40bcfababa169393524d58a9447ea465ac7a18edd09ae9eaea2739c8d77dab9d | Triage

Submit
Reports

Overview

overview

Static

static

1

Shipping D...00.xls

windows7-x64

Shipping D...00.xls

windows10-2004-x64

Sharing

General

Target

Shipping Documents WMLREF115900.xls
Size

98KB
Sample

241024-lx4yysxakn
MD5

98502d8342f1afd8b699b26ff777a919
SHA1

0d0c6a6f90611fee9c232d90fca0776dbbff5241
SHA256

40bcfababa169393524d58a9447ea465ac7a18edd09ae9eaea2739c8d77dab9d
SHA512

0d1e03166c7dc08098acaeace97930fdc7bfa5b50932bbb6ee151691202389f1d7d053c2d0b0a6248ecfa7a6056bd16a0ad2a61e91a6f03d292d7ace1d5e7e86
SSDEEP

1536:MiqHy1S6F8b2SQrEkawpoXIow7yLHXXRD6G10u9QvuTUpx2MjeHmfDI7:UeFHrE2sIoeK3XR2GWumv6UprT

Score

10^/10

defense_evasion discovery execution

Static task

static1

Behavioral task

behavioral1

Sample

Shipping Documents WMLREF115900.xls

Resource

win7-20240903-en

defense_evasion discovery execution

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

Shipping Documents WMLREF115900.xls

Resource

win10v2004-20241007-en

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Targets

- Target
  
  Shipping Documents WMLREF115900.xls
- Size
  
  98KB
- MD5
  
  98502d8342f1afd8b699b26ff777a919
- SHA1
  
  0d0c6a6f90611fee9c232d90fca0776dbbff5241
- SHA256
  
  40bcfababa169393524d58a9447ea465ac7a18edd09ae9eaea2739c8d77dab9d
- SHA512
  
  0d1e03166c7dc08098acaeace97930fdc7bfa5b50932bbb6ee151691202389f1d7d053c2d0b0a6248ecfa7a6056bd16a0ad2a61e91a6f03d292d7ace1d5e7e86
- SSDEEP
  
  1536:MiqHy1S6F8b2SQrEkawpoXIow7yLHXXRD6G10u9QvuTUpx2MjeHmfDI7:UeFHrE2sIoeK3XR2GWumv6UprT
Score

10^/10

defense_evasion discovery execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Evasion via Device Credential Deployment
  defense_evasion execution
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

© 2018-2025

Terms | Privacy