General
Target: Proforma_Inv07.xls
Size: 848KB
Sample: 241021-sg6aeazdlj
MD5: 2da17e1c4ebf26a69581d54a54820b02
SHA1: 812508063f7f7c4f0d5f9af05a5eb355a113f1c8
SHA256: 770baf3fbd5bc70b9e53163834bf28524b88471bece306ddfa458be1d5a5dcb1
SHA512: 5efdf8482191f772bb93fe105a113e02b10f48f7b59aa146a7c1681a210d2ad68f420c202002d292c89703f16caec76a242f6bd47dcdf63d1746de81a78e4909
SSDEEP: 12288:zmzHJE+Czld0D3DERnLRmF8D1JhuiX3LJpGeuAPI83u+Bif:iczlCbARM85TX33P9NuL
Static task: static1
Behavioral task: behavioral1 (sample Proforma_Inv07.xls, resource win7-20240903-en)
Behavioral task: behavioral2 (sample Proforma_Inv07.xls, resource win10v2004-20241007-en)
Malware Config
Targets
-
-
Target
Proforma_Inv07.xls
-
Size
848KB
-
MD5
2da17e1c4ebf26a69581d54a54820b02
-
SHA1
812508063f7f7c4f0d5f9af05a5eb355a113f1c8
-
SHA256
770baf3fbd5bc70b9e53163834bf28524b88471bece306ddfa458be1d5a5dcb1
-
SHA512
5efdf8482191f772bb93fe105a113e02b10f48f7b59aa146a7c1681a210d2ad68f420c202002d292c89703f16caec76a242f6bd47dcdf63d1746de81a78e4909
-
SSDEEP
12288:zmzHJE+Czld0D3DERnLRmF8D1JhuiX3LJpGeuAPI83u+Bif:iczlCbARM85TX33P9NuL
Signatures
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Downloads MZ/PE file
- Evasion via Device Credential Deployment
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
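The persistence signatures in this report (Active Setup, COM object hijacking, IFEO injection) and the unexpected child process spawned from the Office parent are what a responder would hunt for on other hosts. The following is an added example, not part of the sandbox report or its tooling: a small Python triage that classifies Sysmon-style telemetry (EventID 1 ProcessCreate, EventID 13 RegistryEvent value set) against those behaviours, using the well-known registry locations for each technique and the ATT&CK v15 IDs for the techniques named in the matrix. The report does not disclose the sample's actual key names, values or child process, so the registry paths, the HKU-only heuristic for COM hijacks, the sample events and the `classify`/`triage` function names are assumptions and constructed data.

```python
"""Triage helper for the behaviours this report flags: an Office parent
spawning an unexpected child, an Active Setup StubPath value, a per-user COM
CLSID server override and an IFEO Debugger value. Added example, not part
of the sandbox report. Input is a list of Sysmon-style events (EventID 1 =
ProcessCreate, 13 = Registry value set) using Sysmon's field names; the
events at the bottom are constructed for illustration, not from the run."""
import re

# Generic registry locations for the three persistence techniques in the
# report's ATT&CK matrix (IDs are from ATT&CK Enterprise v15). The report
# does not disclose the sample's actual key names, so these are assumptions.
REGISTRY_RULES = [
    (re.compile(r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I),
     "Boot or Logon Autostart Execution: Active Setup", "T1547.014"),
    # A per-user CLSID entry overrides HKLM without admin rights, while HKLM
    # CLSID writes by installers are routine, so only the HKU hive is matched
    # (heuristic; tune for your environment).
    (re.compile(r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}"
                r"\\(InprocServer32|LocalServer32)(\\\(Default\))?$", re.I),
     "Event Triggered Execution: Component Object Model Hijacking", "T1546.015"),
    (re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I),
     "Event Triggered Execution: Image File Execution Options Injection", "T1546.012"),
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Print-spooler proxy: the one child Office routinely spawns on its own.
BENIGN_OFFICE_CHILDREN = {"splwow64.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding dict for one event, or None if nothing matches."""
    eid = event.get("EventID")
    if eid == 13:
        target = event.get("TargetObject", "")
        for rule, signature, technique in REGISTRY_RULES:
            if rule.search(target):
                return {"signature": signature, "technique": technique,
                        "image": event.get("Image", ""), "target": target,
                        "details": event.get("Details", "")}
    elif eid == 1:
        parent = _basename(event.get("ParentImage", ""))
        child = _basename(event.get("Image", ""))
        if parent in OFFICE_PARENTS and child not in BENIGN_OFFICE_CHILDREN:
            # No ATT&CK ID is assigned: the report lists this only as a signature.
            return {"signature": "Process spawned unexpected child process",
                    "technique": None, "image": event.get("Image", ""),
                    "target": event.get("ParentImage", ""),
                    "details": event.get("CommandLine", "")}
    return None


def triage(events):
    """Classify every event and return only the hits, in input order."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry (not taken from the sandbox run).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"cmd.exe /c start C:\Users\u\AppData\Roaming\inv.exe"},
    {"EventID": 1, "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "splwow64.exe"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Roaming\inv.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{5D7A1A2B-0000-4E2A-9A1C-000000000001}\StubPath",
     "Details": r"C:\Users\u\AppData\Roaming\inv.exe"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Roaming\inv.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                     r"\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\InprocServer32\(Default)",
     "Details": r"C:\Users\u\AppData\Roaming\inv.dll"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Roaming\inv.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\Users\u\AppData\Roaming\inv.exe"},
    # Benign: a MitigationOptions value under IFEO, not a Debugger value.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Image File Execution Options\notepad.exe\MitigationOptions",
     "Details": "Binary Data"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        tid = finding["technique"] or "-"
        print(f"{tid:10} {finding['signature']}: {finding['image']} -> {finding['target']}")
```

The rules key on the specific value names (StubPath, the CLSID server's default value, Debugger) rather than the parent keys, so ordinary writes under the same hives, such as the MitigationOptions value in the last sample event, do not fire; the Office child check is an allowlist rather than a blocklist because the report gives no child process name and any non-spooler child of a spreadsheet is worth a look.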