4d86998a295608296e073f20d5ae6b0d15fd7a44e10e0bc980462b6567b2a5b6 | Triage

Submit
Reports

Overview

overview

Static

static

1

4d86998a29...b6.xls

windows7-x64

4d86998a29...b6.xls

windows10-2004-x64

1

Sharing

Copy URL Twitter E-mail

General

Target

4d86998a295608296e073f20d5ae6b0d15fd7a44e10e0bc980462b6567b2a5b6.xls
Size

843KB
Sample

241002-bmnh4szcrk
MD5

2779226058bde97e0a493f3e3d8c4d66
SHA1

d1e5d2604b7ab8aa8d13dccb8e7b85062af3e13e
SHA256

4d86998a295608296e073f20d5ae6b0d15fd7a44e10e0bc980462b6567b2a5b6
SHA512

e1ba222ad48daf56465375346a86842e89cd0afc35132cc8ba2d557e52f461a331304cdff5676fc6b9e00509fdee4766be35f9f3c6405fae00a6324737d3085f
SSDEEP

24576:7oAyXsPfh6BV9qLzONUpSa5S9B+Q4ri27B4ObmfR:2kQTcLTSeQYikmp

Score

10^/10

discovery execution

Static task

static1

Behavioral task

behavioral1

Sample

4d86998a295608296e073f20d5ae6b0d15fd7a44e10e0bc980462b6567b2a5b6.xls

Resource

win7-20240708-en

discovery execution

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

4d86998a295608296e073f20d5ae6b0d15fd7a44e10e0bc980462b6567b2a5b6.xls

Resource

win10v2004-20240802-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Targets

- Target
  
  4d86998a295608296e073f20d5ae6b0d15fd7a44e10e0bc980462b6567b2a5b6.xls
- Size
  
  843KB
- MD5
  
  2779226058bde97e0a493f3e3d8c4d66
- SHA1
  
  d1e5d2604b7ab8aa8d13dccb8e7b85062af3e13e
- SHA256
  
  4d86998a295608296e073f20d5ae6b0d15fd7a44e10e0bc980462b6567b2a5b6
- SHA512
  
  e1ba222ad48daf56465375346a86842e89cd0afc35132cc8ba2d557e52f461a331304cdff5676fc6b9e00509fdee4766be35f9f3c6405fae00a6324737d3085f
- SSDEEP
  
  24576:7oAyXsPfh6BV9qLzONUpSa5S9B+Q4ri27B4ObmfR:2kQTcLTSeQYikmp
Score

10^/10

discovery execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Abuses OpenXML format to download file from external location
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

© 2018-2025

Terms | Privacy