General
Target: doc20219119979791.r00
Size: 15KB
Sample: 211109-xyq92afgd9
MD5: 6f4901dd7316b533fcc1f78f1fde74a0
SHA1: 670b056a3e06b1c47e84fb5625584b84a4072cb6
SHA256: 1bb0dbfc5f3b6b1548976ce6b675b1333305ffd33a002cedbd0b7d1d72377913
SHA512: 3c53709aae84be0604466be074db6cc456f52da519558154a1e9f49ee355833dc098cc6c0ea8a395362a1757c91cb7b1cd3ad49b0e5c6b9f0570b15e7634c035
Static task: static1
Behavioral task: behavioral1
  Sample: doc20219119979791.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: doc20219119979791.exe
  Resource: win10-en-20211104
Malware Config
Targets
Target: doc20219119979791.exe
Size: 28KB
MD5: 848514d3293e05eef636c27ee777fe29
SHA1: 0386b781ab84c9309d24eb15ef68628363a21fb0
SHA256: 827adb7149301b3ba792a95aabfae0457354e38f87f6dd2da629a1cfe5c30801
SHA512: d6764b887d64874f98b0be4a79e18a7b91cc6e8e1a8ead0c00d11e200a1297d711d3f1af64138a50d7d0be615c61923d48cbb42d6e6e9ba8d36b26fd32d4bd3c
- Turns off Windows Defender SpyNet reporting
- Nirsoft
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext