8f4cb3b0aaf0bdbbcc6d080385fab14ae0cf71d8e46770902ade7f5e4099b5da | Triage

Submit
Reports

Overview

overview

Static

static

1

29102024_1...ip.xls

windows7-x64

29102024_1...ip.xls

windows10-2004-x64

Sharing

General

Target

29102024_1555_29102024_Payment slip.xls
Size

1.2MB
Sample

241029-tc5nravqd1
MD5

fb16f7b0fbcb2ae5d3b185392e4543a5
SHA1

f5e0e6247b2fd7ec74fc687ba0f63d8c05cc3fe0
SHA256

8f4cb3b0aaf0bdbbcc6d080385fab14ae0cf71d8e46770902ade7f5e4099b5da
SHA512

f20b0cd4b5030f517997783caa172e5415bfaefd38cf791c983948ae3a20967fe16840e283e6e4833f0d73d0ba7513f49e212f0bd6db7f1d9a1bf8e473668bb5
SSDEEP

24576:G1852p5l2JsykgMpRptnPskUcZnujf9VYdHk5Xqx5Q:G1O2p5l2oFpB0kUcIf9naT

Score

10^/10

defense_evasion discovery execution

Static task

static1

Behavioral task

behavioral1

Sample

29102024_1555_29102024_Payment slip.xls

Resource

win7-20240903-en

defense_evasion discovery execution

windows7-x64

14 signatures

300 seconds

Behavioral task

behavioral2

Sample

29102024_1555_29102024_Payment slip.xls

Resource

win10v2004-20241007-en

windows10-2004-x64

10 signatures

300 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Targets

- Target
  
  29102024_1555_29102024_Payment slip.xls
- Size
  
  1.2MB
- MD5
  
  fb16f7b0fbcb2ae5d3b185392e4543a5
- SHA1
  
  f5e0e6247b2fd7ec74fc687ba0f63d8c05cc3fe0
- SHA256
  
  8f4cb3b0aaf0bdbbcc6d080385fab14ae0cf71d8e46770902ade7f5e4099b5da
- SHA512
  
  f20b0cd4b5030f517997783caa172e5415bfaefd38cf791c983948ae3a20967fe16840e283e6e4833f0d73d0ba7513f49e212f0bd6db7f1d9a1bf8e473668bb5
- SSDEEP
  
  24576:G1852p5l2JsykgMpRptnPskUcZnujf9VYdHk5Xqx5Q:G1O2p5l2oFpB0kUcIf9naT
Score

10^/10

defense_evasion discovery execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Evasion via Device Credential Deployment
  defense_evasion execution
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

© 2018-2025

Terms | Privacy