General

  • Target

    33e186a73110c8e1200d615ee10d3d5bb044074d83e2ed6ff6bd44d56bcc00f8.xlsx

  • Size

    1.1MB

  • Sample

    241110-cpk2fawqcw

  • MD5

    dcabfc00eaf6a79d1e961862b1005db9

  • SHA1

    f1754d8ef5783e374bdc85f96514c07b6635dec9

  • SHA256

    33e186a73110c8e1200d615ee10d3d5bb044074d83e2ed6ff6bd44d56bcc00f8

  • SHA512

    82dfe2229079a2e958ca7fd4d284f3c627c756d9f356ca2feb2b534d4acdd2089d480ba3661d616f309c6552e9cfc48f2fc7e7b88f3244287d78678d9e3665f6

  • SSDEEP

    24576:oyaZxvseowaDI9eqvBw2LTA3G99IRgMU2hLQHlZ0BUY:oT0DIRvBwCT99qgCL4Ee

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Targets

    • Target

      33e186a73110c8e1200d615ee10d3d5bb044074d83e2ed6ff6bd44d56bcc00f8.xlsx

    • Size

      1.1MB

    • MD5

      dcabfc00eaf6a79d1e961862b1005db9

    • SHA1

      f1754d8ef5783e374bdc85f96514c07b6635dec9

    • SHA256

      33e186a73110c8e1200d615ee10d3d5bb044074d83e2ed6ff6bd44d56bcc00f8

    • SHA512

      82dfe2229079a2e958ca7fd4d284f3c627c756d9f356ca2feb2b534d4acdd2089d480ba3661d616f309c6552e9cfc48f2fc7e7b88f3244287d78678d9e3665f6

    • SSDEEP

      24576:oyaZxvseowaDI9eqvBw2LTA3G99IRgMU2hLQHlZ0BUY:oT0DIRvBwCT99qgCL4Ee

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks