General
-
Target
f9eaaaf6b41c2f2092b3f71128997f95068cb44e6926f16ab102221990bc3a24
-
Size
35KB
-
Sample
240705-13hegazcmb
-
MD5
7f69cc80e16be40d9015c5570e67d609
-
SHA1
606a573c59f020525f92b55d17d9a9526a9a0776
-
SHA256
f9eaaaf6b41c2f2092b3f71128997f95068cb44e6926f16ab102221990bc3a24
-
SHA512
4a9ae97a1c0c55a058eef4b853720855d8f1e56e866c07c22fec713f5990417536ce71b4beae0b790a71709711f6498306cc0ddb15f4bc9b9eafb101ee7c1ad6
-
SSDEEP
768:ktvo+ezRk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJh4G80W93:Ewk3hbdlylKsgqopeJBWhZFGkE+cL2Nj
Malware Config
Extracted
https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1
Targets
-
-
Target
f9eaaaf6b41c2f2092b3f71128997f95068cb44e6926f16ab102221990bc3a24
-
Size
35KB
-
MD5
7f69cc80e16be40d9015c5570e67d609
-
SHA1
606a573c59f020525f92b55d17d9a9526a9a0776
-
SHA256
f9eaaaf6b41c2f2092b3f71128997f95068cb44e6926f16ab102221990bc3a24
-
SHA512
4a9ae97a1c0c55a058eef4b853720855d8f1e56e866c07c22fec713f5990417536ce71b4beae0b790a71709711f6498306cc0ddb15f4bc9b9eafb101ee7c1ad6
-
SSDEEP
768:ktvo+ezRk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJh4G80W93:Ewk3hbdlylKsgqopeJBWhZFGkE+cL2Nj
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-