Overview

overview

10

Static

static

1

c0e0842868...2b.xls

windows7-x64

10

c0e0842868...2b.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a8e1c0126304e8d65c0a30873dc3d830.bin

  • Size

    758KB

  • Sample

    241027-b2n37asajg

  • MD5

    f905d86b578c505823835cc2432594c7

  • SHA1

    c529c05a4523fea02cb073541327e4604eb29d72

  • SHA256

    5e3fade0bb906fa990c5a6fccff48bdd14bf2d9cb52971f719b4ab5e5829fba2

  • SHA512

    e783971ddec4078c321ce2110b9d3b726485137f89877542503f67f0c0c116102723ebeda39799094fffc54c47bf480933cafe204f2be3d3aded68efef711472

  • SSDEEP

    12288:05XQ2fIXbX+Q3QzvaKjIGj4Xq6X/3QkwWXvX1o76eVpO4ihVCjVDsX3BUlyEoi0z:4Xu7l4RIG866XoaX1o76enO4ICjyUl94

Score
10/10
defense_evasiondiscoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Targets

    • Target

      c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b.xls

    • Size

      1.0MB

    • MD5

      a8e1c0126304e8d65c0a30873dc3d830

    • SHA1

      a0b52e51d227a126c1bc85b057482a58b028ed88

    • SHA256

      c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b

    • SHA512

      87ec45bd80a0b29c11900946b892134a636b6806ca87b9bce7fbbc52bfbd680436f73c61b6ce51a661b2b179cdf18577617267b68aab43a5f0f425e217f443cd

    • SSDEEP

      12288:0mzHJEyfN1YpuBPP39sZEVD3DERnLRmF8DCO9auag9riz5+w3Z6VM0f3kobnY1lR:Hhfgp83hVbARM8+wa5ESZUF8nN

    Score
    10/10
    defense_evasiondiscoveryexecution

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Evasion via Device Credential Deployment

      defense_evasionexecution

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks