Sample File:
MD5 hash: 90a59c16d670fd77d710516299533834
SHA1 hash: 25c0a651d7bdfdfca2f37160837829bea669c5f7
SHA256 hash: 70fa2300d7932ab901c19878bf109bdd9e078e96380879ca2ce2c3f9fc5c7665
SSDEEP hash: 384:Mo8AY64U4jOHgiI/6iSY5UFXoOfYxFSAtcwqVCM+V0hxtjiK6yOrX0jui3M:t/7dRc6lCMvxp6yOL5i
Filename(s): Pyongyang stores low on foreign goods amid North Korean COVID-19 paranoia.doc
Filetype: Word Document

Mutex IOCs:
- None -

Registry Key IOCs:
HKEY_CLASSES_ROOT\Licenses
HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors
HKEY_CLASSES_ROOT\TypeLib
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0
HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup

Domain IOCs:
www.rabadaun.com

IP IOCs:
186.122.150.107
134.0.11.201

URL IOCs:
http://186.122.150.107/cc/index.php
https://www.rabadaun.com/wordpress/wp-content/themes/TEMP.so

File IOCs:
Filenames:
C:\ProgramData\AVG
7017296fe4621fb5765b17dfc94485c7663d18f3cc35159f368899a55cce4ee5
C:\Users\FD1HVy\AppData\Local\Temp\VBE
0c26b620ab8e6837cbb9527f79a4cd029243b0da2f72c420f257fc4a2c6f4b44
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL
C:\ProgramData\AVAST Software
C:\ProgramData\Bitdefender
C:\Users\FD1HVy\Desktop
C:\ProgramData\Avira
C:\ProgramData\Norton
C:\ProgramData\a7963
\??\C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Templates\spolsve.exe
C:\ProgramData\ESET
C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Templates\spolsve.exe
C:\ProgramData\Comodo
C:\ProgramData\Sophos
C:\ProgramData\360TotalSecurity
C:\Users\FD1HVy\Desktop\Pyongyang stores low on foreign goods amid North Korean COVID-19 paranoia.doc
C:\ProgramData\Kaspersky Lab
C:\ProgramData\Doctor Web
Normal
C:\ProgramData\Panda Security
c:\programdata\a7963\tlworker.exe
C:\WINDOWS\SysWOW64\cmd.exe
\??\C:\Users\FD1HVy\AppData\Local\Temp\Liebert.bmp
\??\C:\WINDOWS\SYSTEM32\ntdll.dll
System Paging File

MD5 hashes:
7955497d0248dbb62f643c3a5a62def5
90a59c16d670fd77d710516299533834
f160c057fded2c01bfdb65bb7aa9dfcc
335fafc74a1d3a0caebc3e1896c46351

SHA1 hashes:
1e14de870b1c4b09cbf81206562a254c27178d85
2081f4a1c334b5b498155f5629923f89c16325a6
1ea45f4793f6ac81f252a74dfd6a2423bd66b612
25c0a651d7bdfdfca2f37160837829bea669c5f7

SHA256 hashes:
7017296fe4621fb5765b17dfc94485c7663d18f3cc35159f368899a55cce4ee5
efc139dc0e280a374065dc59c55a45b5146f091a85a3abd6f0caf1a9a2f8b060
70fa2300d7932ab901c19878bf109bdd9e078e96380879ca2ce2c3f9fc5c7665
0c26b620ab8e6837cbb9527f79a4cd029243b0da2f72c420f257fc4a2c6f4b44

SSDEEP hashes:
384:Mo8AY64U4jOHgiI/6iSY5UFXoOfYxFSAtcwqVCM+V0hxtjiK6yOrX0jui3M:t/7dRc6lCMvxp6yOL5i
24:2dmMPmIAvy45SUtXYuwxvqmrxrqTt+YVbOr:cVmIAqySCYuQlowQm
3:A7G0FDTa26XJT4W8YMlgh0Dec:A7G0NDaeYMlVp
6144:deSI8dD+Zp4IWoafJC8WVpH4dx98hNVVjr/:deSI8ha4ItNVVn