General

  • Target

    OfficeFR.zip

  • Size

    5.6MB

  • Sample

    240221-tqfxjsag51

  • MD5

    833ddc1ead1a416da66360ae4f81a92f

  • SHA1

    418ad82a6a1777f327ae07393fc8e0a573ee8340

  • SHA256

    2833f20225745fba308eeba54508a18930093356ac74d5fc67a42ba263351484

  • SHA512

    e1c8409607a52e4f8a7d50f1ef6b2491d8a1ac7db635079a2d96c75269fb9d52aea60825c41908e6f64cb7a7bb3929159564c8e7de5827d3d518246e065eb411

  • SSDEEP

    98304:H1rTUJe4YzZVa81bXvXyeNbnaASj5KIyrpbkACjUALuveae01rjyxWmTQmBn:H18JSVTvkXunCIASven01PyxWmzn
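A practitioner who receives a file claiming to be this sample will want to confirm it before triage. The following PowerShell is an added example, not part of the sandbox report: it hashes a local copy of the archive, extracts it to a scratch directory without executing anything, hashes every member, and compares each SHA256 against the values listed on this page. The function name and the quarantine path used in the usage line are assumptions.

```powershell
# Added example (not from the sandbox report): verify a local copy of
# OfficeFR.zip and its members against the SHA256 values listed above.
$ExpectedSha256 = @{
    'OfficeFR.zip' = '2833f20225745fba308eeba54508a18930093356ac74d5fc67a42ba263351484'
    'Setup.X64.fr-FR_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe' = 'ee4db6ac9a72bbcea34eeea77a3f1a9f655fa9e2df670408e6aaaf36cc840b3f'
    'Setup.X86.fr-FR_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe' = '1627c3ff6924e869eee5c88ac0cbb3c190d4e97ec04b18d9dc0d86507d3cbc97'
}

function Test-SampleHashes {
    param(
        [Parameter(Mandatory)][string]$ArchivePath,   # path to the suspected OfficeFR.zip
        [hashtable]$Expected = $ExpectedSha256
    )
    $results = @()
    $results += [pscustomobject]@{
        Name   = 'OfficeFR.zip'
        Sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $ArchivePath).Hash.ToLower()
    }

    # Extract into a throwaway directory; the members are hashed, never run.
    $tmp = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        Expand-Archive -LiteralPath $ArchivePath -DestinationPath $tmp -Force
        Get-ChildItem -LiteralPath $tmp -File -Recurse | ForEach-Object {
            $results += [pscustomobject]@{
                Name   = $_.Name
                Sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash.ToLower()
            }
        }
    } finally {
        Remove-Item -LiteralPath $tmp -Recurse -Force -ErrorAction SilentlyContinue
    }

    # Label each file: MATCH, MISMATCH (name known but content differs),
    # or NOT IN REPORT (a member this page does not list).
    foreach ($r in $results) {
        $want = $Expected[$r.Name]
        $status = if (-not $want) { 'NOT IN REPORT' }
                  elseif ($want -eq $r.Sha256) { 'MATCH' }
                  else { 'MISMATCH' }
        $r | Add-Member -NotePropertyName Status -NotePropertyValue $status
    }
    $results
}

# Usage (path is hypothetical):
Test-SampleHashes -ArchivePath 'C:\quarantine\OfficeFR.zip' | Format-Table -AutoSize
```

Run this on an isolated analysis VM: extraction alone does not execute the payload, but endpoint protection on a production host may quarantine the members mid-run and leave the comparison incomplete. A MISMATCH on a member with the expected name means you are holding a different build than the one analysed here, and the behaviour listed below should not be assumed to carry over.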

Malware Config

Targets

    • Target

      Setup.X64.fr-FR_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe

    • Size

      7.8MB

    • MD5

      407649057c13d5335426826894577c14

    • SHA1

      42f41a3d7074b4a28377a24975d9604d09b1b7db

    • SHA256

      ee4db6ac9a72bbcea34eeea77a3f1a9f655fa9e2df670408e6aaaf36cc840b3f

    • SHA512

      3ec00eda714cd1eafe1ca09df78316616a17ac3126f162086f234a15c430515df5d2625aac31e33e7c8280a6156b4b7f3956731f54b6120f521cd0c4e68db6ed

    • SSDEEP

      98304:XS/pJO7LH+/9lNmYg0OxpCmUVzNJBwY2hW:XOJO/e/3Nmn0OxpRmJBWW

    • Manipulates Digital Signatures

      Attackers can alter the registry keys that back Authenticode and the Cryptography subsystem (subject interface packages and trust providers) so that their binary is reported as validly signed.

    • Sets file execution options in registry

    • Suspicious Office macro

      Office document containing Excel 4.0 (XLM) macros.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules that act as plug-ins for Internet Explorer and are loaded into its process at startup.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Target

      Setup.X86.fr-FR_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe

    • Size

      5.3MB

    • MD5

      43410015fa230bcbd6dbce0bdf0263df

    • SHA1

      fccd6b62564f6aead5a34ef768c086ff61669b3b

    • SHA256

      1627c3ff6924e869eee5c88ac0cbb3c190d4e97ec04b18d9dc0d86507d3cbc97

    • SHA512

      a0cf5519095afbb0ffce2816adb3c7db1af13b2af2c31c770a40eb19ace3b5574fe8fc9e3f551c71c7f2be0aa64483225ceb85e7c7194a8d038ae979a6082473

    • SSDEEP

      98304:NbJU1eVFQMl/qh6LiIszkgY34pURD/2DgbHX3Dok0NwY2hEfGl:Nbi1e78hWiIszkpgYD/2S3h0NWt

    • Manipulates Digital Signatures

      Attackers can alter the registry keys that back Authenticode and the Cryptography subsystem (subject interface packages and trust providers) so that their binary is reported as validly signed.

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Registers COM server for autorun

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules that act as plug-ins for Internet Explorer and are loaded into its process at startup.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory
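Several of the signatures above (Manipulates Digital Signatures, Sets file execution options in registry, Installs/modifies Browser Helper Object) leave artifacts in well-known registry locations on the infected host. The PowerShell below is an added example, not part of the sandbox report: it enumerates the SIP and trust-provider registrations that Authenticode validation depends on, the Image File Execution Options Debugger values, and the BHO CLSIDs, and flags any entry whose DLL does not live under the Windows directory. The function names and the "outside the Windows directory" heuristic are my assumptions; the registry paths are the standard locations for these mechanisms.

```powershell
# Added example (not from the sandbox report): triage the registry locations
# behind the signature-manipulation, IFEO and BHO signatures. Run elevated on
# the host under investigation, or against an offline hive loaded with reg.exe.
$Windir = $env:SystemRoot

function Test-TrustedDllPath {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $true }
    $p = [Environment]::ExpandEnvironmentVariables($Value).Trim('"')
    if (-not [IO.Path]::IsPathRooted($p)) {
        # Bare file name: the loader resolves it via the search path, so only
        # accept it if that file really exists in System32.
        return (Test-Path -LiteralPath (Join-Path "$Windir\System32" $p))
    }
    return $p.StartsWith($Windir, [StringComparison]::OrdinalIgnoreCase)
}

function Get-TrustSubversionArtifacts {
    $hits = @()
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        # Subject Interface Packages: Dll/FuncName pairs Authenticode calls to
        # compute and verify file hashes (hijacking these is ATT&CK T1553.003).
        foreach ($sub in 'CryptSIPDllVerifyIndirectData', 'CryptSIPDllGetSignedDataMsg') {
            $key = "$root\Microsoft\Cryptography\OID\EncodingType 0\$sub"
            Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
                $v = Get-ItemProperty -LiteralPath $_.PSPath
                $hits += [pscustomobject]@{
                    Category = "SIP/$sub"; Key = $_.PSChildName
                    Dll = $v.Dll; Function = $v.FuncName
                    Suspicious = -not (Test-TrustedDllPath $v.Dll)
                }
            }
        }
        # Trust provider FinalPolicy: $DLL/$Function produce the WinVerifyTrust verdict.
        $key = "$root\Microsoft\Cryptography\Providers\Trust\FinalPolicy"
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $v = Get-ItemProperty -LiteralPath $_.PSPath
            $hits += [pscustomobject]@{
                Category = 'TrustProvider/FinalPolicy'; Key = $_.PSChildName
                Dll = $v.'$DLL'; Function = $v.'$Function'
                Suspicious = -not (Test-TrustedDllPath $v.'$DLL')
            }
        }
        # Browser Helper Objects: each CLSID is resolved to its InprocServer32 DLL.
        $key = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            $server = $null
            foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
                $ip = Get-ItemProperty -Path "$hive\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
                if ($ip) { $server = $ip.'(default)'; break }
            }
            $hits += [pscustomobject]@{
                Category = 'BHO'; Key = $clsid; Dll = $server; Function = $null
                Suspicious = ($null -eq $server) -or -not (Test-TrustedDllPath $server)
            }
        }
    }
    # Image File Execution Options: a Debugger value redirects the named program.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty -LiteralPath $_.PSPath
        if ($v.Debugger) {
            $hits += [pscustomobject]@{
                Category = 'IFEO/Debugger'; Key = $_.PSChildName
                Dll = $v.Debugger; Function = $null
                Suspicious = $true   # rarely legitimate on a workstation
            }
        }
    }
    $hits
}

Get-TrustSubversionArtifacts | Where-Object Suspicious | Format-Table -AutoSize
```

Two caveats when reading the output. Third-party BHOs legitimately install under Program Files, so a flagged BHO is a prompt to inspect the DLL, not a verdict. More importantly, if a SIP or FinalPolicy entry has been redirected, Get-AuthenticodeSignature and signtool on that host will report whatever the attacker's DLL tells them, so verify the flagged DLLs by hash from a clean system rather than trusting signature checks performed on the compromised one.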

MITRE ATT&CK Enterprise v15

Tasks