General

  • Target

    CI.xls

  • Size

    1.1MB

  • Sample

    241113-h6nrjszrgj

  • MD5

    72d8e169ad35b47ec2c78eca9daf6887

  • SHA1

    4457b65f714f803cbf1206530b4795aa944a75c8

  • SHA256

    62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1

  • SHA512

    7d22b976e78136053965b251ca864afa1366d8322fcf544330549f956025f4aa11985dd2a8577c8365af4a2d77aaeb9c5fcd5dede5d53547e6bd88b57f4dbfce

  • SSDEEP

    24576:nq9PLiijE2Z5Z2am8x/gY/tMJE8F84LJQodszysshMx6YIVf9QCIr+:nEPLiij7Z5ZK8Fg8tMpFjLJQodXsehYo

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper
    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

    exe.dropper
    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell and hide display window.

    • Evasion via Device Credential Deployment

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks