General

  • Target

    avatar.jpg

  • Size

    8KB

  • Sample

    230328-1a6xcsfb5y

  • MD5

    f70b24dfe9e49b0af3513dfbd53cadaa

  • SHA1

    666a52fa433181c74463a4a07fc3b14225a1351e

  • SHA256

    6c526b56946f1159ddf58f72542a3020e4610f9e70ea59bb1b30c8630a3faf79

  • SHA512

    3439302faa2d0d8f7e8584fd630a8816205ea04e9fce0effab1617c71ae7590c08ae69676fc1647c3ce95eb5dafc3ed8ad1e82e607b82fda4d2b9ee65f67c2b4

  • SSDEEP

    192:u7SVdhw9DmrAoPnQ7zads8eTVn24O2yyCfkC4VxzgGOJylq84BMqMOM51vUn1uPM:O9DObPn6Gdszpn2UyxEdkjBMSu8IPM

Malware Config

Targets

    • Target

      avatar.jpg


    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro that triggers only under special circumstances; often malicious.

    • Registers new Print Monitor

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Registers COM server for autorun

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Initial Access

    Replication Through Removable Media (T1091): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 3

    Change Default File Association (T1042): 1

  • Defense Evasion

    Modify Registry (T1112): 4

  • Discovery

    Query Registry (T1012): 7

    System Information Discovery (T1082): 7

    Peripheral Device Discovery (T1120): 2

  • Lateral Movement

    Replication Through Removable Media (T1091): 1

Tasks