General

  • Target

    NEW ORDER.xls

  • Size

    317KB

  • Sample

    240326-bwxs5seb5t

  • MD5

    3a676a14c0aa582a465032b971ca23f5

  • SHA1

    04b12227d6b22ed562005d126cd7e3366c4fe966

  • SHA256

    3688f05556a136fe094de5cb1888eac2a579525f72cd027e19738582ed40c283

  • SHA512

    f4e2e080f2c6b73aad8f8a487e65a5aed1cee9fa77e9e82f1e0538c978c2f150e10b2ac93e96d65857a7380acd94e16178c82bedb65c415b247f01580e49ae05

  • SSDEEP

    6144:VPunhX2jaLY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVlLMIU6FDCmg9bhQ87:VqhX2ja23bVlLMILKbhQ4z3SJKgJeB/b

Score
10/10

Malware Config

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks