cc01815d54a289d110af781b87dea4c4625d068f6a4f13aaa39d25fd723c136d

General

Target

cc01815d54a289d110af781b87dea4c4625d068f6a4f13aaa39d25fd723c136d.xls
Size

1.1MB
Sample

241121-kdxj4avlgn
MD5

65fbcc8da027e55f200e662f94037339
SHA1

a45ff70dd8f364f4d3f0d4be15430fd288bdbbf7
SHA256

cc01815d54a289d110af781b87dea4c4625d068f6a4f13aaa39d25fd723c136d
SHA512

bcf76e0ad9dc6a4056b5815fb1dd424dd7f0c175debc15fc878a3fc9f2a8c29df5bc00156ab378cac77ec4a9c7b8e8e2d688d97236b0966d1ffba013359b68d6
SSDEEP

24576:5uq9PLiijE2Z5Z2amLKuhoF84LJQohXvFClUd7nZDiTtOZc:5uEPLiij7Z5ZKLGFjLJQohXvFTNnb6

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Targets

- Target
  
  cc01815d54a289d110af781b87dea4c4625d068f6a4f13aaa39d25fd723c136d.xls
- Size
  
  1.1MB
- MD5
  
  65fbcc8da027e55f200e662f94037339
- SHA1
  
  a45ff70dd8f364f4d3f0d4be15430fd288bdbbf7
- SHA256
  
  cc01815d54a289d110af781b87dea4c4625d068f6a4f13aaa39d25fd723c136d
- SHA512
  
  bcf76e0ad9dc6a4056b5815fb1dd424dd7f0c175debc15fc878a3fc9f2a8c29df5bc00156ab378cac77ec4a9c7b8e8e2d688d97236b0966d1ffba013359b68d6
- SSDEEP
  
  24576:5uq9PLiijE2Z5Z2amLKuhoF84LJQohXvFClUd7nZDiTtOZc:5uEPLiij7Z5ZKLGFjLJQohXvFTNnb6
Score

10^/10

defense_evasion discovery execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Evasion via Device Credential Deployment
  defense_evasion execution
- Drops file in System32 directory
behavioral1 behavioral2