Overview

overview

10

Static

static

1

7a131ae2f6...ce.xls

windows7-x64

10

7a131ae2f6...ce.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7a131ae2f6bee4502aa717926cda6045a5528ba6a25d3dd3a5fbbb880af942ce.xls

  • Size

    1.1MB

  • Sample

    241107-c6matssnhv

  • MD5

    2fa05b6430d95473b907dfe83338f462

  • SHA1

    3f830f801f4225891075a0fc5c2ef6cc8bc361cb

  • SHA256

    7a131ae2f6bee4502aa717926cda6045a5528ba6a25d3dd3a5fbbb880af942ce

  • SHA512

    fabf49e054a9fcf6cabb82f64c319a713adc058dbe2406a29b9744473bc94b960eb7208dc58855cfb14dd3442d70fd753054201877c451d042e03b12e13a7318

  • SSDEEP

    24576:5yaZxvseowaDI9eqvBw2L+LXlkWlXTgNXMAdsNUnh:5T0DIRvBwCuXlpM8usNAh

Score
10/10
defense_evasiondiscoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Targets

    • Target

      7a131ae2f6bee4502aa717926cda6045a5528ba6a25d3dd3a5fbbb880af942ce.xls

    • Size

      1.1MB

    • MD5

      2fa05b6430d95473b907dfe83338f462

    • SHA1

      3f830f801f4225891075a0fc5c2ef6cc8bc361cb

    • SHA256

      7a131ae2f6bee4502aa717926cda6045a5528ba6a25d3dd3a5fbbb880af942ce

    • SHA512

      fabf49e054a9fcf6cabb82f64c319a713adc058dbe2406a29b9744473bc94b960eb7208dc58855cfb14dd3442d70fd753054201877c451d042e03b12e13a7318

    • SSDEEP

      24576:5yaZxvseowaDI9eqvBw2L+LXlkWlXTgNXMAdsNUnh:5T0DIRvBwCuXlpM8usNAh

    Score
    10/10
    defense_evasiondiscoveryexecution

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Evasion via Device Credential Deployment

      defense_evasionexecution

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks