General

Target: HR-Ageing-Report.ppt
Size: 82KB
Sample: 210731-e725nnlpgn
MD5: e2c84712e1b4ff68b9d85729dbda044a
SHA1: c095064894d2ac8c0864d68d5de14324e49ce010
SHA256: 8a7eedce7576affb0bcb4fad28a5fdb6c5581efa956aaba80193c18b475266c4
SHA512: a5af0aae421fdac20de13c008d4f5656f3efcc1d2805c75f467e097687056ea96e6e2981fe71b27dc05c0027904608b673f008ab248686a2a12c938af4ad07f3
Static task: static1

Behavioral task: behavioral1
Sample: HR-Ageing-Report.ppt
Resource: win7v20210408

Behavioral task: behavioral2
Sample: HR-Ageing-Report.ppt
Resource: win10v20210410

Malware Config

Extracted
Family: oski
C2: 103.99.1.60/we/king/
Targets

Target: HR-Ageing-Report.ppt
Size: 82KB
MD5: e2c84712e1b4ff68b9d85729dbda044a
SHA1: c095064894d2ac8c0864d68d5de14324e49ce010
SHA256: 8a7eedce7576affb0bcb4fad28a5fdb6c5581efa956aaba80193c18b475266c4
SHA512: a5af0aae421fdac20de13c008d4f5656f3efcc1d2805c75f467e097687056ea96e6e2981fe71b27dc05c0027904608b673f008ab248686a2a12c938af4ad07f3
Score: 10/10

- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Process spawned suspicious child process
  This child process is typically not spawned unless the parent process crashes (for example, a crash handler started by the Office host). That usually indicates an unsuccessful attempt to compromise the parent process.
- Suspicious use of SetThreadContext
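The signatures above are the sandbox's own. What follows is an added Python example, not Triage's code and not from the sample, that approximates three of them over constructed Sysmon-style process-creation events and HTTP records: the two child-process signatures (an Office host spawning a script interpreter or other living-off-the-land binary, versus spawning a crash handler after a failed exploit) and the Oski exfil alerts (traffic to the extracted C2 host, or an outbound POST carrying a zipped Passwords.txt). The parent/child process lists, the event field names and the telemetry itself are assumptions made for the example; the indicators are the ones on this page.

```python
import hashlib
from dataclasses import dataclass

# Indicators copied from the report above.
SAMPLE_SHA256 = "8a7eedce7576affb0bcb4fad28a5fdb6c5581efa956aaba80193c18b475266c4"
OSKI_C2_URL = "103.99.1.60/we/king/"
OSKI_C2_HOST = OSKI_C2_URL.split("/", 1)[0]

# Office hosts and the children they should not normally start.
# Hypothetical lists chosen for this example; Triage's own signature logic is not shown on the page.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
UNEXPECTED_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Crash handlers: spawned when the parent dies, e.g. after an exploit that did not land.
CRASH_HANDLERS = {"werfault.exe", "dw20.exe"}


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 shape: full image paths of parent and child."""
    parent_image: str
    image: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_child(ev: ProcEvent):
    """Map one process-creation event to the report's two child-process signatures."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent not in OFFICE_PARENTS:
        return None
    if child in CRASH_HANDLERS:
        return "suspicious_child"   # parent crashed: likely an unsuccessful exploit
    if child in UNEXPECTED_CHILDREN:
        return "unexpected_child"   # macro or exploit handed execution to a LOLBin
    return None


def is_oski_exfil(net: dict) -> bool:
    """Simplified stand-in for the two Suricata ET MALWARE alerts: any request to the
    extracted C2, or an outbound POST whose body names a zipped Passwords.txt."""
    to_c2 = (net.get("dest_host") == OSKI_C2_HOST
             or net.get("url", "").startswith("http://" + OSKI_C2_URL))
    zipped_pw = net.get("method") == "POST" and b"Passwords.txt" in net.get("body", b"")
    return to_c2 or zipped_pw


def matches_sample(data: bytes) -> bool:
    """Hash-match a file against the SHA256 listed in the report."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


def triage(proc_events, net_events):
    """Group findings by signature name so they can be asserted on or reported."""
    findings = {"unexpected_child": [], "suspicious_child": [], "exfil": []}
    for ev in proc_events:
        kind = classify_child(ev)
        if kind:
            findings[kind].append(f"{_basename(ev.parent_image)} -> {_basename(ev.image)}")
    for net in net_events:
        if is_oski_exfil(net):
            findings["exfil"].append(f"{net.get('method', '?')} {net.get('dest_host', '?')}{net.get('path', '')}")
    return findings


# Constructed telemetry for a dry run; this is not the sandbox output for the sample.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
PROC_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", OFFICE),
    ProcEvent(OFFICE, r"C:\Windows\System32\mshta.exe"),
    ProcEvent(OFFICE, r"C:\Windows\System32\WerFault.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe"),
]
NET_EVENTS = [
    {"method": "GET", "dest_host": "103.99.1.60", "path": "/we/king/",
     "url": "http://103.99.1.60/we/king/", "body": b""},
    {"method": "POST", "dest_host": "198.51.100.7", "path": "/upload",
     "url": "http://198.51.100.7/upload", "body": b"PK\x03\x04" + b"\x00" * 26 + b"Passwords.txt"},
    {"method": "GET", "dest_host": "www.example.com", "path": "/",
     "url": "http://www.example.com/", "body": b""},
]

if __name__ == "__main__":
    for name, hits in triage(PROC_EVENTS, NET_EVENTS).items():
        print(name, hits)
```

The explorer.exe to POWERPNT.EXE launch and the svchost.exe to cmd.exe launch are deliberately left unflagged: the heuristic is about which parent hands off execution, not about the child alone, which is why the Office-parent check comes first.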