0fefe416888a41939d0d7143846844edac1b4ee1ea5fd8f98a893ade7a62d34f | Triage

Submit
Reports

Overview

overview

Static

static

8

Microsoft_...t3.xls

windows7-x64

Microsoft_...t3.xls

windows10-2004-x64

Sharing

General

Target

Microsoft_Excel_97-2003_Worksheet3.xls
Size

36KB
Sample

220914-kepwmshfg5
MD5

4e5efb8250aa5094deb1dc99e5786830
SHA1

42124e78ce95be3600258770a002ae01f5e70652
SHA256

0fefe416888a41939d0d7143846844edac1b4ee1ea5fd8f98a893ade7a62d34f
SHA512

cdba63c4ee4620e85b0af3c08911e237bf0b373187efcad9983d2d6bd9aa5238283ef08ba12e00c04ac4bbb41aa10008ce68a984be70de24d86ee3e6ac2c167d
SSDEEP

768:1pz9l7Vbta45G/d9K1EghHsYwiSLSpO7Zp:1pzPzzWdqEghCiKTt

Score

10^/10

collection macro macro_on_action

Static task

static1

macro macro_on_action

1 signatures

Behavioral task

behavioral1

Sample

Microsoft_Excel_97-2003_Worksheet3.xls

Resource

win7-20220812-en

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

Microsoft_Excel_97-2003_Worksheet3.xls

Resource

win10v2004-20220812-en

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://www.mediafire.com/file/6vip6utwodclo5k/1.htm/file

Extracted

Credentials

Protocol: ftp
Host:
107.182.129.168
Port:
21
Username:
jhfjhjgfh1
Password:
djfhdjfhdf

Targets

- Target
  
  Microsoft_Excel_97-2003_Worksheet3.xls
- Size
  
  36KB
- MD5
  
  4e5efb8250aa5094deb1dc99e5786830
- SHA1
  
  42124e78ce95be3600258770a002ae01f5e70652
- SHA256
  
  0fefe416888a41939d0d7143846844edac1b4ee1ea5fd8f98a893ade7a62d34f
- SHA512
  
  cdba63c4ee4620e85b0af3c08911e237bf0b373187efcad9983d2d6bd9aa5238283ef08ba12e00c04ac4bbb41aa10008ce68a984be70de24d86ee3e6ac2c167d
- SSDEEP
  
  768:1pz9l7Vbta45G/d9K1EghHsYwiSLSpO7Zp:1pzPzzWdqEghCiKTt
Score

10^/10

collection
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

© 2018-2024

Terms | Privacy