e4f6c81b09b0eeca69933d95506dcdcc76ddd05943f552270dbbdb15d760a1d3

General

Target

OfficeDE.zip
Size

5.6MB
Sample

241208-r173nswngs
MD5

a789a37df845321375c7a7bdcb920be3
SHA1

62b1596b543800d84558008faffd5c0c2bbb91b4
SHA256

e4f6c81b09b0eeca69933d95506dcdcc76ddd05943f552270dbbdb15d760a1d3
SHA512

ecd17f6b06d040311d18a7bfc9a30598dcab6193078c15db40e4233535a354b95390ad6045c0def6dfe0abe3cd0b8df00ecf8133a225d1a7e7dc100be01e1069
SSDEEP

98304:TZX+WxOQIk9rCO/f+w3QeW1vPnH2aqi0y+fnaLhSj5KIyrpbkACjUALuveae01rm:EWfI0Ow3QP1Xf0yryunCIASven01PyxL

Score

8^/10

Malware Config

Targets

- Target
  
  Setup.X64.de-DE_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe
- Size
  
  7.8MB
- MD5
  
  66233bdb5187266b9188475a9b477450
- SHA1
  
  028b4ca088e7479ae8a23914cd33a00cb3bdceea
- SHA256
  
  afaaa4252d10658d90892a8a4d259373f42aaa4405de3db944db39901d2d5d88
- SHA512
  
  7250fd5185aba57ec045e735e842475a301d65ea30b74c527767c83be03b28e56bcec65800327e8986da5f81a34dcebf2e6472f6467f46dbe91ad3b8397d1f3c
- SSDEEP
  
  98304:iS/pJO7LH+/9lNmYg0OxpCmUVzNJNwY2hT:iOJO/e/3Nmn0OxpRmJNWT
Score

8^/10

adware defense_evasion discovery execution link macro pdf persistence privilege_escalation stealer xlm
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: Clear Persistence
  remove IFEO.
  defense_evasion
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1
- Target
  
  Setup.X86.de-DE_O365HomePremRetail_001a94d5-9257-4d7b-80a6-dce1a0d145d0_TX_DB_.exe
- Size
  
  5.3MB
- MD5
  
  a92321b88f22a66f2a5eb4be3e766ee8
- SHA1
  
  d4a1f0ea8d7c4c07fba1822143c2b32cba35c192
- SHA256
  
  2e20447325ed382e69eeb89149fea5365a9835733a86e0bcb4aec95172d1c953
- SHA512
  
  a73c2cb18f2f0c93fb76e3894335d69db1c257f2eb88697c50b81975709c544c255a59c05418a099bbe2b0678bf9cf140790be641fd06e1a3b5cfc3f025e5a8f
- SSDEEP
  
  98304:sbJU1eVFQMl/qh6LiIszkgY34pURD/2DgbHX3Dok8MwY2hwfGH:sbi1e78hWiIszkpgYD/2S3h8MWj
Score

8^/10

adware defense_evasion discovery execution link macro pdf persistence privilege_escalation stealer xlm
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: Clear Persistence
  remove IFEO.
  defense_evasion
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral2