Overview

overview

10

Static

static

1

c0e0842868...2b.xls

windows7-x64

10

c0e0842868...2b.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b.xls

  • Size

    1.0MB

  • Sample

    241026-c3s9zawkbp

  • MD5

    a8e1c0126304e8d65c0a30873dc3d830

  • SHA1

    a0b52e51d227a126c1bc85b057482a58b028ed88

  • SHA256

    c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b

  • SHA512

    87ec45bd80a0b29c11900946b892134a636b6806ca87b9bce7fbbc52bfbd680436f73c61b6ce51a661b2b179cdf18577617267b68aab43a5f0f425e217f443cd

  • SSDEEP

    12288:0mzHJEyfN1YpuBPP39sZEVD3DERnLRmF8DCO9auag9riz5+w3Z6VM0f3kobnY1lR:Hhfgp83hVbARM8+wa5ESZUF8nN

Score
10/10
defense_evasiondiscoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Targets

    • Target

      c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b.xls

    • Size

      1.0MB

    • MD5

      a8e1c0126304e8d65c0a30873dc3d830

    • SHA1

      a0b52e51d227a126c1bc85b057482a58b028ed88

    • SHA256

      c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b

    • SHA512

      87ec45bd80a0b29c11900946b892134a636b6806ca87b9bce7fbbc52bfbd680436f73c61b6ce51a661b2b179cdf18577617267b68aab43a5f0f425e217f443cd

    • SSDEEP

      12288:0mzHJEyfN1YpuBPP39sZEVD3DERnLRmF8DCO9auag9riz5+w3Z6VM0f3kobnY1lR:Hhfgp83hVbARM8+wa5ESZUF8nN

    Score
    10/10
    defense_evasiondiscoveryexecution

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Evasion via Device Credential Deployment

      defense_evasionexecution

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks