9c87045b4d9e7c0814866a7117379907274da816a4212bddc955ef6121c1876c

Sharing

Copy URL

Twitter E-mail

General

Target

9c87045b4d9e7c0814866a7117379907274da816a4212bddc955ef6121c1876c
Size

44KB
Sample

240705-1rgc2ayhkc
MD5

7de3112444beff4ccb3531dcbdae942d
SHA1

5ec234f52022c755d8bad1ff0bad49d5896fba7c
SHA256

9c87045b4d9e7c0814866a7117379907274da816a4212bddc955ef6121c1876c
SHA512

20240eac84ed3d147ba0884e13af1050799f6d536f5972e2d6eecf216a535505514eb5677d849543974bee46e15999471243f1d5eae22bb8d3ed705fe6a5b21a
SSDEEP

768:BtvoekzRk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJwzz3W+uFlmQQc81J9acW9ac6:ZGk3hbdlylKsgqopeJBWhZFGkE+cL2Nx

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1

Targets

- Target
  
  9c87045b4d9e7c0814866a7117379907274da816a4212bddc955ef6121c1876c
- Size
  
  44KB
- MD5
  
  7de3112444beff4ccb3531dcbdae942d
- SHA1
  
  5ec234f52022c755d8bad1ff0bad49d5896fba7c
- SHA256
  
  9c87045b4d9e7c0814866a7117379907274da816a4212bddc955ef6121c1876c
- SHA512
  
  20240eac84ed3d147ba0884e13af1050799f6d536f5972e2d6eecf216a535505514eb5677d849543974bee46e15999471243f1d5eae22bb8d3ed705fe6a5b21a
- SSDEEP
  
  768:BtvoekzRk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJwzz3W+uFlmQQc81J9acW9ac6:ZGk3hbdlylKsgqopeJBWhZFGkE+cL2Nx
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2