54e1e5dc9f8e05a1c50db911ba70f68091c7ac540fd8082deb51380f27ff0201 | Triage

Submit
Reports

Overview

overview

Static

static

1

d9847123b5...a0.rtf

windows7-x64

d9847123b5...a0.rtf

windows10-2004-x64

1

Sharing

General

Target

54e1e5dc9f8e05a1c50db911ba70f68091c7ac540fd8082deb51380f27ff0201
Size

19KB
Sample

240908-chbt7aydpm
MD5

a2a5d8658a6e3cc1ef580f6bf8b74454
SHA1

06a689a1159ef5c8c9754b2539d24de94c86c08f
SHA256

54e1e5dc9f8e05a1c50db911ba70f68091c7ac540fd8082deb51380f27ff0201
SHA512

a945c6a178c1c979b40716f360f1bbbba2f43980b4261706d14bd7a4fb503b3bc2f489848b9ed4b53d32a96fa643b28eff8b8d758d867859ff11ff2945d2a503
SSDEEP

384:Efs82Ue2T9uwe9/zT+wDBagZWdZVqm3LPuYLxAKeWBVuosJKocCxdQ6ArDfYYRlZ:EfYUesV2LT+OkLVqmxAnWBVu9cIIrTYs

Score

10^/10

discovery execution

Static task

static1

Behavioral task

behavioral1

Sample

d9847123b526161e5454f0b6ba07218041ccc47e15171972c3d04d681a1bfba0.rtf

Resource

win7-20240903-en

discovery execution

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

d9847123b526161e5454f0b6ba07218041ccc47e15171972c3d04d681a1bfba0.rtf

Resource

win10v2004-20240802-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://archive.org/download/new_image_vbs/new_image_vbs.jpg

exe.dropper

https://archive.org/download/new_image_vbs/new_image_vbs.jpg

Targets

- Target
  
  d9847123b526161e5454f0b6ba07218041ccc47e15171972c3d04d681a1bfba0.rtf
- Size
  
  81KB
- MD5
  
  afb14dcb82dbb041183e8d492c415a13
- SHA1
  
  6e75ff4e6d06c9824d9a9b50061d22c21f7d659f
- SHA256
  
  d9847123b526161e5454f0b6ba07218041ccc47e15171972c3d04d681a1bfba0
- SHA512
  
  f5adb4a97c5d6bc8a8102c70b2bc3f4b05bc5ea1acbeae6457d654510d46cbeb3018880e64c487ebeaee89978827871f951e025220bed25bbddfb1ae5b6e0ac8
- SSDEEP
  
  384:Ghvwphf2vHXsv6kBBZK9llGuaPJ4QmwhzofOQT6pLcdYa9eyDAPI/uVOP8d465Q7:Ghxv8LB0MJwwSfOQOO1eyDAA/kdJg
Score

10^/10

discovery execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

© 2018-2025

Terms | Privacy