Overview

overview

9

Static

static

1

PLnscHuiKqAawMiU.rtf

windows7-x64

9

PLnscHuiKqAawMiU.rtf

windows10-2004-x64

1

Sharing

Copy URL Twitter E-mail

General

  • Target

    PLnscHuiKqAawMiU.doc

  • Size

    684KB

  • Sample

    240819-g3rhlasajm

  • MD5

    d5ac3bdfc1c16165095c22500024f2f3

  • SHA1

    c4010fdbc899d9912f1ebc821b1bd2bad210052f

  • SHA256

    6dd55c94a5e3c10bb10494f9b5028f67e9a10370c88960194b9874fa7e6d5504

  • SHA512

    6fb3393bdaf7bf752af0b007b2cd49303199389ddc866c54e4a10ca5b2990baa3aeb8c12c9e226888b002ed63c8e0b119b46cb66bb452ef8c7f86ec664b6b187

  • SSDEEP

    6144:+wAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAK:J

Score
9/10
collectioncredential_accessdiscoveryexecutionspywarestealer

Malware Config

Targets

    • Target

      PLnscHuiKqAawMiU.doc

    • Size

      684KB

    • MD5

      d5ac3bdfc1c16165095c22500024f2f3

    • SHA1

      c4010fdbc899d9912f1ebc821b1bd2bad210052f

    • SHA256

      6dd55c94a5e3c10bb10494f9b5028f67e9a10370c88960194b9874fa7e6d5504

    • SHA512

      6fb3393bdaf7bf752af0b007b2cd49303199389ddc866c54e4a10ca5b2990baa3aeb8c12c9e226888b002ed63c8e0b119b46cb66bb452ef8c7f86ec664b6b187

    • SSDEEP

      6144:+wAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAK:J

    Score
    9/10
    collectioncredential_accessdiscoveryexecutionspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks