42e6ba1ea816c43320ae4eb3952059263348072339b75e9200a3914b510b044a | Triage

Submit
Reports

Overview

overview

Static

static

8

42e6ba1ea8...4a.doc

windows7-x64

42e6ba1ea8...4a.doc

windows10-2004-x64

Sharing

General

Target

42e6ba1ea816c43320ae4eb3952059263348072339b75e9200a3914b510b044a
Size

32KB
Sample

241122-bpyf4axmcp
MD5

bb54172287fd2b0e410c5028d561b185
SHA1

e805b5ed52dd4371c8c1fb8cf7458bc84a4a2630
SHA256

42e6ba1ea816c43320ae4eb3952059263348072339b75e9200a3914b510b044a
SHA512

05c8929310cc38a0f97b354c6ff4f1b19ae8f39f647d2cdf423dc397625c19f473e3e167dc956a25fead95f44d659444d917ac09b6e69af948aa2941c73ecaa7
SSDEEP

192:IxSNOlLZEvA+6/6r8px8SmvowzxT4rKVrWGlAtno5hdbeCdCicDlg0jT4V2Iwa:E8iS8px8SMDEyrjStuhdbXdCRlg0jEc

Score

10^/10

discovery execution macro macro_on_action

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

42e6ba1ea816c43320ae4eb3952059263348072339b75e9200a3914b510b044a.doc

Resource

win7-20240903-en

discovery execution

windows7-x64

11 signatures

60 seconds

Behavioral task

behavioral2

Sample

42e6ba1ea816c43320ae4eb3952059263348072339b75e9200a3914b510b044a.doc

Resource

win10v2004-20241007-en

windows10-2004-x64

8 signatures

60 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://192.168.45.199/health

Targets

- Target
  
  42e6ba1ea816c43320ae4eb3952059263348072339b75e9200a3914b510b044a
- Size
  
  32KB
- MD5
  
  bb54172287fd2b0e410c5028d561b185
- SHA1
  
  e805b5ed52dd4371c8c1fb8cf7458bc84a4a2630
- SHA256
  
  42e6ba1ea816c43320ae4eb3952059263348072339b75e9200a3914b510b044a
- SHA512
  
  05c8929310cc38a0f97b354c6ff4f1b19ae8f39f647d2cdf423dc397625c19f473e3e167dc956a25fead95f44d659444d917ac09b6e69af948aa2941c73ecaa7
- SSDEEP
  
  192:IxSNOlLZEvA+6/6r8px8SmvowzxT4rKVrWGlAtno5hdbeCdCicDlg0jT4V2Iwa:E8iS8px8SMDEyrjStuhdbXdCRlg0jEc
Score

10^/10

discovery execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

discoveryexecution

behavioral2

© 2018-2024

Terms | Privacy