General
-
Target
Office2010Toolkit.exe
-
Size
30.4MB
-
Sample
241119-splwqssmgl
-
MD5
095da47b2af35235a9dce6a3a0b8b7bc
-
SHA1
79c1e905b760f04b57d27fdcad6bae00092627a7
-
SHA256
750f304fdc796497d448f581cc69835875540dd03c5422efc2f7db4d2a507623
-
SHA512
073b54303e188e0d7ffa3b6016e566c3e182ef4ea468367c92c5bcd57058fc1dbb9e1ce8de33aa5fcb52ee1ed92e468f165a50511f0ed8595b029b627cd2a1eb
-
SSDEEP
393216:9BicMNQk9lhCOlF8ecgUv22AJDPUecfmJjO:6GanCAF8ex+HAx8Lu
Malware Config
Targets
-
-
Target
Office2010Toolkit.exe
-
Size
30.4MB
-
MD5
095da47b2af35235a9dce6a3a0b8b7bc
-
SHA1
79c1e905b760f04b57d27fdcad6bae00092627a7
-
SHA256
750f304fdc796497d448f581cc69835875540dd03c5422efc2f7db4d2a507623
-
SHA512
073b54303e188e0d7ffa3b6016e566c3e182ef4ea468367c92c5bcd57058fc1dbb9e1ce8de33aa5fcb52ee1ed92e468f165a50511f0ed8595b029b627cd2a1eb
-
SSDEEP
393216:9BicMNQk9lhCOlF8ecgUv22AJDPUecfmJjO:6GanCAF8ex+HAx8Lu
Score8/10-
Event Triggered Execution: Image File Execution Options Injection
-
Office macro that triggers on suspicious action
Office document macro which triggers in special circumstances - often malicious.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: Clear Persistence
remove IFEO.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
MITRE ATT&CK Enterprise v15
Persistence
Browser Extensions
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1