A client sent the accountant at the company a phishing email with a false invoice, and the SIEM solution flagged the potentially malicious file.
A detailed examination of the PPT file, with an MD5 hash of 12c1842c3ccafe7408c23ebf292ee3d9, was performed, comprising the following:
The malware was created on September 28, 2022, at 5:40 pm.
It contacts a C2 server with a key URL.
Once infected, it requests a specific library.
It uses an RC4 key to decrypt a base64 string for configuration.
It steals user credentials stored by web browsers (a technique catalogued in MITRE ATT&CK).
It targets the ProgramData directory for deletion, specifically DLL files, and self-deletes after 5 seconds post-exfiltration.
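The configuration-decoding step above (base64 outer layer, RC4 inner layer) is the kind of thing an analyst re-implements to recover a sample's settings offline. The following is an added illustration, not code from the page or from the sample: the RC4 key, the plaintext config string, and the `key=value;` config layout are all constructed assumptions. The decoder checks itself against the published RC4 test vector (key "Key", plaintext "Plaintext") before it is trusted on anything else.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key-scheduling plus keystream generation; encrypt and decrypt are the same XOR."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_known_answer_ok() -> bool:
    """Sanity check against the standard published RC4 vector before using the decoder."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"

def decode_config(key: bytes, blob_b64: str) -> dict:
    """base64 -> RC4 -> UTF-8 text -> dict of 'k=v' items separated by ';' (assumed layout)."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError as e:                    # binascii.Error is a ValueError subclass
        raise ValueError(f"outer layer is not valid base64: {e}")
    plain = rc4(key, raw)
    try:
        text = plain.decode("utf-8")
    except UnicodeDecodeError:
        # A wrong key yields keystream-looking bytes that almost never decode as UTF-8,
        # so this is the usual symptom of a bad key or an extra encoding layer.
        raise ValueError("decrypted bytes are not UTF-8 text: wrong key or wrong layering")
    cfg = {}
    for item in text.split(";"):
        if not item.strip():
            continue
        k, _, v = item.partition("=")
        cfg[k.strip()] = v.strip()
    return cfg

# Constructed sample material (hypothetical key and settings, not from the analysed file).
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_PLAINTEXT = "c2=https://c2.example.invalid/key;lib=loader.dll;self_delete_s=5"

def build_sample_blob(key: bytes = SAMPLE_KEY, text: str = SAMPLE_PLAINTEXT) -> str:
    """Produce the base64(RC4(config)) blob an analyst would otherwise carve from the sample."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")

if __name__ == "__main__":
    assert rc4_known_answer_ok(), "RC4 implementation failed its known-answer test"
    blob = build_sample_blob()
    print("blob:", blob)
    print("config:", decode_config(SAMPLE_KEY, blob))
```

In practice the blob and key come from the unpacked sample (the key is often a string literal near the decoding routine); the known-answer check matters because an RC4 variant with a tweaked KSA will silently produce garbage that looks identical to a wrong-key failure.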
These insights offer clarity on the attacker's methods, goals, and mitigation strategies through examining the malware's behaviour during and post-execution.
These findings can then be used to strengthen network security and in defence strategies.
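One way to turn the ProgramData DLL deletion and the timed self-delete into a detection is to correlate file-deletion telemetry per process. The block below is an added example, not part of the original write-up: the log lines are constructed in a Sysmon-like JSON shape (field names `ts`, `pid`, `image`, `target` are assumed), and because the sample log carries no network events, the first ProgramData DLL deletion stands in for the exfiltration moment when measuring the self-delete delay. The 10-second window is an assumed tolerance around the 5 seconds reported above.

```python
import json
from datetime import datetime

# Constructed telemetry: every path, PID and timestamp is invented for this example.
SAMPLE_LOG = r"""
{"ts": "2022-10-03T09:15:02", "pid": 4120, "image": "C:\\Users\\acct\\AppData\\Local\\Temp\\invoice.exe", "target": "C:\\ProgramData\\vendor\\helper.dll"}
{"ts": "2022-10-03T09:15:03", "pid": 4120, "image": "C:\\Users\\acct\\AppData\\Local\\Temp\\invoice.exe", "target": "C:\\ProgramData\\vendor\\plugin.dll"}
{"ts": "2022-10-03T09:15:04", "pid": 3001, "image": "C:\\Windows\\System32\\svchost.exe", "target": "C:\\ProgramData\\cache\\session.tmp"}
{"ts": "2022-10-03T09:15:05", "pid": 1212, "image": "C:\\Program Files\\Vendor\\setup.exe", "target": "C:\\Program Files\\Vendor\\old.dll"}
{"ts": "2022-10-03T09:15:08", "pid": 4120, "image": "C:\\Users\\acct\\AppData\\Local\\Temp\\invoice.exe", "target": "C:\\Users\\acct\\AppData\\Local\\Temp\\invoice.exe"}
"""

def parse_events(log_text):
    """One JSON object per line; blank lines are skipped and timestamps parsed."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def norm(path):
    """Case-insensitive, backslash-only comparison form for Windows paths."""
    return path.replace("/", "\\").lower()

def is_programdata_dll(path):
    p = norm(path)
    return p.startswith("c:\\programdata\\") and p.endswith(".dll")

def find_suspicious(events, window_s=10.0):
    """Flag processes that delete DLLs under ProgramData; raise severity if the same
    process then deletes its own image within window_s seconds."""
    by_pid = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid.setdefault(ev["pid"], []).append(ev)
    hits = []
    for pid, evs in by_pid.items():
        dll_deletes = [e for e in evs if is_programdata_dll(e["target"])]
        if not dll_deletes:
            continue
        first = dll_deletes[0]["ts"]
        delay = None
        for e in evs:
            if e["ts"] >= first and norm(e["target"]) == norm(e["image"]):
                delay = (e["ts"] - first).total_seconds()
                break
        hits.append({
            "pid": pid,
            "image": evs[0]["image"],
            "programdata_dll_deletes": len(dll_deletes),
            "self_delete_after_s": delay,
            "severity": "high" if delay is not None and delay <= window_s else "medium",
        })
    return hits

def scan(log_text=SAMPLE_LOG, window_s=10.0):
    return find_suspicious(parse_events(log_text), window_s)

if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

The installer deleting a DLL under Program Files and the service clearing a `.tmp` file under ProgramData are left alone, which is the point: a bare "file deleted" rule would be too noisy, while the combination of DLL deletion in ProgramData plus self-removal by the same process shortly after is distinctive of the behaviour described above.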