General

  • Target

    ca2d1cdf7ed424c2d7cf0ef6acb4a6d697a2316b8b0bdab73b4f3450eda994f4.doc

  • Size

    112KB

  • Sample

    240924-f6v5hsxcqf

  • MD5

    916af4bbb620fc412b71343c14bc65da

  • SHA1

    13972c6c8f8d121d90fd53ec6dfb634d0e382446

  • SHA256

    ca2d1cdf7ed424c2d7cf0ef6acb4a6d697a2316b8b0bdab73b4f3450eda994f4

  • SHA512

    9d4f71bbaefb57dffd57d603688732e32a811ffc3193c055f870402d5320745d2f8d48937889d51c7f4aa8f7210e60da44d46962a025e3594df11a241b97ac45

  • SSDEEP

    1536:vkcgH+VIU5s7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuBh/0pxG:vVgH+mU5ClwH9r0l77AnsSmy/Bh8pxG

Malware Config

Extracted

  • Language
    ps1
  • Source
    URLs
  • exe.dropper
    https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    developerpro21578Jp@@

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

MITRE ATT&CK Enterprise v15

Tasks