General

  • Target

    01d0e17728daffd2598b3fd12710e8a401e5af39111a2dc4c346c41beede330d

  • Size

    145KB

  • Sample

    241120-ddyzlaypcv

  • MD5

    7d166ce2da5195fa2094871af38a8078

  • SHA1

    0789b0a78de799562237fea12de0d05f15cc2ab8

  • SHA256

    01d0e17728daffd2598b3fd12710e8a401e5af39111a2dc4c346c41beede330d

  • SHA512

    715af94aa76008bc93e8649c6dc0f689673b3fa6a4629b350d46e17124a3fef9f06662f50a892b76122260f3df8c71d3f59ba25f81a38bed1181af00aa26781e

  • SSDEEP

    3072:icKoSsxzNDZLDZjlbR868O8KlVH3jehvMqAPjxO5xyZUE5V5xtezEVg8/dgL4Lcc:icKoSsxzNDZLDZjlbR868O8KlVH3jehy

Malware Config

  • Extracted

    Language: ps1
    Deobfuscated: yes
    URLs (all of type exe.dropper):

    http://reumatismclinic.com/-/scCnm3mbJRpsaBKBbrC/
    https://shodhmanjari.com/wp-admin/xjEmK4Pd3N/
    http://tubelocal.net/wp-admin/X4Xm4Mk/
    https://pacifichomebroker.com/roderick/RRk/
    https://molinai-journal.com/wp-content/4HBv/
    https://marineboyrecords.com/font-awesome/QBBByHDDYl0slxlQ/
    https://mashuk.net/wp-includes/ej6R4fkU/
    https://lapalette.store/Fox-C404/Gngia6hD0i5zsgd2/
    https://jhonnycryptic.com/cgi-bin/OhZdKCDRBYGZudqs/
    https://korean911.com/wp-admin/TZczIsZtMFXxM5T/
    https://fonijuk.org/wp-content/fzq6vYFUMEiRoR8vG/
    https://baltoe.blog/-/6IC/
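The extracted config above is the part of this report that feeds directly into blocking and hunting, and the one-item-per-line export is awkward to copy by hand. The script below is an added example (not part of the report or the sandbox's own tooling): it parses a constructed copy of that export, carrying the `exe.dropper` role label forward to each URL, then defangs the URLs for tickets and emits the de-duplicated hostnames for a DNS or proxy blocklist. The label regex and the defanging style are this example's assumptions, not a documented report format.

```python
"""Turn the flattened 'Malware Config' block of this report into usable IOCs."""
import re
from urllib.parse import urlsplit

# Constructed copy of the report's extracted-config text (the URLs are the ones
# listed on this page; the one-item-per-line layout mirrors the report export).
CONFIG_TEXT = """\
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://reumatismclinic.com/-/scCnm3mbJRpsaBKBbrC/
exe.dropper
https://shodhmanjari.com/wp-admin/xjEmK4Pd3N/
exe.dropper
http://tubelocal.net/wp-admin/X4Xm4Mk/
exe.dropper
https://pacifichomebroker.com/roderick/RRk/
exe.dropper
https://molinai-journal.com/wp-content/4HBv/
exe.dropper
https://marineboyrecords.com/font-awesome/QBBByHDDYl0slxlQ/
exe.dropper
https://mashuk.net/wp-includes/ej6R4fkU/
exe.dropper
https://lapalette.store/Fox-C404/Gngia6hD0i5zsgd2/
exe.dropper
https://jhonnycryptic.com/cgi-bin/OhZdKCDRBYGZudqs/
exe.dropper
https://korean911.com/wp-admin/TZczIsZtMFXxM5T/
exe.dropper
https://fonijuk.org/wp-content/fzq6vYFUMEiRoR8vG/
exe.dropper
https://baltoe.blog/-/6IC/
"""

URL_RE = re.compile(r"^https?://\S+$")
# Assumption: a role label is a short lower-case dotted token such as 'exe.dropper'.
LABEL_RE = re.compile(r"^[a-z0-9]+\.[a-z0-9.]+$")


def parse_config(text):
    """Return [{'type': ..., 'url': ...}, ...].

    In the export every URL is preceded by a dotted label naming its role; the
    label stays in force until a different one appears, so a run of URLs under
    one label is handled as well as the strictly alternating layout seen here.
    """
    iocs, current_type = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if URL_RE.match(line):
            iocs.append({"type": current_type, "url": line})
        elif LABEL_RE.match(line):
            current_type = line
    return iocs


def defang(url):
    """Render a URL so it cannot be clicked or auto-linked in a ticket."""
    p = urlsplit(url)
    scheme = p.scheme.replace("http", "hxxp")
    host = p.netloc.replace(".", "[.]")
    tail = p.path + (f"?{p.query}" if p.query else "")
    return f"{scheme}://{host}{tail}"


def unique_hosts(iocs):
    """Sorted, de-duplicated hostnames for DNS/proxy blocking."""
    return sorted({urlsplit(i["url"]).netloc.lower() for i in iocs})


def by_type(iocs):
    """Group URLs by their config role (here all 'exe.dropper')."""
    groups = {}
    for i in iocs:
        groups.setdefault(i["type"], []).append(i["url"])
    return groups


if __name__ == "__main__":
    found = parse_config(CONFIG_TEXT)
    for role, urls in by_type(found).items():
        print(f"[{role}] {len(urls)} URL(s)")
        for u in urls:
            print("  ", defang(u))
    print("hosts to block:", ", ".join(unique_hosts(found)))
```

Block on the hostnames rather than the full paths: the paths are per-campaign and rotate, while the compromised sites tend to be reused. The defanged form is what should go into any ticket or mail, since several of these URLs are on otherwise legitimate sites and an accidental click would fetch the dropper.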

Targets

    • Target

      01d0e17728daffd2598b3fd12710e8a401e5af39111a2dc4c346c41beede330d

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check to avoid running in certain regions.
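Two of the signatures above ("Process spawned unexpected child process" and "Blocklisted process makes network request") are the kind of behaviour that should also fire in a production EDR, not only in the sandbox. The script below is an added example, not from this report or the sandbox, showing the detection logic run over constructed Sysmon-style telemetry. It assumes that the compromised parent is an Office application (the report only says the parent was likely compromised via an exploit or macro) and that script hosts such as powershell.exe are the blocklisted processes for outbound connections; both sets are this example's choices. Processes that trip both rules are correlated into a single high-severity hit, which is what the 10/10 score above reflects.

```python
"""Replay two of the behavioural signatures above against sample process telemetry."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed parent/child sets: the report says the parent was likely compromised
# via an exploit or macro, so Office applications are taken as the suspect
# parents and script/LOLBin hosts as the suspect children.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                   "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumed blocklist: processes that should not normally reach the Internet
# from a workstation.
NETWORK_BLOCKLIST = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connect)
    pid: int
    image: str           # full path of the acting process
    parent_image: str = ""
    dest: str = ""       # host:port for network events


def base(image):
    """Lower-cased file name of an image path (handles both slash styles)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (signature, pid, detail) tuples, one per matching event."""
    alerts = []
    for e in events:
        if (e.kind == "process" and base(e.parent_image) in OFFICE_PARENTS
                and base(e.image) in SCRIPT_CHILDREN):
            alerts.append(("unexpected_child_process", e.pid,
                           f"{base(e.parent_image)} -> {base(e.image)}"))
        elif e.kind == "network" and base(e.image) in NETWORK_BLOCKLIST:
            alerts.append(("blocklisted_process_network", e.pid,
                           f"{base(e.image)} -> {e.dest}"))
    return alerts


def correlate(alerts):
    """Group signatures by pid; a process that hits more than one is rated high."""
    hits = defaultdict(set)
    for sig, pid, _ in alerts:
        hits[pid].add(sig)
    return {pid: ("high" if len(sigs) > 1 else "medium", sigs)
            for pid, sigs in hits.items()}


# Constructed Sysmon-style telemetry, not taken from the report. pid 1300 is a
# macro-launched PowerShell fetching from one of the dropper URLs; pid 1500 is
# an interactive PowerShell that only trips the network rule.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    Event("process", 1200, WORD, r"C:\Windows\explorer.exe"),
    Event("process", 1300, PS, WORD),
    Event("network", 1300, PS, dest="reumatismclinic.com:80"),
    Event("process", 1400, CHROME, r"C:\Windows\explorer.exe"),
    Event("network", 1400, CHROME, dest="example.com:443"),
    Event("process", 1500, PS, r"C:\Windows\explorer.exe"),
    Event("network", 1500, PS, dest="shodhmanjari.com:443"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for sig, pid, detail in found:
        print(f"{sig:30} pid={pid} {detail}")
    for pid, (sev, sigs) in sorted(correlate(found).items()):
        print(f"pid {pid}: {sev} ({', '.join(sorted(sigs))})")
```

The network rule on its own is noisy on admin workstations (pid 1500 in the sample is exactly that case), which is why the correlation step matters: an Office-spawned script host that then makes an outbound connection is the dropper pattern this report describes, and that combination is rare enough to page on.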

MITRE ATT&CK Enterprise v15

Tasks