General
Target: doc20219119979791.exe
Size: 28KB
Sample: 211109-txhpqacfbp
MD5: 848514d3293e05eef636c27ee777fe29
SHA1: 0386b781ab84c9309d24eb15ef68628363a21fb0
SHA256: 827adb7149301b3ba792a95aabfae0457354e38f87f6dd2da629a1cfe5c30801
SHA512: d6764b887d64874f98b0be4a79e18a7b91cc6e8e1a8ead0c00d11e200a1297d711d3f1af64138a50d7d0be615c61923d48cbb42d6e6e9ba8d36b26fd32d4bd3c
Static task: static1
Behavioral task: behavioral1 (sample doc20219119979791.exe, resource win7-en-20211104)
Behavioral task: behavioral2 (sample doc20219119979791.exe, resource win10-en-20211104)
Malware Config
Targets
Target: doc20219119979791.exe (28KB, SHA256 827adb7149301b3ba792a95aabfae0457354e38f87f6dd2da629a1cfe5c30801; MD5, SHA1 and SHA512 as listed under General)
Signatures matched for this target:
- Turns off Windows Defender SpyNet reporting: the Defender cloud-reporting (MAPS/SpyNet) setting is disabled in the registry, which stops sample submission to Microsoft; the report does not show the exact value written.
- Nirsoft: artifacts of a NirSoft utility were detected. NirSoft password-recovery tools are frequently bundled by credential stealers; the page does not name the specific tool.
- Downloads MZ/PE file: an HTTP response carried a PE executable (MZ header).
- Executes dropped EXE: a file written during the run was later started as a process.
- Loads dropped DLL: a DLL written during the run was later loaded.
- Accesses Microsoft Outlook profiles: Outlook profile data in the registry was read, consistent with mail-credential theft.
- Adds Run key to start application: persistence via a value under a CurrentVersion\Run key.
- Legitimate hosting services abused for malware hosting/C2: the sample contacted a public hosting or paste service rather than dedicated attacker infrastructure; the host is not shown on this page.
- Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger: the ThreadHideFromDebugger information class detaches a thread from any attached debugger, a common anti-analysis trick.
- Suspicious use of SetThreadContext: rewriting another thread's register context is a typical step of process hollowing or code injection; the report names only the API, not the target process.
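The signatures above are the names a sandbox attaches to low-level behaviour events. As an added example that is not part of the report or of the sandbox's own code, the matcher below turns a stream of constructed behaviour events into exactly those signature names. The event schema, the sample events, the paths, the hosts and the host lists are all assumptions made for this example; the registry locations, the ThreadHideFromDebugger class value (0x11) and the MZ header are real.

```python
"""Added example, not part of the sandbox report: map raw behaviour events to the
signature names listed on the page. Event schema, sample events and host lists
are constructed for this example (assumptions, not report data)."""
import re
from collections import defaultdict

# Signature names exactly as they appear on the report page.
PAGE_SIGNATURES = (
    "Turns off Windows Defender SpyNet reporting",
    "Nirsoft",
    "Downloads MZ/PE file",
    "Executes dropped EXE",
    "Loads dropped DLL",
    "Accesses Microsoft Outlook profiles",
    "Adds Run key to start application",
    "Legitimate hosting services abused for malware hosting/C2",
    "Looks up external IP address via web service",
    "Suspicious use of NtSetInformationThreadHideFromDebugger",
    "Suspicious use of SetThreadContext",
)

THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS value for NtSetInformationThread
SPYNET_KEY_RE = re.compile(r"\\Windows Defender\\Spynet$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
OUTLOOK_PROFILES_RE = re.compile(r"\\Outlook\\Profiles", re.I)
# Illustrative host lists only (assumption); a production matcher keeps far longer ones.
HOSTING_HOSTS = {"cdn.discordapp.com", "pastebin.com", "raw.githubusercontent.com"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "checkip.dyndns.org", "ip-api.com"}

# Constructed events in a made-up schema; none of these values come from the report.
SAMPLE_EVENTS = [
    {"type": "http_response", "host": "cdn.discordapp.com", "magic": "MZ",
     "saved_as": r"C:\Users\Public\svc.exe"},
    {"type": "process_create", "image": r"C:\Users\Public\svc.exe"},
    {"type": "file_write", "path": r"C:\Users\Public\helper.dll"},
    {"type": "dll_load", "path": r"C:\Users\Public\helper.dll"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet",
     "value": "SpynetReporting", "data": 0},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svc", "data": r"C:\Users\Public\svc.exe"},
    {"type": "registry_read",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "http_request", "host": "api.ipify.org", "path": "/"},
    {"type": "api_call", "api": "NtSetInformationThread",
     "args": {"ThreadInformationClass": 0x11}},
    {"type": "api_call", "api": "SetThreadContext", "args": {"target_pid": 4321}},
    {"type": "file_strings", "path": r"C:\Users\Public\svc.exe",
     "strings": ["NirSoft", "WebBrowserPassView"]},
]


def match_signatures(events):
    """Return {signature name: [evidence strings]} for every signature that fires."""
    hits = defaultdict(list)
    dropped = set()  # lower-cased paths the sample wrote/saved, so later use can be tagged "dropped"
    for ev in events:
        kind = ev["type"]
        if kind == "http_response":
            if ev["host"] in HOSTING_HOSTS:
                hits["Legitimate hosting services abused for malware hosting/C2"].append(ev["host"])
            if ev.get("magic") == "MZ":
                hits["Downloads MZ/PE file"].append(f'{ev["host"]} -> {ev.get("saved_as", "<memory>")}')
                if ev.get("saved_as"):
                    dropped.add(ev["saved_as"].lower())
        elif kind == "file_write":
            dropped.add(ev["path"].lower())
        elif kind == "process_create" and ev["image"].lower() in dropped:
            hits["Executes dropped EXE"].append(ev["image"])
        elif kind == "dll_load" and ev["path"].lower() in dropped:
            hits["Loads dropped DLL"].append(ev["path"])
        elif kind == "registry_set":
            if (SPYNET_KEY_RE.search(ev["key"]) and ev["value"].lower() == "spynetreporting"
                    and ev["data"] == 0):
                hits["Turns off Windows Defender SpyNet reporting"].append(f'{ev["key"]}\\{ev["value"]} = 0')
            if RUN_KEY_RE.search(ev["key"]):
                hits["Adds Run key to start application"].append(f'{ev["value"]} = {ev["data"]}')
        elif kind == "registry_read" and OUTLOOK_PROFILES_RE.search(ev["key"]):
            hits["Accesses Microsoft Outlook profiles"].append(ev["key"])
        elif kind == "http_request" and ev["host"] in IP_LOOKUP_HOSTS:
            hits["Looks up external IP address via web service"].append(ev["host"])
        elif kind == "api_call":
            if (ev["api"] == "NtSetInformationThread"
                    and ev["args"].get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER):
                hits["Suspicious use of NtSetInformationThreadHideFromDebugger"].append("ThreadHideFromDebugger")
            elif ev["api"] == "SetThreadContext":
                hits["Suspicious use of SetThreadContext"].append(f'target_pid={ev["args"].get("target_pid")}')
        elif kind == "file_strings" and any(s.lower().startswith("nirsoft") for s in ev["strings"]):
            hits["Nirsoft"].append(ev["path"])
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(evidence)}")
```

Running the block against the constructed events fires all eleven signatures from the page. The "dropped" bookkeeping is the part worth copying: "Executes dropped EXE" and "Loads dropped DLL" are only meaningful relative to files the sample itself created, so the matcher must see the write before the execute or load, which is why event order matters.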