General
-
Target
rule_010.21.doc
-
Size
33KB
-
Sample
211022-tlhwcabgh5
-
MD5
4b420bc3f81ce0f0313a1e4dda8c2b5f
-
SHA1
5fa4c3a4b8809f57aaa0dcffa88d48711bc2389e
-
SHA256
aa410115edee64b35a2dc46bb5f6243f3d351d3e8e3bb7e94142949f76e25893
-
SHA512
3a1a8ceb057f937359df4dca286f5952c7f318a9b0b661804f4f4af2bfb18d886f1b8501bcc9baa7fcb061a8e9f24597d5232b5c970f91e1660a1c2f36176099
Static task
static1
Behavioral task
behavioral1
Sample
rule_010.21.doc
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
rule_010.21.doc
Resource
win10-en-20210920
Malware Config
Targets
-
-
Target
rule_010.21.doc
-
Size
33KB
-
MD5
4b420bc3f81ce0f0313a1e4dda8c2b5f
-
SHA1
5fa4c3a4b8809f57aaa0dcffa88d48711bc2389e
-
SHA256
aa410115edee64b35a2dc46bb5f6243f3d351d3e8e3bb7e94142949f76e25893
-
SHA512
3a1a8ceb057f937359df4dca286f5952c7f318a9b0b661804f4f4af2bfb18d886f1b8501bcc9baa7fcb061a8e9f24597d5232b5c970f91e1660a1c2f36176099
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Bazar/Team9 Loader payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-