General
Target: OfficeFR.zip
Size: 5.6MB
Sample: 240221-tqfxjsag51
MD5: 833ddc1ead1a416da66360ae4f81a92f
SHA1: 418ad82a6a1777f327ae07393fc8e0a573ee8340
SHA256: 2833f20225745fba308eeba54508a18930093356ac74d5fc67a42ba263351484
SHA512: e1c8409607a52e4f8a7d50f1ef6b2491d8a1ac7db635079a2d96c75269fb9d52aea60825c41908e6f64cb7a7bb3929159564c8e7de5827d3d518246e065eb411
SSDEEP: 98304:H1rTUJe4YzZVa81bXvXyeNbnaASj5KIyrpbkACjUALuveae01rjyxWmTQmBn:H18JSVTvkXunCIASven01PyxWmzn
Static task: static1
Behavioral task: behavioral1
  Sample: Setup.X64.fr-FR_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Setup.X64.fr-FR_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe
  Resource: win10-20240221-en
Behavioral task: behavioral3
  Sample: Setup.X86.fr-FR_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe
  Resource: win7-20240220-en
Behavioral task: behavioral4
  Sample: Setup.X86.fr-FR_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe
  Resource: win10-20240221-en
Malware Config

Targets

Target: Setup.X64.fr-FR_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe
Size: 7.8MB
MD5: 407649057c13d5335426826894577c14
SHA1: 42f41a3d7074b4a28377a24975d9604d09b1b7db
SHA256: ee4db6ac9a72bbcea34eeea77a3f1a9f655fa9e2df670408e6aaaf36cc840b3f
SHA512: 3ec00eda714cd1eafe1ca09df78316616a17ac3126f162086f234a15c430515df5d2625aac31e33e7c8280a6156b4b7f3956731f54b6120f521cd0c4e68db6ed
SSDEEP: 98304:XS/pJO7LH+/9lNmYg0OxpCmUVzNJBwY2hW:XOJO/e/3Nmn0OxpRmJBWW

Manipulates Digital Signatures: Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as valid.
Sets file execution options in registry
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s)
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Checks system information in the registry: System information is often read in order to detect sandboxing environments.
Drops file in System32 directory
Target: Setup.X86.fr-FR_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe
Size: 5.3MB
MD5: 43410015fa230bcbd6dbce0bdf0263df
SHA1: fccd6b62564f6aead5a34ef768c086ff61669b3b
SHA256: 1627c3ff6924e869eee5c88ac0cbb3c190d4e97ec04b18d9dc0d86507d3cbc97
SHA512: a0cf5519095afbb0ffce2816adb3c7db1af13b2af2c31c770a40eb19ace3b5574fe8fc9e3f551c71c7f2be0aa64483225ceb85e7c7194a8d038ae979a6082473
SSDEEP: 98304:NbJU1eVFQMl/qh6LiIszkgY34pURD/2DgbHX3Dok0NwY2hEfGl:Nbi1e78hWiIszkpgYD/2S3h0NWt
Score: 8/10

Manipulates Digital Signatures: Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as valid.
Sets file execution options in registry
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Registers COM server for autorun
Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s)
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Checks system information in the registry: System information is often read in order to detect sandboxing environments.
Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 2
  Registry Run Keys / Startup Folder: 2
  Browser Extensions: 1
  Event Triggered Execution: 1
  Change Default File Association: 1
  Scheduled Task/Job: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 2
  Registry Run Keys / Startup Folder: 2
  Event Triggered Execution: 1
  Change Default File Association: 1
  Scheduled Task/Job: 1
Defense Evasion
  Modify Registry: 4
  Subvert Trust Controls: 1
  SIP and Trust Provider Hijacking: 1