Managed XDR

c-users-user-desktop-s...3-2020_v4_eng.doc-copy (Konni) — malware analysis report

File info

Filename: c-users-user-desktop-scussions-on-cyber-and-nuclear-issues_may-13-2020_v4_eng.doc-copy
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Linton Brooks, Template: Normal.dotm, Last Saved By: User, Revision Number: 8, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Thu May 21 22:17:00 2020, Last Saved Time/Date: Sun Nov 9 07:32:00 2025, Number of Pages: 2, Number of Words: 647, Number of Characters: 3691, Security: 0
File size: 61.5 KB
First seen: 2025-11-09 08:41
Last seen: 2025-11-09 08:41

Environment

w10/x86 en

Hashes

SHA1: e8857f76b3431452d9bf842d08c45904bd2a7b75
SHA256: 78fe07efb9a8363305c0decb3d112de71845f5448510a8eff535b9711faadda2
MD5: 8ca664be6181e6c2ca070ae396d3285d

Malwares

Konni

Signatures

Execution

T1203 office_exploit_creates_cmd: The document exhibits suspicious behaviour (creates a cmd.exe process)

T1203 office_write_exe: Office document dropped an executable file

T1203 office_exploit_http: The document exhibits suspicious behaviour (performs HTTP requests)

T1064 office_macros_suspicious: Document contains suspicious macro

T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)

T1204.002 office_com_load: Microsoft Office loads COM DLL files (indicator of COM usage in macros)

T1064 office_macros: The document contains macroses (total: 2)

T1064 office_macros_strings: Feature lines found in document macro

T1064 office_macros_autoexec: The document contains an auto-start macro

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1064 office_macros_suspicious: Document contains suspicious macro

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1064 office_macros: The document contains macroses (total: 2)

T1064 office_macros_strings: Feature lines found in document macro

T1064 office_macros_autoexec: The document contains an auto-start macro

Credential Access

T1552 cookie_files: Accesses cookie files

T1555.003 cookie_files: Accesses cookie files

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Command and Control

T1071.001 office_exploit_http: The document exhibits suspicious behaviour (performs HTTP requests)

T1071.004 office_exploit_dns: The document exhibits suspicious behaviour (performs DNS requests)

T1071.001 network_http: Performs HTTP requests

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

executes_dropped_exe: Executes dropped exe files

apt_konni_downloader: Detected downloader of Konni trojan

creates_exe: Creates executable files in the file system

creates_suspended_process: Creates suspended process

test_check_service: Starts services

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

suricata_alert: Malicious traffic detected

yara_rules: Static rules

Related reports

Managed XDR