General

  • Target: New Order PI-#19-09897981.xls

  • Size: 1.1MB

  • Sample: 241113-h6nfsaxdrb

  • MD5: f2711debc76d6e8fd87952e3b123f796

  • SHA1: 4ae156b52e4f0094161d1fbf4a2b86548b05b0b3

  • SHA256: 42b26807f1ba9bcb0be08ea66d955fd3bfd3e94336541b81d54ecfe8f28f2877

  • SHA512: 0e73aea7a5c23177dad88797d58004fd52d972f3bd0c01e6f7577edf13bf9988bdebf1a4026b59aea85353098628f0d3dfb713cfea66afde42143d4af26b6c20

  • SSDEEP: 24576:tq9PLiijE2Z5Z2am8tQnNF84LJQodsaGmQVfX:tEPLiij7Z5ZK8tYFjLJQodgmQp

Malware Config

Targets

    • Target: New Order PI-#19-09897981.xls

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks