1a23cac89869879a8096b7ae1eecff4aefd7c1e3a5b9ccebce1519e7575b7131 | Triage

Sharing

General

Target

1a23cac89869879a8096b7ae1eecff4aefd7c1e3a5b9ccebce1519e7575b7131
Size

151KB
Sample

221125-x2gvrshf26
MD5

2e520417cfc2d9d8bd1bb78db29776c6
SHA1

59621f547d43b1d2ed9ebbc70918a75367540a7c
SHA256

1a23cac89869879a8096b7ae1eecff4aefd7c1e3a5b9ccebce1519e7575b7131
SHA512

2c3699bb667f3c699be97f8a902cf438a516d762774bbf123d69e233981faec9949c427ca44bcc5cef9b6151ffb9a5631ae61bf7b2668a9cb3e4829dbc4c2542
SSDEEP

3072:7yrtNi3s3sy6UiXODbbUDCwdEEUPMQ1+GBBCMwAQ:Wy3k10ODbbAChRQ

Score

10^/10

evasion macro macro_on_action persistence xlm

Malware Config

Targets

- Target
  
  成果项目专家鉴定意见表.doc
- Size
  
  26KB
- MD5
  
  36d47364e02e258f2bf2c624828c8dcf
- SHA1
  
  cb1def5f4211966aecd5ef81378ad6b145d9b965
- SHA256
  
  3ed0b9dcec85fdd65e491885d5564345072c99bdfd8bc9a2a387b39db4d5fafc
- SHA512
  
  8821bd4f37b193977156f69be4a6b4203ed45cdef18292559985d3582f83946c96a8e3eb0a56979263c58b6615e7a06fee766148156300dbec5c04789414159c
- SSDEEP
  
  192:AJWtHyfpg9Fwh2222PHIvjEKJKXPDO/gDIk8x5Ao:eWtSfpg9+2222PO/g
Score

4^/10
behavioral1 behavioral2
- Target
  
  申请表.doc
- Size
  
  60KB
- MD5
  
  32f19b3fc833575fb6cf44852b13de49
- SHA1
  
  1cbfcacb449576cbe0dc7e4219ae247b6482d758
- SHA256
  
  26937645d615eaf2b0d6736b75e082d29bc8f8558f57599e097e3aff81d7c6b5
- SHA512
  
  8dd73a35aa54b3b54d8c6d543234055c092c152b7d62510a23e1234693d61953189fcf33354ad207fc2e048e7a53af8896cb9ac0e617455c76008c7fd303033f
- SSDEEP
  
  768:SGdQXK9+6w020tnWifCWS4S4SqfJOuT4O:qWCWS4S4SKJ+
Score

4^/10
behavioral3 behavioral4
- Target
  
  登记表.xls
- Size
  
  263KB
- MD5
  
  b638cc21d05316ae407500e2f0777bfc
- SHA1
  
  b40550fab16f392e9cdacf444e5ccea82d0c8aa3
- SHA256
  
  1f9b7faf1e8049b82734ef3caa14a560aebcd027679db1c16482f5e25b8a6e4d
- SHA512
  
  65060ddd8073c8e915079cb53a8ac4bb0e431dadaba3999f80ebffa08134e089f79531604e57ce99f702e48a221608d258ed27eef566f0a8cc35c72af2b6554e
- SSDEEP
  
  6144:75ro+54uoqIj6XUEImVw/P67vRfCpGAZrkOCakKZgW9ef9g+9f9kHMiVP:u+5JSZiy/P6JC4Wgf9fq
Score

10^/10

evasion macro macro_on_action persistence xlm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  通知.doc
- Size
  
  67KB
- MD5
  
  583458381f566322b7868e8cefc836aa
- SHA1
  
  6ecb6caf7cd455cbde585ae3cf839af86482efb4
- SHA256
  
  38e6634ba3c4d1e242385b3112af7dd3cd40883c7dca6833314e531d1978ca7b
- SHA512
  
  057b1cfbb194d110378f0fa1f3f5f0f8a889c86a3a20c589fc4ace2bd14cff83532fa974168d2f041541b6d505cc700c09a14663c1e9996b770f81de800cd30d
- SSDEEP
  
  1536:4r05RV1zOym/IJoeiuRbRoQA5EcbXazye:7OyAUHoQWZrazy
Score

4^/10
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

evasionmacromacro_on_actionpersistencexlm

behavioral6

behavioral7

behavioral8