General

  • Target

    Proforma_Inv07.xls

  • Size

    848KB

  • Sample

    241021-sg6aeazdlj

  • MD5

    2da17e1c4ebf26a69581d54a54820b02

  • SHA1

    812508063f7f7c4f0d5f9af05a5eb355a113f1c8

  • SHA256

    770baf3fbd5bc70b9e53163834bf28524b88471bece306ddfa458be1d5a5dcb1

  • SHA512

    5efdf8482191f772bb93fe105a113e02b10f48f7b59aa146a7c1681a210d2ad68f420c202002d292c89703f16caec76a242f6bd47dcdf63d1746de81a78e4909

  • SSDEEP

    12288:zmzHJE+Czld0D3DERnLRmF8D1JhuiX3LJpGeuAPI83u+Bif:iczlCbARM85TX33P9NuL

Malware Config

Targets

    • Target

      Proforma_Inv07.xls

    • Size

      848KB

    • MD5

      2da17e1c4ebf26a69581d54a54820b02

    • SHA1

      812508063f7f7c4f0d5f9af05a5eb355a113f1c8

    • SHA256

      770baf3fbd5bc70b9e53163834bf28524b88471bece306ddfa458be1d5a5dcb1

    • SHA512

      5efdf8482191f772bb93fe105a113e02b10f48f7b59aa146a7c1681a210d2ad68f420c202002d292c89703f16caec76a242f6bd47dcdf63d1746de81a78e4909

    • SSDEEP

      12288:zmzHJE+Czld0D3DERnLRmF8D1JhuiX3LJpGeuAPI83u+Bif:iczlCbARM85TX33P9NuL

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks