General

  • Target

    sus.txt

  • Size

    33B

  • Sample

    221129-p9jekabd34

  • MD5

    652747586066e24a04a8c518c7e8037b

  • SHA1

    fd0b1016c319000db7f637d2a5ec69849f7084d9

  • SHA256

    06661b993960db5564e908e925100252af536866ed911d6af581925e118c2520

  • SHA512

    e5be8a41affa7b131989d9ba39af63237772c889a1347438dcd9599332d25e18f8babfcc8d960dd69f159dbe1e28c2eb3f9805e0792d89f692befac2fe2b0ca9

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/b61285dd-d9f7-41f2-9757-8f61cba4e9c8/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/834504cc-dc55-4c6d-9e71-e024d0253f6d/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5462eee5-1e97-495b-9370-853cd873bb07/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/5440fd1f-7ecb-4221-8110-145efaa6372f/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/f4f024c8-d611-4748-a7e0-02b6e754c0fe/Office/Data/v32.cab

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://officecdn.microsoft.com/pr/2e148de9-61c8-4051-b103-4af54baffbb4/Office/Data/v32.cab

Targets

    • Target

      sus.txt

    • Size

      33B

    • MD5

      652747586066e24a04a8c518c7e8037b

    • SHA1

      fd0b1016c319000db7f637d2a5ec69849f7084d9

    • SHA256

      06661b993960db5564e908e925100252af536866ed911d6af581925e118c2520

    • SHA512

      e5be8a41affa7b131989d9ba39af63237772c889a1347438dcd9599332d25e18f8babfcc8d960dd69f159dbe1e28c2eb3f9805e0792d89f692befac2fe2b0ca9

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Registers COM server for autorun

    • Sets file execution options in registry

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

2
T1060

Browser Extensions

1
T1176

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

5
T1112

Impair Defenses

1
T1562

Install Root Certificate

1
T1130

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Impact

Service Stop

1
T1489

Tasks