3cdc60732562db3eeaa69151c15f981113c4e59209c86d82b9a449454c484a79 | Triage

Submit
Reports

Overview

overview

Static

static

8

3cdc607325...79.xls

windows7-x64

3cdc607325...79.xls

windows10-2004-x64

Sharing

General

Target

3cdc60732562db3eeaa69151c15f981113c4e59209c86d82b9a449454c484a79
Size

35KB
Sample

240705-1a114swdqq
MD5

a38298c904ab5f1319f249d2ac05bdb7
SHA1

d638c6ea91e5362784ef7c4ac5a5c0e1f1c0addb
SHA256

3cdc60732562db3eeaa69151c15f981113c4e59209c86d82b9a449454c484a79
SHA512

fe64dd18a50ceecf914b3542f7606940d51510e52073f56f3986778e34e3b8f7fc034fd3a761d912a2a4e17dc3a4ce47a37c47df4e15face9d9e0e44ba1c0129
SSDEEP

768:1tvoegUk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJ2z2UWOd93:15k3hbdlylKsgqopeJBWhZFGkE+cL2Nf

Score

10^/10

execution macro macro_on_action

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

3cdc60732562db3eeaa69151c15f981113c4e59209c86d82b9a449454c484a79.xls

Resource

win7-20240508-en

windows7-x64

14 signatures

60 seconds

Behavioral task

behavioral2

Sample

3cdc60732562db3eeaa69151c15f981113c4e59209c86d82b9a449454c484a79.xls

Resource

win10v2004-20240704-en

windows10-2004-x64

14 signatures

60 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1

Targets

- Target
  
  3cdc60732562db3eeaa69151c15f981113c4e59209c86d82b9a449454c484a79
- Size
  
  35KB
- MD5
  
  a38298c904ab5f1319f249d2ac05bdb7
- SHA1
  
  d638c6ea91e5362784ef7c4ac5a5c0e1f1c0addb
- SHA256
  
  3cdc60732562db3eeaa69151c15f981113c4e59209c86d82b9a449454c484a79
- SHA512
  
  fe64dd18a50ceecf914b3542f7606940d51510e52073f56f3986778e34e3b8f7fc034fd3a761d912a2a4e17dc3a4ce47a37c47df4e15face9d9e0e44ba1c0129
- SSDEEP
  
  768:1tvoegUk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJ2z2UWOd93:15k3hbdlylKsgqopeJBWhZFGkE+cL2Nf
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

© 2018-2024

Terms | Privacy