General

  • Target

    Shipping documents.docx

  • Size

    10KB

  • Sample

    230306-g63d9sad8t

  • MD5

    38bde1f71eff4a0b7d396fc4560b921a

  • SHA1

    b7c1e4fdfec691fc11832480cca239d567b5b22c

  • SHA256

    08d5e1d19cd6c2d1d0cd69b4573702bcbd7ebb97835a9d4769fb4dc12a564be1

  • SHA512

    a484e8020d8fd46575814230ffab6cdbc1f968e35a9b037176f05c7defaede4a4b31eeedcd94418a961dbd8ec99f488fc8f88bad8bc1e911290a55d6eafd5f7b

  • SSDEEP

    192:ScIMmtP1aIG/bslPL++uOdVDl+CVWBXJC0c3Fe:SPXU/slT+LOdVHkZC94

Score
10/10

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http://ZZZJOOIOIOSDP99090SDXDdad9SDED99000DF00DF0SDF00DF0XCCXC0V00S0FDS0F0DF00SSZZZZZZZZ0X0C0XCZZXC0X@392117348/nc..........................doc

Targets

    • Target

      Shipping documents.docx

    • Size

      10KB

    • MD5

      38bde1f71eff4a0b7d396fc4560b921a

    • SHA1

      b7c1e4fdfec691fc11832480cca239d567b5b22c

    • SHA256

      08d5e1d19cd6c2d1d0cd69b4573702bcbd7ebb97835a9d4769fb4dc12a564be1

    • SHA512

      a484e8020d8fd46575814230ffab6cdbc1f968e35a9b037176f05c7defaede4a4b31eeedcd94418a961dbd8ec99f488fc8f88bad8bc1e911290a55d6eafd5f7b

    • SSDEEP

      192:ScIMmtP1aIG/bslPL++uOdVDl+CVWBXJC0c3Fe:SPXU/slT+LOdVHkZC94

    Score
    8/10

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (T1064): 1

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 3

    System Information Discovery (T1082): 3

Tasks