2020-03-23 - INFO_03_23.DOC PUSHES MALWARE (VALAK, MAYBE?)
- 2020-03-23-infection-IOCs.txt.zip 2.0 kB (1,958 bytes)
- 2020-03-23-infection-traffic-from-info_03_23.pcap.zip 270 kB (270,381 bytes)
- 2020-03-23-malware-and-artifacts.zip 379 kB (379,088 bytes)
- All zip archives on this site are password-protected with the standard password. If you don't know it, see the "about" page of this website.
Shown above: Extracting info_03_23.doc from the zip archive.
Shown above: Screenshot of the Word doc.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Alerts using the ETPRO ruleset from Suricata using Sguil in Security Onion.
Shown above: Initial artifacts dropped after enabling macros.
Shown above: Follow-up malware/artifacts.
Shown above: Scheduled task to keep the infection persistent, indicating use of an Alternate Data Stream (ADS).
Shown above: Windows registry updates created during this infection.
Click here to return to the main page.