256

    04ea345004fd7f49f6ef909fbbabdcb2ef9436b95d400fa30f64e9b1b1d17d46

  • SHA512

    adde5554b408a7756e2188b5c7b1e2a5b5bb1a813274d0e0bca00a57c373e73c4afcfe3749ed9c7e444f3fef555c066b17aac972e1d619fb64359b51e502b4a4

Score
10/10
evasionmacropersistencetrojanxlm

Malware Config

Targets

    • Target

      38c556d3864acffc91332ffad4285b60d465c430ed37fc09c35a1b97a2dc2cb6

    • Size

      69KB

    • MD5

      ab29df2b07096f2122b18e54d5d45a80

    • SHA1

      e96f9660f7ea0e45f168edf4242f7d70390e935c

    • SHA256

      38c556d3864acffc91332ffad4285b60d465c430ed37fc09c35a1b97a2dc2cb6

    • SHA512

      6a3e2106019a1ba4c01ea21f7561bbbc74a63999bea057b6ad6178d205597ac5be286ca1788a4536c0aabb95df977bee960c3f8d704c816161a0d48e83a9be40

    Score
    10/10
    evasionpersistencetrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Registers COM server for autorun

      persistence

    • Blocklisted process makes network request

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops file in System32 directory

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

4
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks