Overview

overview

10

Static

static

8

9f8125ccbb...d7.xls

windows7-x64

10

9f8125ccbb...d7.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9f8125ccbb335bf06504de7636530da31fac9ae3a31db6587f86df389f5907d7

  • Size

    438KB

  • Sample

    241120-q6c9tayaql

  • MD5

    d92adc60a1f138720d363bf955769639

  • SHA1

    40b7682bb2f81dd99f0fe45ed8d3b7d106d92407

  • SHA256

    9f8125ccbb335bf06504de7636530da31fac9ae3a31db6587f86df389f5907d7

  • SHA512

    803be2016774024f921c476f424d165a810ef205b8d674e8c2b81041c8f516555def1aa882e34b64a321f6b969167907a1acd452db255d2aa894abe37ed0d0a0

  • SSDEEP

    12288:T947a/JjsLZjXYc7X0/aXCKli04OaZ1XSwbhF0:furYc7E/i004OSLbhF0

Score
10/10
discoveryexecutionmacromacro_on_action

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://wildmanwildfood.com/wp-admin/wxyadXKXFe/
exe.dropper

https://ashven.co.uk/wp-includes/UwBairqGXVb11tCu/
exe.dropper

https://aigenix.comartstudios.com/cgi-bin/ZZ8HCNr40H/
exe.dropper

https://fastonlineearn.com/wp-content/L/
exe.dropper

https://mbmscaffolding.co.uk/test/3j/
exe.dropper

https://ineslebuhan.com/wp-includes/7dLR8UB3RFfSHd4cZN/
exe.dropper

https://mccoygloballinks.com/cgi-bin/HvZWLrLljiRj2ck/
exe.dropper

http://lonaomer.com/wp-content/6G/
exe.dropper

https://tainformado.com.br/wp-content/0Ysot/
exe.dropper

https://nifdtb.in/wp-content/9uHo3GBgyIQ/
exe.dropper

https://sdn3sajen.stormapp.in/wp-admin/Xc6Z/
exe.dropper

https://narsanat.com/banner/TnIhz/
exe.dropper

https://vanessanascimento.com.br/auren-xbox/cDD2dfW/
exe.dropper

https://medvital.com.br/arquivos/q6ZjbPPoR7l/
exe.dropper

https://mcjalandhar.in/1950-kill/BMoLHJM4g/
exe.dropper

https://nuranabd.com/wp-content/BhYOZ2pJV5q/
exe.dropper

https://sdigitaltv.online/wp-admin/rpRCArrXjpoUXo/
exe.dropper

http://news.leta.com.vn/-/NQOY80o/

Targets

    • Target

      9f8125ccbb335bf06504de7636530da31fac9ae3a31db6587f86df389f5907d7

    • Size

      438KB

    • MD5

      d92adc60a1f138720d363bf955769639

    • SHA1

      40b7682bb2f81dd99f0fe45ed8d3b7d106d92407

    • SHA256

      9f8125ccbb335bf06504de7636530da31fac9ae3a31db6587f86df389f5907d7

    • SHA512

      803be2016774024f921c476f424d165a810ef205b8d674e8c2b81041c8f516555def1aa882e34b64a321f6b969167907a1acd452db255d2aa894abe37ed0d0a0

    • SSDEEP

      12288:T947a/JjsLZjXYc7X0/aXCKli04OaZ1XSwbhF0:furYc7E/i004OSLbhF0

    Score
    10/10
    discoveryexecution

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks