General

  • Target

    Orden de Compra No. 78986756565344657.xlam.xlsx

  • Size

    588KB

  • Sample

    241024-hen81azarn

  • MD5

    6d622d241526560dcfd39335c249cd6e

  • SHA1

    cc0d6a0f1cab1b41ef8553318b126225f8604f34

  • SHA256

    36cb95a3f8294818da3c9561fa21681028e4e878dcb938ca5a43d36c46e31a9e

  • SHA512

    b7a289b323fc933253bff2fd3006f713ddfed6917bce8e12d002d50f5d02c135e5f190a67081ca63b0f96cd32145b1bd0ab52c16f255b35392f847bd8c34a291

  • SSDEEP

    12288:Ys9ejjZuPkhNw5hf093Sg0+T2z8FTZr9Uygz+iEC5bCGZkRL0WAZJtj+:j9ej2A9SmTPtr2yo+q25Ruj+

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • URLs

    ps1.dropper: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

    exe.dropper: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Targets

    • Target

      Orden de Compra No. 78986756565344657.xlam.xlsx

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks