General

  • Target

    ecbf56dd2155295eea3ce5bf03351e7f749029b1fff2c66cafaa58e5722a29b1

  • Size

    2.5MB

  • Sample

    221126-2cdt2adc9v

  • MD5

    b245ee85ebbcc7618c82ee9c88d29fdc

  • SHA1

    de4874e8331e6bf8c733d14cc5b8df28410752d0

  • SHA256

    ecbf56dd2155295eea3ce5bf03351e7f749029b1fff2c66cafaa58e5722a29b1

  • SHA512

    375b068a5e06b4a53d38078fb0b3858ab7a9d7a28c07bf6ad54ebc5974912bebfc327c316f2f91e7fbfa0f1486296460cd8c2ce453d515c44ade7c7023ef4e0a

  • SSDEEP

    49152:SmcBEBYlM6Lqehl0iCn2KNP5fm43SRD7nt+H6gHnzR/wqI6nwNVv:SLEuqehl0bn2OP44iuH6gTRK6wNVv

Score
10/10

Malware Config

Targets

    • Target

      06.ɼɺ޸ϣ1/G4147ؿϽŴļͳһ𸴣.docx

    • Size

      24KB

    • MD5

      71c67d19ecb32da9e3a88e48ebd3f079

    • SHA1

      f2a4c52d8703e2b3516f549501fa9bceb8811741

    • SHA256

      d784c097585048ce92f12f11d58bf5b8577794646990b7235288b01cddaada21

    • SHA512

      2d7028ac2be7c23bcf4f3a3a5e64982e4b398f71a545e13c85f23d5b1ce70af5daa775e809eb353d42e0aceee1f5225373709a7c31cf03fac634e8def9461494

    • SSDEEP

      384:56cP6ERvkHdiZI5/8hrWv3qUNfI/PKg7+t5Q3itylX/k2i0a2cuRXYL:56bERvSSIGwvaYAPa5QZyT2NK

    Score
    4/10
    • Target

      06.ɼɺ޸ϣ1/嵥ɺ޸嵥/ïñɽG41һڵܶϽŴ̹嵥2014.12.27/ïñɽG41һڵܶϽŴ̹嵥2014.12.19.xls

    • Size

      1.3MB

    • MD5

      64c22f14684dbfdd8f7c4bb83118d6b1

    • SHA1

      4c3b30c83748c9cd69e05f2fc6324ec57aac2dab

    • SHA256

      b92bb126cd6e582e760fc22dd03ca53120162fc78b9432f082d749cceea1560b

    • SHA512

      40f8b6f7959d8f50c1e9df78b669d28b6c897702f0bdda5d24a79f825735cc6660abd72cd7ccf7706e789b0e0d1d86e24bf5d0722c4adcaaa4e3437ead223c0d

    • SSDEEP

      24576:8nYQPsoDpayI+wW9dFF3ttKA8NJ6PH0g/qTI5L5:MYQE6UlKdFF3ttEP

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes itself

    • Target

      06.ɼɺ޸ϣ1/嵥ɺ޸嵥/ïñɽG41һڵܶϽŴ̹嵥2014.12.27/ïñɽG41һڵܶϽŴͼֽĿ¼.xls

    • Size

      105KB

    • MD5

      1f60e295d5ea7925d7169c021222aceb

    • SHA1

      13f745e10a098ca80cc040c12ade5f5fb6ae20a3

    • SHA256

      4f0a5d5aaa620860dcebc0341d6782ebcf39a68d65d88febb5bf48e29ed22f07

    • SHA512

      622bbe0ccc93aff647a1fb2824c1094ab18c56c7faf958bcfe9eb091f2dcbbd337e2998f60e32787097ab2711a63f83c5828a642bd83b927c5838a331610d176

    • SSDEEP

      3072:Ix1gxv7yZmspH7+cclKiscI4ukoRWGN8Jp3yZ7ulWVbrzQ7ITkDZvn1VzUu1qJt5:c1gxv7yZmspH7+cclKiscI4ukoRWGN8y

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes itself

    • Target

      06.ɼɺ޸ϣ1/嵥ɺ޸嵥/ïñɽG47һϽŴ̹嵥20141208/ïñɽG47һϽŴ̹嵥20141208.xls

    • Size

      1.2MB

    • MD5

      6c7c942ee215e8b8449bec754891726e

    • SHA1

      57e5d5498b2292f8dfc6f7c0f1d609478fb8cf0d

    • SHA256

      c887bb577ae6256fe1e182d633910116dca0b16f8492ed74b500ab59e68fbc72

    • SHA512

      5c57bdae6b82552b87b2daf89ee60a3ccb5dd9881cc2f461e8ea400445a938a9d2a3a95819a89d115bbd2b7f53a616ada77a86a63b767bc9b66bd40b34539a64

    • SSDEEP

      12288:NHzhISBp3EEH9BnyMwEhVVkkqbEAESU6IB/5K9zzp1lIFj5VF4Y7h4g6rj9A/n+T:ZzhIS33xaP9On+T

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes itself

    • Target

      06.ɼɺ޸ϣ1/嵥ɺ޸嵥/ïñɽG47һϽŴ̹嵥20141208/ïñɽG47һϽŴͼֽĿ¼.xls

    • Size

      106KB

    • MD5

      bbbc0d4bba4cf691a1cf7d30c0d1d31c

    • SHA1

      335ded5a0eaac72c4090c293a631af57085e9a7d

    • SHA256

      4147b1c82dd69f4027eea1ffd5465f30894c979ea9971a0dc1f04c28a6a85fa4

    • SHA512

      3a47789281f27f1c7f22d9b40dea9d9346adc9cfa09a4ee25bec2540477a8589136d601469d66cee38a9605992b129acf2284f09edace9d8ad17eec7c590448d

    • SSDEEP

      3072:4UZ1gxv7yZmspH7+cclKisQ6NqTBun5ob57YWVbrzQ7IO7kTE7hVlFlDUJtXwj:441gxv7yZmspH7+cclKisQ6NqTBun5o/

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes itself
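The two behavioural signatures reported on the .xls targets (an Office host spawning an unexpected child, and the dropped process deleting itself) are the kind of thing a detection engineer wants to reproduce against process-creation telemetry. The following Python is an added example written for this page; it is not the sandbox's own signature code and nothing in it comes from the report. The key=value log layout, the process names, PIDs and paths are all constructed, and the lists of Office hosts and suspicious children are an assumed baseline to tune per environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Office hosts whose children deserve scrutiny, and children that a spreadsheet
# or document has no business launching. Together they are the condition behind
# a "Process spawned unexpected child process" verdict. Assumed baseline, tune it.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
UNEXPECTED_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "schtasks.exe",
}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # its command line, as logged


# Constructed process-creation events (assumed key=value layout, command line
# last because it may contain spaces). Made up for this example, not taken
# from the sandbox run above.
SAMPLE_LOG = """\
pid=100 ppid=1 image=C:\\Windows\\explorer.exe cmdline=explorer.exe
pid=200 ppid=100 image=C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE cmdline="EXCEL.EXE" /dde
pid=700 ppid=200 image=C:\\Windows\\splwow64.exe cmdline=splwow64.exe 12288
pid=300 ppid=200 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe"
pid=400 ppid=300 image=C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe cmdline="C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe"
pid=500 ppid=400 image=C:\\Windows\\System32\\cmd.exe cmdline=cmd /c ping 127.0.0.1 -n 3 > nul & del "C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe"
pid=600 ppid=100 image=C:\\Program Files\\Google\\Chrome\\chrome.exe cmdline=chrome.exe
"""

LINE_RE = re.compile(r"^pid=(\d+) ppid=(\d+) image=(.+?) cmdline=(.*)$")
# "del [/switches] <target>" with an optionally quoted target
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w+\s+)*(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def parse_events(text: str) -> List[ProcEvent]:
    """Parse the key=value lines; anything that is not a process-creation record is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(ProcEvent(int(m[1]), int(m[2]), m[3], m[4]))
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of quotes and forward slashes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unexpected_children(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent pid, child pid) for every Office host that launched a scripting/LOLBin child."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if basename(parent.image) in OFFICE_HOSTS and basename(child.image) in UNEXPECTED_CHILDREN:
            hits.append((parent.pid, child.pid))
    return hits


def find_self_deletion(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(victim pid, cmd.exe pid) when a process's cmd.exe child runs 'del' on the parent's own image.

    Only the 'cmd /c ... del <own path>' pattern is covered; self-deletion via
    MoveFileEx, a dropped .bat, or a delayed scheduled task needs other telemetry.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None or basename(child.image) != "cmd.exe":
            continue
        for m in DEL_RE.finditer(child.cmdline):
            target = (m[1] or m[2]).lower()
            if target == parent.image.strip('"').lower():
                hits.append((parent.pid, child.pid))
                break
    return hits


def triage(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Run both checks over a log and return the hits per signature name."""
    events = parse_events(text)
    return {
        "unexpected_child": find_unexpected_children(events),
        "deletes_itself": find_self_deletion(events),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On a real host the same fields come from Sysmon Event ID 1 (ParentProcessId, Image, CommandLine) or an EDR process tree; only the parser changes. Note that the Excel-to-splwow64.exe pair is deliberately left unflagged: Office legitimately spawns helpers such as the print spooler proxy, so a tuned allow-list matters more than the deny-list.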

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                       ID       Count
  Persistence       Hidden Files and Directories    T1158    4
  Defense Evasion   Modify Registry                 T1112    5
  Defense Evasion   Hidden Files and Directories    T1158    4
  Discovery         Query Registry                  T1012    10
  Discovery         System Information Discovery    T1082    10

Note: T1158 exists only in ATT&CK v6 and earlier; later versions fold it into T1564.001 (Hide Artifacts: Hidden Files and Directories), so map it before correlating with newer content.

Tasks